A web app that calls web APIs: Acquire a token for the app

You've built your client application object. Now, you'll use it to acquire a token to call a web API. In ASP.NET or ASP.NET Core, calling a web API is done in the controller:

  • Get a token for the web API by using the token cache. To get this token, you call the MSAL AcquireTokenSilent method (or the equivalent in Microsoft.Identity.Web).
  • Call the protected API, passing the access token to it as a parameter.

The controller methods are protected by an [Authorize] attribute that requires users to be authenticated to use the web app. Here's the code that calls Microsoft Graph:

[Authorize]
public class HomeController : Controller
{
 readonly ITokenAcquisition tokenAcquisition;

 public HomeController(ITokenAcquisition tokenAcquisition)
 {
  this.tokenAcquisition = tokenAcquisition;
 }

 // Code for the controller actions (see code below)

}

The ITokenAcquisition service is injected by ASP.NET by using dependency injection.

Here's simplified code for the action of the HomeController, which gets a token to call Microsoft Graph:

[AuthorizeForScopes(Scopes = new[] { "https://microsoftgraph.chinacloudapi.cn/user.read" })]
public async Task<IActionResult> Profile()
{
 // Acquire the access token.
 string[] scopes = new string[]{"https://microsoftgraph.chinacloudapi.cn/user.read"};
 string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(scopes);

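 // Use the access token to call a protected web API.
 // Assumed endpoint (not given on this page): the signed-in user's profile
 // on the same Microsoft Graph host as the requested scope.
 string url = "https://microsoftgraph.chinacloudapi.cn/v1.0/me";
 HttpClient client = new HttpClient();
 client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
 string json = await client.GetStringAsync(url);

 // Return the raw JSON response to the caller.
 return Content(json, "application/json");
}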

To better understand the code required for this scenario, see the phase 2 (2-1-Web app Calls Microsoft Graph) step of the ms-identity-aspnetcore-webapp-tutorial tutorial.

The AuthorizeForScopes attribute on top of the controller action (or of the Razor page if you use a Razor template) is provided by Microsoft.Identity.Web. It ensures that the user is asked for consent if needed, and incrementally.
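The following is an added example, not code from the original page or from Microsoft.Identity.Web: a fuller variant of the action above that lets AuthorizeForScopes handle the consent challenge and attaches the token to a single request. It assumes IHttpClientFactory is registered with services.AddHttpClient(); the controller name GraphProfileController and the /v1.0/me URL are illustrative assumptions.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;

[Authorize]
public class GraphProfileController : Controller
{
    private const string UserRead = "https://microsoftgraph.chinacloudapi.cn/user.read";
    // Assumed endpoint: the signed-in user's profile on the same Graph host as the scope.
    private const string GraphMeUrl = "https://microsoftgraph.chinacloudapi.cn/v1.0/me";

    private readonly ITokenAcquisition tokenAcquisition;
    private readonly IHttpClientFactory httpClientFactory;

    public GraphProfileController(ITokenAcquisition tokenAcquisition, IHttpClientFactory httpClientFactory)
    {
        this.tokenAcquisition = tokenAcquisition;
        this.httpClientFactory = httpClientFactory;
    }

    [AuthorizeForScopes(Scopes = new[] { UserRead })]
    public async Task<IActionResult> Index()
    {
        // No try/catch around the token call: when the cache holds no usable token
        // (consent or conditional access is required), Microsoft.Identity.Web throws
        // MicrosoftIdentityWebChallengeUserException and AuthorizeForScopes challenges the user.
        string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(new[] { UserRead });

        // Attach the token to this request only, so it never becomes a default
        // header on a client instance that could be reused for another user.
        using var request = new HttpRequestMessage(HttpMethod.Get, GraphMeUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        HttpClient client = httpClientFactory.CreateClient();
        using HttpResponseMessage response = await client.SendAsync(request);
        if (!response.IsSuccessStatusCode)
        {
            // Report an upstream failure without relaying Graph's error body.
            return StatusCode(502);
        }

        return Content(await response.Content.ReadAsStringAsync(), "application/json");
    }
}
```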

There are other complex variations, such as:

  • Calling several APIs.
  • Processing incremental consent and conditional access.

These advanced steps are covered in chapter 3 of the 3-WebApp-multi-APIs tutorial.
