获得401（未授权）错误

Question

我已经实现了在角4.After用户使用Azure的Active Directory的多租户应用程序登录到我的应用我能够得到用户的info.But用户的照片是没有从Active Directory中获得，因为我实现了Graph API，如下面的代码片段所示。

public Task<UserDto> getPhoto(TenantDto tenantDto) 
    { 
     var client = new HttpClient(); 
     client.BaseAddress = new Uri(String.Format("https://graph.windows.net/{0}/users/{1}/thumbnailPhoto?api-version=1.6", tenantDto.tenantKey, tenantDto.email)); 
     client.DefaultRequestHeaders.Accept.Clear(); 
     client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("image/jpeg")); 
     client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tenantDto.token); 
     HttpResponseMessage response = client.GetAsync("").Result; 
     if (response.IsSuccessStatusCode) 
     { 
      return null; 
      //Status status = response.Content.ReadAsAsync<Status>().Result; 
      //if (status.Code == 200) 
      // InBoundResponse = JsonConvert.DeserializeObject<InBoundCallResponse>(status.Data.ToString()); 
      //return InBoundResponse; 
     } 
     else 
     { 
      return null; 
     } 
    } 

这里tenantDto.token不过是一个登录的用户“令牌”虽然调用此图形API我得到401 (Unauthorized)错误。我尝试了所有，但没有用。 我已经改变了图形API设定S1在Active Directory应用程序也喜欢下面附件

另外我有下面的代码它的工作只针对单租户

[Route("AdUserImage"), HttpGet] 
    public async Task<HttpResponseMessage> userImage() 
    { 
     var authContext = new AuthenticationContext("https://login.windows.net/sampletest.onmicrosoft.com/oauth2/token"); 
     var credential = new ClientCredential(clientID, clientSecret); 
     ActiveDirectoryClient directoryClient = new ActiveDirectoryClient(serviceRoot, async() => 
     { 
      var result = await authContext.AcquireTokenAsync("https://graph.windows.net/", credential); 
      return result.AccessToken; 
     }); 

     var user = await directoryClient.Users.Where(x => x.UserPrincipalName == "balu@sampletest.onmicrosoft.com").ExecuteSingleAsync(); 
     DataServiceStreamResponse photo = await user.ThumbnailPhoto.DownloadAsync(); 
     using (MemoryStream s = new MemoryStream()) 
     { 
      photo.Stream.CopyTo(s); 
      var encodedImage = Convert.ToBase64String(s.ToArray()); 
     } 
     //string token = await HttpAppAuthenticationAsync(); 
     Status status = new Status("OK"); 
     status = new Status("Found", null, "User exists."); 

     return Request.CreateResponse(HttpStatusCode.OK, status, _jsonMediaTypeFormatter); 
    } 

试图像，但我需要实现多租户应用程序。

知道的任何答案。提前

感谢........！

Answer 1

委托用户的令牌：

1 .Acquire经由隐流令牌：

https://login.microsoftonline.com/{tenant}/oauth2/authorize?response_type=token&client_id={clientId}&redirect_uri={redirect_uri}&resource=https%3A%2F%2Fgraph.windows.net&nonce={nonce} 

2 .CALL天青AD格拉夫

GET: https://graph.windows.net/{tenant}/me/thumbnailPhoto?api-version=1.6 
Content-Type: image/jpeg 

应用令牌：

1 .Acquire通过客户端凭证令牌流

POST:https://login.microsoftonline.com/{tenant}/oauth2/token 
grant_type=client_credentials&client_id={client_id}&client_secret={client_secret}&resource=https%3A%2F%2Fgraph.windows.net 

2 .CALL在Azure AD图形

GET:https://graph.windows.net/{tenant}/users/{upn}/thumbnailPhoto?api-version=1.6 
Content-Type: image/jpeg 

如果你只拿到的照片缩略图登录用户的多个租户，您应该登录，与Azure的AD第一，并获得了代表用户的访问令牌，并使用该令牌调用Azure的AD图REST。这两种令牌的区别，您可以参考以下链接：

Get access on behalf of a user

Get access without a user