将 Microsoft Graph 与 ASP .NET Identity 外部身份验证结合使用

Question

我有一个使用 ASP .NET Framework 的 Web 应用程序。它的一项功能需要访问用户的 Outlook 日历。

目前，应用程序使用常规的 ASP .NET 身份验证，没有 OpenID。它还允许第三方身份验证提供程序。这是我的 Startup 类的代码：

public partial class Startup
{
    private static readonly string APP_ID = WebConfigurationManager.AppSettings["Site_Cert_App_ID"];
    private static readonly string APP_SECRET = WebConfigurationManager.AppSettings["Site_Cert_App_Secret"];

    // For more information on configuring authentication, please visit https://go.microsoft.com/fwlink/?LinkId=301864
    public void ConfigureAuth(IAppBuilder app)
    {
        // Configure the db context, user manager and signin manager to use a single instance per request
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        // Enable the application to use a cookie to store information for the signed in user
        // and to use a cookie to temporarily store information about a user logging in with a third party login provider
        // Configure the sign in cookie
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Enables the application to validate the security stamp when the user logs in.
                // This is a security feature which is used when you change a password or add an external login to your account.  
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });            
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
        app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));

        // Enables the application to remember the second login verification factor such as phone or email.
        // Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
        // This is similar to the RememberMe option when you log in.
        app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);

        app.UseMicrosoftAccountAuthentication(new Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationOptions
        {
            ClientId = APP_ID,
            ClientSecret = APP_SECRET,
            Scope = { "offline_access", "User.Read", "Calendars.Read" }
        });
    }
}

由于该应用程序的其他功能与其他微软的服务完全无关，所以我想保留这种身份验证方式，并使用 Microsoft Account 外部登录来使用 Graph API，而不是完整的 OpendID 身份验证过程。但是，我没有找到任何示例，也无法弄清楚如何访问用于外部身份验证的令牌以将其重用于 Graph API。

有简单的方法吗？还是不可能，我必须代表用户实施完整的流程来获取令牌？

Answer 1

您可以尝试以下方法：https://docs.microsoft.com/en-us/graph/auth-v2-user 步骤如下：

• 向 Azure AD 注册您的应用。
• 获得授权。
• 获取访问令牌。
• 使用访问令牌调用 Microsoft Graph。
• 使用刷新令牌获取新的访问令牌。

旁注，要获取特定用户的日历，您可以使用

GET /users/{id | userPrincipalName}/calendars

Documentation MS Graph

Graph Explorer