How to get AD access token and pass it to web api controller?

孤街醉人 submitted on 2021-02-11 17:43:00

Question


How to get AD access token from login.microsoftonline.com and pass the access token to a web api controller? I need the "access token" as such, to pass on to another partner company website url via a post request.

The code below does AAD authentication as expected, but I also need the "access token" as such:

public void ConfigureServices(IServiceCollection services)
{
    services.Configure<CookiePolicyOptions>(options =>
    {
        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
        .AddAzureAD(options => Configuration.Bind("AzureAd", options));

    services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
    {
        options.Authority = options.Authority + "/v2.0/";

        options.TokenValidationParameters.ValidateIssuer = false;
    });

    services.AddMvc(options =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    })
    .SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}

Answer 1:


The above code snippet attached in the original post does not expose the access token, but internally it manages to get the access token and validate it; how to do it in a more transparent way?

You can get tokens after authentication:

services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
    options.Authority = options.Authority + "/v2.0/";         // Microsoft identity platform
    options.SaveTokens = true;
    options.TokenValidationParameters.ValidateIssuer = false; // accept several tenants (here simplified)
});

And get the tokens in the controller:

var idToken = await HttpContext.GetTokenAsync("id_token");

But with your code snippets it won't return an access token, since you are implementing the sign-in process, not a token request. You shall use ADAL/MSAL to get an access token for accessing the protected APIs. See code samples here.

where I get access token & validate it using custom code for better understanding.

You can understand the validation of the token signature from here and here.
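
A controller action that forwards a saved access token to the partner endpoint in a POST request, as an added example that is not part of the original answer or of the linked samples. PartnerController, the partner.example URL and the registered IHttpClientFactory are assumptions; GetTokenAsync returns null when the sign-in stored no access token, and the action treats that as an error instead of sending the id_token.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize]
public class PartnerController : Controller   // hypothetical controller name
{
    // Placeholder endpoint: fixed in code or config, never taken from request input.
    private static readonly Uri PartnerEndpoint = new Uri("https://partner.example/api/orders");
    private readonly IHttpClientFactory _httpClientFactory;

    // Assumes services.AddHttpClient() was called in ConfigureServices.
    public PartnerController(IHttpClientFactory httpClientFactory) => _httpClientFactory = httpClientFactory;

    [HttpPost]
    public async Task<IActionResult> Forward([FromBody] string payload)
    {
        // Present only if SaveTokens = true and the sign-in response carried an access token.
        var accessToken = await HttpContext.GetTokenAsync("access_token");
        if (string.IsNullOrEmpty(accessToken))
        {
            // Do not fall back to the id_token: its audience is this application,
            // not the partner API, so the partner has no reason to accept it.
            return StatusCode(500, "No access token available for the partner API.");
        }

        using (var request = new HttpRequestMessage(HttpMethod.Post, PartnerEndpoint))
        {
            // The token travels only in the Authorization header, over HTTPS; never log it.
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            request.Content = new StringContent(payload ?? "{}", Encoding.UTF8, "application/json");

            var client = _httpClientFactory.CreateClient();
            using (var response = await client.SendAsync(request))
            {
                // Relay only the status code; the partner's response body is not echoed back.
                return StatusCode((int)response.StatusCode);
            }
        }
    }
}
```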




Answer 2:


Hi, please download and follow the instructions provided in the sample. It helps you set up a Web API first and provides a client application that first signs in a user and then obtains an Access Token for a Web API.

How to secure a Web API built with ASP.NET Core

Once you can get the sample to work, you can replace the sample's Web Api with your partner's Web Api.



Source: https://stackoverflow.com/questions/60935389/how-to-get-ad-access-token-and-pass-it-to-web-api-controller
