Use Graph API with ASP.NET Core Blazor WebAssembly
This article explains how to use Microsoft Graph API, which is a RESTful web API that enables apps to access Microsoft Cloud service resources.
Graph SDK
Microsoft Graph SDKs are designed to simplify building high-quality, efficient, and resilient applications that access Microsoft Graph.
The examples in this section require package references for the standalone or Client app:
Note
For guidance on adding packages to .NET apps, see the articles under Install and manage packages at Package consumption workflow (NuGet documentation). Confirm correct package versions at NuGet.org.
The following utility classes and configuration are used in each of the following subsections of this article:
After adding the Microsoft Graph API scopes in the AAD area of the Azure portal:
- Add the following
GraphClientExtensions.csclass to the standalone app orClientapp of a hosted Blazor WebAssembly solution. - Provide the required scopes to the Scopes property of the AccessTokenRequestOptions in the
AuthenticateRequestAsyncmethod. In the following example, theUser.Readscope is specified to match the examples in later sections of this article.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.Authentication.WebAssembly.Msal.Models;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Graph;
internal static class GraphClientExtensions
{
public static IServiceCollection AddGraphClient(
this IServiceCollection services, params string[] scopes)
{
services.Configure<RemoteAuthenticationOptions<MsalProviderOptions>>(
options =>
{
foreach (var scope in scopes)
{
options.ProviderOptions.AdditionalScopesToConsent.Add(scope);
}
});
services.AddScoped<IAuthenticationProvider,
NoOpGraphAuthenticationProvider>();
services.AddScoped<IHttpProvider, HttpClientHttpProvider>(sp =>
new HttpClientHttpProvider(new HttpClient()));
services.AddScoped(sp =>
{
return new GraphServiceClient(
sp.GetRequiredService<IAuthenticationProvider>(),
sp.GetRequiredService<IHttpProvider>());
});
return services;
}
private class NoOpGraphAuthenticationProvider : IAuthenticationProvider
{
public NoOpGraphAuthenticationProvider(IAccessTokenProvider tokenProvider)
{
TokenProvider = tokenProvider;
}
public IAccessTokenProvider TokenProvider { get; }
public async Task AuthenticateRequestAsync(HttpRequestMessage request)
{
var result = await TokenProvider.RequestAccessToken(
new AccessTokenRequestOptions()
{
Scopes = new[] { "{SCOPE 1}", "{SCOPE 2}", ... "{SCOPE X}" }
});
if (result.TryGetToken(out var token))
{
request.Headers.Authorization ??= new AuthenticationHeaderValue(
"Bearer", token.Value);
}
}
}
private class HttpClientHttpProvider : IHttpProvider
{
private readonly HttpClient http;
public HttpClientHttpProvider(HttpClient http)
{
this.http = http;
}
public ISerializer Serializer { get; } = new Serializer();
public TimeSpan OverallTimeout { get; set; } = TimeSpan.FromSeconds(300);
public void Dispose()
{
}
public Task<HttpResponseMessage> SendAsync(HttpRequestMessage request)
{
return http.SendAsync(request);
}
public Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,
HttpCompletionOption completionOption,
CancellationToken cancellationToken)
{
return http.SendAsync(request, completionOption, cancellationToken);
}
}
}
The scope placeholders "{SCOPE 1}", "{SCOPE 2}", ... "{SCOPE X}" in the preceding code represent one or more permitted scopes. For example, set Scopes to a string array of one scope for User.Read for the examples in the following sections of this article:
Scopes = new[] { "https://graph.microsoft.com/User.Read" }
In Program.cs, add the Graph client services and configuration with the AddGraphClient extension method:
builder.Services.AddGraphClient("{SCOPE 1}", "{SCOPE 2}", ... "{SCOPE X}");
The scope placeholders "{SCOPE 1}", "{SCOPE 2}", ... "{SCOPE X}" in the preceding code represent one or more permitted scopes. For example, pass the User.Read scope to AddGraphClient for the examples in the following sections of this article:
builder.Services.AddGraphClient("https://graph.microsoft.com/User.Read");
Call Graph API from a component using the Graph SDK
This section uses the utility classes (GraphClientExtensions.cs) described earlier in this article. The following GraphExample component uses an injected GraphServiceClient to obtain the user's AAD profile data and display their mobile phone number:
@page "/GraphExample"
@using Microsoft.AspNetCore.Authorization
@using Microsoft.Graph
@attribute [Authorize]
@inject GraphServiceClient GraphClient
<h3>Graph Client Example</h3>
@if (user != null)
{
<p>Mobile Phone: @user.MobilePhone</p>
}
@code {
private User user;
protected override async Task OnInitializedAsync()
{
var request = GraphClient.Me.Request();
user = await request.GetAsync();
}
}
Customize user claims with the Graph SDK
This section uses the utility classes (GraphClientExtensions.cs) described earlier in this article.
In the following example, the app creates a mobile phone number claim for a user from their AAD user profile's mobile phone number. The app must have the User.Read Graph API scope configured in AAD.
In the following custom user account factory, the framework's RemoteUserAccount represents the user's account. If the app requires a custom user account class that extends RemoteUserAccount, swap the custom user account class for RemoteUserAccount in the following code.
CustomAccountFactory.cs:
using System;
using System.Net.Http;
using System.Net.Http.Json;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication.Internal;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Graph;
public class CustomAccountFactory
: AccountClaimsPrincipalFactory<RemoteUserAccount>
{
private readonly ILogger<CustomAccountFactory> logger;
private readonly IServiceProvider serviceProvider;
public CustomAccountFactory(IAccessTokenProviderAccessor accessor,
IServiceProvider serviceProvider,
ILogger<CustomAccountFactory> logger)
: base(accessor)
{
this.serviceProvider = serviceProvider;
this.logger = logger;
}
public override async ValueTask<ClaimsPrincipal> CreateUserAsync(
RemoteUserAccount account,
RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options);
if (initialUser.Identity.IsAuthenticated)
{
var userIdentity = (ClaimsIdentity)initialUser.Identity;
try
{
var graphClient = ActivatorUtilities
.CreateInstance<GraphServiceClient>(serviceProvider);
var request = graphClient.Me.Request();
var user = await request.GetAsync();
if (user != null)
{
userIdentity.AddClaim(new Claim("mobilephone",
user.MobilePhone));
}
}
catch (ServiceException exception)
{
logger.LogError("Graph API service failure: {Message}",
exception.Message);
}
}
return initialUser;
}
}
In Program.cs, configure the MSAL authentication to use the custom user account factory: If the app uses a custom user account class that extends RemoteUserAccount, swap the custom user account class for RemoteUserAccount in the following code:
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.Extensions.Configuration;
builder.Services.AddMsalAuthentication<RemoteAuthenticationState,
RemoteUserAccount>(options =>
{
builder.Configuration.Bind("AzureAd",
options.ProviderOptions.Authentication);
options.ProviderOptions.DefaultAccessTokenScopes.Add(
"https://graph.microsoft.com/User.Read");
})
.AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, RemoteUserAccount,
CustomAccountFactory>();
Named client with Graph API
The examples in this section use a named HttpClient for Graph API to obtain a user's mobile phone number to process a call.
The examples in this section require a package reference for Microsoft.Extensions.Http for the standalone or Client app.
Note
For guidance on adding packages to .NET apps, see the articles under Install and manage packages at Package consumption workflow (NuGet documentation). Confirm correct package versions at NuGet.org.
Create the following class and project configuration for working with Graph API. The following class and configuration are used in each of the following subsections of this article:
After adding the Microsoft Graph API scopes in the AAD area of the Azure portal, provide the required scopes to the app's configured handler for Graph API. The following example configures the handler for the User.Read scope. Additional scopes can be added.
GraphAuthorizationMessageHandler.cs:
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
public class GraphAPIAuthorizationMessageHandler : AuthorizationMessageHandler
{
public GraphAPIAuthorizationMessageHandler(IAccessTokenProvider provider,
NavigationManager navigationManager)
: base(provider, navigationManager)
{
ConfigureHandler(
authorizedUrls: new[] { "https://graph.microsoft.com" },
scopes: new[] { "https://graph.microsoft.com/User.Read" });
}
}
In Program.cs, configure the named HttpClient for Graph API:
builder.Services.AddScoped<GraphAPIAuthorizationMessageHandler>();
builder.Services.AddHttpClient("GraphAPI",
client => client.BaseAddress = new Uri("https://graph.microsoft.com"))
.AddHttpMessageHandler<GraphAPIAuthorizationMessageHandler>();
Call Graph API from a component
This section uses the Graph Authorization Message Handler (GraphAuthorizationMessageHandler.cs) and Program.cs additions to the app described earlier in this article, which provides a named HttpClient for Graph API.
In a Razor component:
- Create an HttpClient for Graph API and issue a request for the user's profile data.
- The
UserInfo.csclass designates the required user profile properties with the JsonPropertyNameAttribute attribute and the JSON name used by AAD for those properties.
Pages/CallUser.razor:
@page "/CallUser"
@using System.ComponentModel.DataAnnotations
@using System.Text.Json.Serialization
@using Microsoft.AspNetCore.Components.WebAssembly.Authentication
@using Microsoft.Extensions.Logging
@inject IAccessTokenProvider TokenProvider
@inject IHttpClientFactory ClientFactory
@inject ILogger<CallUser> Logger
<h3>Call User</h3>
<EditForm Model="@callInfo" OnValidSubmit="@HandleValidSubmit">
<DataAnnotationsValidator />
<ValidationSummary />
<p>
<label>
Message:
<InputTextArea @bind-Value="callInfo.Message" />
</label>
</p>
<button type="submit">Place call</button>
<p>
@formStatus
</p>
</EditForm>
@code {
private string formStatus;
private CallInfo callInfo = new CallInfo();
private async Task HandleValidSubmit()
{
var tokenResult = await TokenProvider.RequestAccessToken(
new AccessTokenRequestOptions
{
Scopes = new[] { "https://graph.microsoft.com/User.Read" }
});
if (tokenResult.TryGetToken(out var token))
{
var client = ClientFactory.CreateClient("GraphAPI");
var userInfo = await client.GetFromJsonAsync<UserInfo>("v1.0/me");
if (userInfo != null)
{
// Use userInfo.MobilePhone and callInfo.Message to make a call
formStatus = "Form successfully processed.";
Logger.LogInformation(
$"Form successfully processed at {DateTime.UtcNow}. " +
$"Mobile Phone: {userInfo.MobilePhone}");
}
}
else
{
formStatus = "There was a problem processing the form.";
Logger.LogError("Token failure");
}
}
private class CallInfo
{
[Required]
[StringLength(1000, ErrorMessage = "Message too long (1,000 char limit)")]
public string Message { get; set; }
}
private class UserInfo
{
[JsonPropertyName("mobilePhone")]
public string MobilePhone { get; set; }
}
}
Customize user claims with Graph API and a named client
This section uses the Graph Authorization Message Handler (GraphAuthorizationMessageHandler.cs) and Program.cs additions to the app described earlier in this article, which provides a named HttpClient for Graph API.
In the following example, the app creates a mobile phone number claim for the user from their AAD user profile's mobile phone number. The app must have the User.Read Graph API scope configured in AAD.
Add a UserInfo.cs class to the app and designate the required user profile properties with the JsonPropertyNameAttribute attribute and the JSON name used by AAD for those properties:
using System.Text.Json.Serialization;
public class UserInfo
{
[JsonPropertyName("mobilePhone")]
public string MobilePhone { get; set; }
}
In the following custom user account factory, the framework's RemoteUserAccount represents the user's account. If the app requires a custom user account class that extends RemoteUserAccount, swap the custom user account class for RemoteUserAccount in the following code.
CustomAccountFactory.cs:
using System.Net.Http;
using System.Net.Http.Json;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication.Internal;
using Microsoft.Extensions.Logging;
public class CustomAccountFactory
: AccountClaimsPrincipalFactory<RemoteUserAccount>
{
private readonly ILogger<CustomAccountFactory> logger;
private readonly IHttpClientFactory clientFactory;
public CustomAccountFactory(IAccessTokenProviderAccessor accessor,
IHttpClientFactory clientFactory,
ILogger<CustomAccountFactory> logger)
: base(accessor)
{
this.clientFactory = clientFactory;
this.logger = logger;
}
public override async ValueTask<ClaimsPrincipal> CreateUserAsync(
RemoteUserAccount account,
RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options);
if (initialUser.Identity.IsAuthenticated)
{
var userIdentity = (ClaimsIdentity)initialUser.Identity;
try
{
var client = clientFactory.CreateClient("GraphAPI");
var userInfo = await client.GetFromJsonAsync<UserInfo>("v1.0/me");
if (userInfo != null)
{
userIdentity.AddClaim(new Claim("mobilephone",
userInfo.MobilePhone));
}
}
catch (AccessTokenNotAvailableException exception)
{
logger.LogError("Graph API access token failure: {Message}",
exception.Message);
}
}
return initialUser;
}
}
In Program.cs, configure the MSAL authentication to use the custom user account factory: If the app uses a custom user account class that extends RemoteUserAccount, swap the custom user account class for RemoteUserAccount in the following code:
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
...
builder.Services.AddMsalAuthentication<RemoteAuthenticationState,
RemoteUserAccount>(options =>
{
builder.Configuration.Bind("AzureAd",
options.ProviderOptions.Authentication);
})
.AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, RemoteUserAccount,
CustomAccountFactory>();
The preceding example is for an app that uses AAD authentication with MSAL. Similar patterns exist for OIDC and API authentication. For more information, see the examples in Customize the user with a payload claim section.
Graph SDK
Microsoft Graph SDKs are designed to simplify building high-quality, efficient, and resilient applications that access Microsoft Graph.
The examples in this section require package references for the standalone or Client app:
Note
For guidance on adding packages to .NET apps, see the articles under Install and manage packages at Package consumption workflow (NuGet documentation). Confirm correct package versions at NuGet.org.
The following utility classes and configuration are used in each of the following subsections of this article:
After adding the Microsoft Graph API scopes in the AAD area of the Azure portal:
- Add the following
GraphClientExtensions.csclass to the standalone app orClientapp of a hosted Blazor WebAssembly solution. - Provide the required scopes to the Scopes property of the AccessTokenRequestOptions in the
AuthenticateRequestAsyncmethod. In the following example, theUser.Readscope is specified to match the examples in later sections of this article.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.Authentication.WebAssembly.Msal.Models;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Graph;
internal static class GraphClientExtensions
{
public static IServiceCollection AddGraphClient(
this IServiceCollection services, params string[] scopes)
{
services.Configure<RemoteAuthenticationOptions<MsalProviderOptions>>(
options =>
{
foreach (var scope in scopes)
{
options.ProviderOptions.AdditionalScopesToConsent.Add(scope);
}
});
services.AddScoped<IAuthenticationProvider,
NoOpGraphAuthenticationProvider>();
services.AddScoped<IHttpProvider, HttpClientHttpProvider>(sp =>
new HttpClientHttpProvider(new HttpClient()));
services.AddScoped(sp =>
{
return new GraphServiceClient(
sp.GetRequiredService<IAuthenticationProvider>(),
sp.GetRequiredService<IHttpProvider>());
});
return services;
}
private class NoOpGraphAuthenticationProvider : IAuthenticationProvider
{
public NoOpGraphAuthenticationProvider(IAccessTokenProvider tokenProvider)
{
TokenProvider = tokenProvider;
}
public IAccessTokenProvider TokenProvider { get; }
public async Task AuthenticateRequestAsync(HttpRequestMessage request)
{
var result = await TokenProvider.RequestAccessToken(
new AccessTokenRequestOptions()
{
Scopes = new[] { "{SCOPE 1}", "{SCOPE 2}", ... "{SCOPE X}" }
});
if (result.TryGetToken(out var token))
{
request.Headers.Authorization ??= new AuthenticationHeaderValue(
"Bearer", token.Value);
}
}
}
private class HttpClientHttpProvider : IHttpProvider
{
private readonly HttpClient http;
public HttpClientHttpProvider(HttpClient http)
{
this.http = http;
}
public ISerializer Serializer { get; } = new Serializer();
public TimeSpan OverallTimeout { get; set; } = TimeSpan.FromSeconds(300);
public void Dispose()
{
}
public Task<HttpResponseMessage> SendAsync(HttpRequestMessage request)
{
return http.SendAsync(request);
}
public Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,
HttpCompletionOption completionOption,
CancellationToken cancellationToken)
{
return http.SendAsync(request, completionOption, cancellationToken);
}
}
}
The scope placeholders "{SCOPE 1}", "{SCOPE 2}", ... "{SCOPE X}" in the preceding code represent one or more permitted scopes. For example, set Scopes to a string array of one scope for User.Read for the examples in the following sections of this article:
Scopes = new[] { "https://graph.microsoft.com/User.Read" }
In Program.cs, add the Graph client services and configuration with the AddGraphClient extension method:
builder.Services.AddGraphClient("{SCOPE 1}", "{SCOPE 2}", ... "{SCOPE X}");
The scope placeholders "{SCOPE 1}", "{SCOPE 2}", ... "{SCOPE X}" in the preceding code represent one or more permitted scopes. For example, pass the User.Read scope to AddGraphClient for the examples in the following sections of this article:
builder.Services.AddGraphClient("https://graph.microsoft.com/User.Read");
Call Graph API from a component using the Graph SDK
This section uses the utility classes (GraphClientExtensions.cs) described earlier in this article. The following GraphExample component uses an injected GraphServiceClient to obtain the user's AAD profile data and display their mobile phone number:
@page "/GraphExample"
@using Microsoft.AspNetCore.Authorization
@using Microsoft.Graph
@attribute [Authorize]
@inject GraphServiceClient GraphClient
<h3>Graph Client Example</h3>
@if (user != null)
{
<p>Mobile Phone: @user.MobilePhone</p>
}
@code {
private User user;
protected override async Task OnInitializedAsync()
{
var request = GraphClient.Me.Request();
user = await request.GetAsync();
}
}
Customize user claims with the Graph SDK
This section uses the utility classes (GraphClientExtensions.cs) described earlier in this article.
In the following example, the app creates a mobile phone number claim for a user from their AAD user profile's mobile phone number. The app must have the User.Read Graph API scope configured in AAD.
In the following custom user account factory, the framework's RemoteUserAccount represents the user's account. If the app requires a custom user account class that extends RemoteUserAccount, swap the custom user account class for RemoteUserAccount in the following code.
CustomAccountFactory.cs:
using System;
using System.Net.Http;
using System.Net.Http.Json;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication.Internal;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Graph;
public class CustomAccountFactory
: AccountClaimsPrincipalFactory<RemoteUserAccount>
{
private readonly ILogger<CustomAccountFactory> logger;
private readonly IServiceProvider serviceProvider;
public CustomAccountFactory(IAccessTokenProviderAccessor accessor,
IServiceProvider serviceProvider,
ILogger<CustomAccountFactory> logger)
: base(accessor)
{
this.serviceProvider = serviceProvider;
this.logger = logger;
}
public override async ValueTask<ClaimsPrincipal> CreateUserAsync(
RemoteUserAccount account,
RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options);
if (initialUser.Identity.IsAuthenticated)
{
var userIdentity = (ClaimsIdentity)initialUser.Identity;
try
{
var graphClient = ActivatorUtilities
.CreateInstance<GraphServiceClient>(serviceProvider);
var request = graphClient.Me.Request();
var user = await request.GetAsync();
if (user != null)
{
userIdentity.AddClaim(new Claim("mobilephone",
user.MobilePhone));
}
}
catch (ServiceException exception)
{
logger.LogError("Graph API service failure: {Message}",
exception.Message);
}
}
return initialUser;
}
}
In Program.cs, configure the MSAL authentication to use the custom user account factory: If the app uses a custom user account class that extends RemoteUserAccount, swap the custom user account class for RemoteUserAccount in the following code:
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.Extensions.Configuration;
builder.Services.AddMsalAuthentication<RemoteAuthenticationState,
RemoteUserAccount>(options =>
{
builder.Configuration.Bind("AzureAd",
options.ProviderOptions.Authentication);
options.ProviderOptions.DefaultAccessTokenScopes.Add(
"https://graph.microsoft.com/User.Read");
})
.AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, RemoteUserAccount,
CustomAccountFactory>();
Named client with Graph API
The examples in this section use a named HttpClient for Graph API to obtain a user's mobile phone number to process a call.
The examples in this section require a package reference for Microsoft.Extensions.Http for the standalone or Client app.
Note
For guidance on adding packages to .NET apps, see the articles under Install and manage packages at Package consumption workflow (NuGet documentation). Confirm correct package versions at NuGet.org.
Create the following class and project configuration for working with Graph API. The following class and configuration are used in each of the following subsections of this article:
After adding the Microsoft Graph API scopes in the AAD area of the Azure portal, provide the required scopes to the app's configured handler for Graph API. The following example configures the handler for the User.Read scope. Additional scopes can be added.
GraphAuthorizationMessageHandler.cs:
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
public class GraphAPIAuthorizationMessageHandler : AuthorizationMessageHandler
{
public GraphAPIAuthorizationMessageHandler(IAccessTokenProvider provider,
NavigationManager navigationManager)
: base(provider, navigationManager)
{
ConfigureHandler(
authorizedUrls: new[] { "https://graph.microsoft.com" },
scopes: new[] { "https://graph.microsoft.com/User.Read" });
}
}
In Program.cs, configure the named HttpClient for Graph API:
builder.Services.AddScoped<GraphAPIAuthorizationMessageHandler>();
builder.Services.AddHttpClient("GraphAPI",
client => client.BaseAddress = new Uri("https://graph.microsoft.com"))
.AddHttpMessageHandler<GraphAPIAuthorizationMessageHandler>();
Call Graph API from a component
This section uses the Graph Authorization Message Handler (GraphAuthorizationMessageHandler.cs) and Program.cs additions to the app described earlier in this article, which provides a named HttpClient for Graph API.
In a Razor component:
- Create an HttpClient for Graph API and issue a request for the user's profile data.
- The
UserInfo.csclass designates the required user profile properties with the JsonPropertyNameAttribute attribute and the JSON name used by AAD for those properties.
Pages/CallUser.razor:
@page "/CallUser"
@using System.ComponentModel.DataAnnotations
@using System.Text.Json.Serialization
@using Microsoft.AspNetCore.Components.WebAssembly.Authentication
@using Microsoft.Extensions.Logging
@inject IAccessTokenProvider TokenProvider
@inject IHttpClientFactory ClientFactory
@inject ILogger<CallUser> Logger
<h3>Call User</h3>
<EditForm Model="@callInfo" OnValidSubmit="@HandleValidSubmit">
<DataAnnotationsValidator />
<ValidationSummary />
<p>
<label>
Message:
<InputTextArea @bind-Value="callInfo.Message" />
</label>
</p>
<button type="submit">Place call</button>
<p>
@formStatus
</p>
</EditForm>
@code {
private string formStatus;
private CallInfo callInfo = new CallInfo();
private async Task HandleValidSubmit()
{
var tokenResult = await TokenProvider.RequestAccessToken(
new AccessTokenRequestOptions
{
Scopes = new[] { "https://graph.microsoft.com/User.Read" }
});
if (tokenResult.TryGetToken(out var token))
{
var client = ClientFactory.CreateClient("GraphAPI");
var userInfo = await client.GetFromJsonAsync<UserInfo>("v1.0/me");
if (userInfo != null)
{
// Use userInfo.MobilePhone and callInfo.Message to make a call
formStatus = "Form successfully processed.";
Logger.LogInformation(
$"Form successfully processed at {DateTime.UtcNow}. " +
$"Mobile Phone: {userInfo.MobilePhone}");
}
}
else
{
formStatus = "There was a problem processing the form.";
Logger.LogError("Token failure");
}
}
private class CallInfo
{
[Required]
[StringLength(1000, ErrorMessage = "Message too long (1,000 char limit)")]
public string Message { get; set; }
}
private class UserInfo
{
[JsonPropertyName("mobilePhone")]
public string MobilePhone { get; set; }
}
}
Customize user claims with Graph API and a named client
This section uses the Graph Authorization Message Handler (GraphAuthorizationMessageHandler.cs) and Program.cs additions to the app described earlier in this article, which provides a named HttpClient for Graph API.
In the following example, the app creates a mobile phone number claim for the user from their AAD user profile's mobile phone number. The app must have the User.Read Graph API scope configured in AAD.
Add a UserInfo.cs class to the app and designate the required user profile properties with the JsonPropertyNameAttribute attribute and the JSON name used by AAD for those properties:
using System.Text.Json.Serialization;
public class UserInfo
{
[JsonPropertyName("mobilePhone")]
public string MobilePhone { get; set; }
}
In the following custom user account factory, the framework's RemoteUserAccount represents the user's account. If the app requires a custom user account class that extends RemoteUserAccount, swap the custom user account class for RemoteUserAccount in the following code.
CustomAccountFactory.cs:
using System.Net.Http;
using System.Net.Http.Json;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication.Internal;
using Microsoft.Extensions.Logging;
public class CustomAccountFactory
: AccountClaimsPrincipalFactory<RemoteUserAccount>
{
private readonly ILogger<CustomAccountFactory> logger;
private readonly IHttpClientFactory clientFactory;
public CustomAccountFactory(IAccessTokenProviderAccessor accessor,
IHttpClientFactory clientFactory,
ILogger<CustomAccountFactory> logger)
: base(accessor)
{
this.clientFactory = clientFactory;
this.logger = logger;
}
public override async ValueTask<ClaimsPrincipal> CreateUserAsync(
RemoteUserAccount account,
RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options);
if (initialUser.Identity.IsAuthenticated)
{
var userIdentity = (ClaimsIdentity)initialUser.Identity;
try
{
var client = clientFactory.CreateClient("GraphAPI");
var userInfo = await client.GetFromJsonAsync<UserInfo>("v1.0/me");
if (userInfo != null)
{
userIdentity.AddClaim(new Claim("mobilephone",
userInfo.MobilePhone));
}
}
catch (AccessTokenNotAvailableException exception)
{
logger.LogError("Graph API access token failure: {Message}",
exception.Message);
}
}
return initialUser;
}
}
In Program.cs, configure the MSAL authentication to use the custom user account factory: If the app uses a custom user account class that extends RemoteUserAccount, swap the custom user account class for RemoteUserAccount in the following code:
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
...
builder.Services.AddMsalAuthentication<RemoteAuthenticationState,
RemoteUserAccount>(options =>
{
builder.Configuration.Bind("AzureAd",
options.ProviderOptions.Authentication);
})
.AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, RemoteUserAccount,
CustomAccountFactory>();
The preceding example is for an app that uses AAD authentication with MSAL. Similar patterns exist for OIDC and API authentication. For more information, see the examples in Customize the user with a payload claim section.
Named client with Graph API
The examples in this section use a named HttpClient for Graph API to obtain a user's mobile phone number to process a call.
The examples in this section require a package reference for Microsoft.Extensions.Http for the standalone or Client app.
Note
For guidance on adding packages to .NET apps, see the articles under Install and manage packages at Package consumption workflow (NuGet documentation). Confirm correct package versions at NuGet.org.
Create the following class and project configuration for working with Graph API. The following class and configuration are used in each of the following subsections of this article:
After adding the Microsoft Graph API scopes in the AAD area of the Azure portal, provide the required scopes to the app's configured handler for Graph API. The following example configures the handler for the User.Read scope. Additional scopes can be added.
GraphAuthorizationMessageHandler.cs:
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
public class GraphAPIAuthorizationMessageHandler : AuthorizationMessageHandler
{
public GraphAPIAuthorizationMessageHandler(IAccessTokenProvider provider,
NavigationManager navigationManager)
: base(provider, navigationManager)
{
ConfigureHandler(
authorizedUrls: new[] { "https://graph.microsoft.com" },
scopes: new[] { "https://graph.microsoft.com/User.Read" });
}
}
In Program.cs, configure the named HttpClient for Graph API:
builder.Services.AddScoped<GraphAPIAuthorizationMessageHandler>();
builder.Services.AddHttpClient("GraphAPI",
client => client.BaseAddress = new Uri("https://graph.microsoft.com"))
.AddHttpMessageHandler<GraphAPIAuthorizationMessageHandler>();
Call Graph API from a component
This section uses the Graph Authorization Message Handler (GraphAuthorizationMessageHandler.cs) and Program.cs additions to the app described earlier in this article, which provides a named HttpClient for Graph API.
In a Razor component:
- Create an HttpClient for Graph API and issue a request for the user's profile data.
- The
UserInfo.csclass designates the required user profile properties with the JsonPropertyNameAttribute attribute and the JSON name used by AAD for those properties.
Pages/CallUser.razor:
@page "/CallUser"
@using System.ComponentModel.DataAnnotations
@using System.Text.Json.Serialization
@using Microsoft.AspNetCore.Components.WebAssembly.Authentication
@using Microsoft.Extensions.Logging
@inject IAccessTokenProvider TokenProvider
@inject IHttpClientFactory ClientFactory
@inject ILogger<CallUser> Logger
<h3>Call User</h3>
<EditForm Model="@callInfo" OnValidSubmit="@HandleValidSubmit">
<DataAnnotationsValidator />
<ValidationSummary />
<p>
<label>
Message:
<InputTextArea @bind-Value="callInfo.Message" />
</label>
</p>
<button type="submit">Place call</button>
<p>
@formStatus
</p>
</EditForm>
@code {
private string formStatus;
private CallInfo callInfo = new CallInfo();
private async Task HandleValidSubmit()
{
var tokenResult = await TokenProvider.RequestAccessToken(
new AccessTokenRequestOptions
{
Scopes = new[] { "https://graph.microsoft.com/User.Read" }
});
if (tokenResult.TryGetToken(out var token))
{
var client = ClientFactory.CreateClient("GraphAPI");
var userInfo = await client.GetFromJsonAsync<UserInfo>("v1.0/me");
if (userInfo != null)
{
// Use userInfo.MobilePhone and callInfo.Message to make a call
formStatus = "Form successfully processed.";
Logger.LogInformation(
$"Form successfully processed at {DateTime.UtcNow}. " +
$"Mobile Phone: {userInfo.MobilePhone}");
}
}
else
{
formStatus = "There was a problem processing the form.";
Logger.LogError("Token failure");
}
}
private class CallInfo
{
[Required]
[StringLength(1000, ErrorMessage = "Message too long (1,000 char limit)")]
public string Message { get; set; }
}
private class UserInfo
{
[JsonPropertyName("mobilePhone")]
public string MobilePhone { get; set; }
}
}
Customize user claims with Graph API and a named client
This section uses the Graph Authorization Message Handler (GraphAuthorizationMessageHandler.cs) and Program.cs additions to the app described earlier in this article, which provides a named HttpClient for Graph API.
In the following example, the app creates a mobile phone number claim for the user from their AAD user profile's mobile phone number. The app must have the User.Read Graph API scope configured in AAD.
Add a UserInfo.cs class to the app and designate the required user profile properties with the JsonPropertyNameAttribute attribute and the JSON name used by AAD for those properties:
using System.Text.Json.Serialization;
public class UserInfo
{
[JsonPropertyName("mobilePhone")]
public string MobilePhone { get; set; }
}
In the following custom user account factory, the framework's RemoteUserAccount represents the user's account. If the app requires a custom user account class that extends RemoteUserAccount, swap the custom user account class for RemoteUserAccount in the following code.
CustomAccountFactory.cs:
using System.Net.Http;
using System.Net.Http.Json;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication.Internal;
using Microsoft.Extensions.Logging;
public class CustomAccountFactory
: AccountClaimsPrincipalFactory<RemoteUserAccount>
{
private readonly ILogger<CustomAccountFactory> logger;
private readonly IHttpClientFactory clientFactory;
public CustomAccountFactory(IAccessTokenProviderAccessor accessor,
IHttpClientFactory clientFactory,
ILogger<CustomAccountFactory> logger)
: base(accessor)
{
this.clientFactory = clientFactory;
this.logger = logger;
}
public override async ValueTask<ClaimsPrincipal> CreateUserAsync(
RemoteUserAccount account,
RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options);
if (initialUser.Identity.IsAuthenticated)
{
var userIdentity = (ClaimsIdentity)initialUser.Identity;
try
{
var client = clientFactory.CreateClient("GraphAPI");
var userInfo = await client.GetFromJsonAsync<UserInfo>("v1.0/me");
if (userInfo != null)
{
userIdentity.AddClaim(new Claim("mobilephone",
userInfo.MobilePhone));
}
}
catch (AccessTokenNotAvailableException exception)
{
logger.LogError("Graph API access token failure: {Message}",
exception.Message);
}
}
return initialUser;
}
}
In Program.cs, configure the MSAL authentication to use the custom user account factory: If the app uses a custom user account class that extends RemoteUserAccount, swap the custom user account class for RemoteUserAccount in the following code:
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
...
builder.Services.AddMsalAuthentication<RemoteAuthenticationState,
RemoteUserAccount>(options =>
{
builder.Configuration.Bind("AzureAd",
options.ProviderOptions.Authentication);
})
.AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, RemoteUserAccount,
CustomAccountFactory>();
The preceding example is for an app that uses AAD authentication with MSAL. Similar patterns exist for OIDC and API authentication. For more information, see the examples in Customize the user with a payload claim section.
Povratne informacije
Pošalјite i prikažite povratne informacije za