2017-02-04 86 views
0

ConfidentialClientApplication AcquireTokenSilentAsync always fails

I am trying to use OpenIdConnectAuthentication for Microsoft authorization. I can authenticate, but when I try to get the access token the call fails and wants me to re-authenticate, which I do. I never seem to pull a proper token. Here is the code that gets the access token:

public async Task<string> GetUserAccessTokenAsync()
{
    // Key the per-user token cache on the signed-in user's NameIdentifier claim
    string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
    //string signedInUserID = User.Identity.GetUserId();
    tokenCache = new MSALSessionCache(
        signedInUserID,
        HttpContext.Current.GetOwinContext().Environment["System.Web.HttpContextBase"] as HttpContextBase);
    var cachedItems = tokenCache.ReadItems(appId); // see what's in the cache

    ConfidentialClientApplication cca = new ConfidentialClientApplication(
        appId,
        redirectUri,
        new ClientCredential(appSecret),
        tokenCache);

    try
    {
        // Succeeds only if the cache already holds a token for signedInUserID
        AuthenticationResult result = await cca.AcquireTokenSilentAsync(scopes.Split(new char[] { ' ' }));
        return result.Token;
    }
    // Unable to retrieve the access token silently.
    catch (MsalSilentTokenAcquisitionException)
    {
        // Fall back to an interactive sign-in through the OpenID Connect middleware
        HttpContext.Current.Request.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties() { RedirectUri = "/" },
            OpenIdConnectAuthenticationDefaults.AuthenticationType);

        //throw new Exception("Resource.Error_AuthChallengeNeeded");
        return null;
    }
}

I don't know what I am missing. So far I have been using the Microsoft Graph REST ASP.NET Connect sample as my guide. My end goal is to authenticate the user and then use their profile and some items from the MS REST API.

Answer

0

I was able to track it down. Because I am using ASP.NET Identity together with UseOpenIdConnectAuthentication, I had to manually add the external login claims to the ClaimsPrincipal. This is what my ExternalLoginCallback(string returnUrl) looks like:

public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
{
    var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
    if (loginInfo == null)
    {
        return RedirectToAction("Login");
    }

    // Sign in the user with this external login provider if the user already has a login
    var result = await SignInManager.ExternalSignInAsync(loginInfo, isPersistent: false);

    logger.Info(loginInfo.Email + " attempted an external login with a result of " + result.ToString());

    switch (result)
    {
        case SignInStatus.Success:
            // Copy the external (OpenID Connect) claims onto the local identity under a
            // suffixed type so they do not collide with the ASP.NET Identity claims
            foreach (Claim c in loginInfo.ExternalIdentity.Claims)
            {
                SignInManager.AuthenticationManager.AuthenticationResponseGrant.Identity.AddClaim(new Claim(c.Type + "_external", c.Value));
            }

            var user = UserManager.FindById(SignInManager.AuthenticationManager.AuthenticationResponseGrant.Identity.GetUserId());

            user.LastLogin = DateTime.Now.ToUniversalTime();
            await UserManager.UpdateAsync(user);

            return RedirectToLocal(returnUrl);
        case SignInStatus.LockedOut:
            return View("Lockout");
        case SignInStatus.RequiresVerification:
            return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = false });
        case SignInStatus.Failure:
        default:
            // If the user does not have an account, then prompt the user to create an account
            ViewBag.ReturnUrl = returnUrl;
            ViewBag.LoginProvider = loginInfo.Login.LoginProvider;
            return View("ExternalLoginConfirmation", new ExternalLoginConfirmationViewModel { Email = loginInfo.Email });
    }
}

Because the external identity claims had the same names as the ASP.NET Identity claims, I had to rename the claims. Then I also had to adjust the code everywhere it looks for the external identity claims.
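The answer's fix rests on a claim-name collision: once ASP.NET Identity signs the user in, ClaimTypes.NameIdentifier on the cookie principal holds the local user id, while the MSAL cache was populated under the identity provider's subject, so a lookup keyed on the local id misses and AcquireTokenSilentAsync throws. The following is an added, stand-alone illustration (not code from the question, the answer, or the Microsoft Graph sample) that merges the external claims with the "_external" suffix the answer uses, refuses to overwrite a claim that is already present, and derives the token-cache key from the suffixed NameIdentifier. The helper names, the suffix constant and the sample ids are assumptions constructed for this example; it depends only on System.Security.Claims.

```csharp
using System;
using System.Security.Claims;

// Added example: shows why keying the MSAL cache on ClaimTypes.NameIdentifier misses
// once ASP.NET Identity owns that claim, and how the answer's "_external" renaming
// gives the cache lookup the right user id. Helper names are hypothetical.
public static class ExternalClaimsMerge
{
    // Suffix the answer appends so external (OIDC) claims do not collide with
    // ASP.NET Identity's own NameIdentifier / Name claims.
    public const string ExternalSuffix = "_external";

    // Copy every external claim onto the local identity under a suffixed type.
    // Returns the number of claims added; never overwrites an existing claim type,
    // so running the callback twice cannot silently swap the cached user id.
    public static int MergeExternalClaims(ClaimsIdentity local, ClaimsIdentity external)
    {
        int added = 0;
        foreach (Claim c in external.Claims)
        {
            string type = c.Type + ExternalSuffix;
            if (local.HasClaim(x => x.Type == type))
                continue; // already merged; keep the first value
            local.AddClaim(new Claim(type, c.Value, c.ValueType, c.Issuer));
            added++;
        }
        return added;
    }

    // Key for the per-user MSAL token cache. The OIDC middleware wrote the cache under
    // the provider's subject, so the lookup must use the external NameIdentifier rather
    // than the local ASP.NET Identity user id that ClaimTypes.NameIdentifier now holds.
    public static string GetTokenCacheUserId(ClaimsPrincipal principal)
    {
        Claim ext = principal.FindFirst(ClaimTypes.NameIdentifier + ExternalSuffix);
        if (ext == null)
            throw new InvalidOperationException(
                "External NameIdentifier claim missing; silent token acquisition would miss the cache.");
        return ext.Value;
    }

    public static void Main()
    {
        // Constructed sample: the local ASP.NET Identity principal and the external OIDC identity.
        var local = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "local-user-0001"),   // constructed local user id
            new Claim(ClaimTypes.Name, "alice@example.com"),
        }, "ApplicationCookie");

        var external = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "00000000-0000-0000-0000-00000000aaaa"), // constructed subject
            new Claim(ClaimTypes.Name, "Alice Example"),
        }, "OpenIdConnect");

        int added = MergeExternalClaims(local, external);
        var principal = new ClaimsPrincipal(local);

        Console.WriteLine("merged " + added + " claims");
        Console.WriteLine("local NameIdentifier: " + principal.FindFirst(ClaimTypes.NameIdentifier).Value);
        Console.WriteLine("token cache user id:  " + GetTokenCacheUserId(principal));
        // A second merge is a no-op because of the overwrite check.
        Console.WriteLine("second merge added:   " + MergeExternalClaims(local, external));
    }
}
```

With this in place, the MSALSessionCache in the question would be constructed with GetTokenCacheUserId(ClaimsPrincipal.Current) instead of the raw NameIdentifier value, so the silent lookup hits the entry the sign-in wrote. The overwrite check matters for the same reason: if a later external login could replace the suffixed NameIdentifier on an already signed-in identity, the cache key would change under the user's session.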