microsoftgraph / msgraph-sdk-dotnet-auth

Archived - use the TokenCredential classes provided by Azure.Identity. https://docs.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme
https://graph.microsoft.com
MIT License

UserAssertion null in OBO provider #31

Closed rjhaines closed 5 years ago

rjhaines commented 5 years ago

I'm seeing a null UserAssertion parameter value on the first call to OnBehalfOfProvider.AuthenticateRequestAsync:


I'd appreciate any insights. Thanks!

peombwa commented 5 years ago

@rjhaines You need to call .WithUserAssertion passing a validated service token as a UserAssertion. Here is an example of how to do that.

// Create client application.
IConfidentialClientApplication clientApplication = OnBehalfOfProvider.CreateClientApplication(clientId, redirectUri, clientCredential);
OnBehalfOfProvider authenticationProvider = new OnBehalfOfProvider(clientApplication, scopes);

// Configure GraphServiceClient with provider.
GraphServiceClient graphServiceClient = new GraphServiceClient(authenticationProvider);

// Make a request with your user assertion
User me = await graphServiceClient.Me.Request().WithUserAssertion(new UserAssertion("validated_token")).GetAsync();

We will add documentation that explains how to use and extend our auth providers.

rjhaines commented 5 years ago

@peombwa Thanks for your comment and proposed follow-ups.

In the meantime, can you provide a quick direction on acquiring the service token? So far I've tried ConfidentialClientApplication.AcquireTokenForClientAsync yet end up with an error: AADSTS50013: Assertion failed signature validation.

I'm currently using a client secret. Thanks for any further help you can provide.

peombwa commented 5 years ago

@rjhaines You can take a look at this guide from MSAL that explains how the OBO flow should be used. According to the guide, your client (web, desktop, mobile, single-page application) should call your service (API) as a user - use an auth flow that calls an API in the name of a user and not an app. AcquireTokenForClientAsync (Client Credential Flow) calls the API as an app and not a user.

You can call your service with either authorization code flow (web app) or interactive authentication (desktop and mobile). This sample by MSAL shows how to make a call from a desktop app to a service via interactive auth, then call Graph from the service via on behalf of flow.
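As an added illustration of the point made in both replies above (this is example code, not from the repository or the commenters), a minimal ASP.NET Core web API action that reuses the bearer token already validated by the `[Authorize]` middleware as the `UserAssertion`, so the service calls Graph on behalf of the signed-in user rather than as the app. The controller name, route, configuration values and the `User.Read` scope are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;

// Registration (e.g. in Startup.ConfigureServices); clientId, redirectUri and
// clientSecret are assumed to come from configuration.
public static class GraphAuthSetup
{
    public static OnBehalfOfProvider Build(string clientId, string redirectUri, string clientSecret)
    {
        IConfidentialClientApplication cca = OnBehalfOfProvider.CreateClientApplication(
            clientId, redirectUri, new ClientCredential(clientSecret));
        // Scopes the service itself needs on Graph, consented for OBO.
        return new OnBehalfOfProvider(cca, new[] { "User.Read" });
    }
}

[Authorize]            // JWT bearer middleware validates the incoming user token first
[ApiController]
[Route("api/[controller]")]
public class ProfileController : ControllerBase
{
    private readonly OnBehalfOfProvider _authProvider;

    public ProfileController(OnBehalfOfProvider authProvider) => _authProvider = authProvider;

    [HttpGet("me")]
    public async Task<IActionResult> GetMe()
    {
        // The assertion must be the exact token the caller presented to this API
        // (a user token from auth-code/interactive flow), not an app-only token.
        string header = Request.Headers["Authorization"].ToString();
        if (!header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            return Unauthorized();
        string userToken = header.Substring("Bearer ".Length);

        var graphClient = new GraphServiceClient(_authProvider);
        User me = await graphClient.Me.Request()
            .WithUserAssertion(new UserAssertion(userToken))
            .GetAsync();

        return Ok(new { me.DisplayName, me.UserPrincipalName });
    }
}
```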