Dynamics CRM 2015/2016 Web API：验证和授权

在上篇文章里面我给大家展示了一些如果使用Web API进行业务处理的URL，让大家对这套新的API有个感性的认识，那么今天，我们来看看怎么在重客户端（非浏览器脚本）下怎么完成权限的授予和验证。

相对于轻客户端（浏览器脚本），在重客户端环境下调用CRM Web API需要考虑权限验证的细节，还好微软已经给我们提供了SDK，免去重复发明轮子的烦恼，让我们有更多的精力放在业务逻辑的实现上面。下面我给大家演示一下怎么在重客户端下完成授权和验证，并调用Create API创建一条客户记录。

首先给大家介绍一下微软为我们提供的授权和验证辅助类，当然下面这个类被我做了微调，这样它就能支持更加复杂的调用场景，比如：CRM Online环境。

// =====================================================================//  This file is part of the Microsoft Dynamics CRM SDK code samples.////  Copyright (C) Microsoft Corporation.  All rights reserved.////  This source code is intended only as a supplement to Microsoft//  Development Tools and/or on-line documentation.  See these other//  materials for detailed information regarding Microsoft code samples.////  THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY//  KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE//  IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A//  PARTICULAR PURPOSE.// =====================================================================using Microsoft.IdentityModel.Clients.ActiveDirectory;using System;using System.Net.Http;using System.Net.Http.Headers;using System.Security;using System.Configuration;namespace Microsoft.Crm.Sdk.Samples.HelperCode{    /// <summary>    /// Manages user authentication with the Dynamics CRM Web API (OData v4) services. This class uses Microsoft Azure    /// Active Directory Authentication Library (ADAL) to handle the OAuth 2.0 protocol.     /// </summary>  public class Authentication    {        #region Constructors        private string _clientId = null;        private string _service = null;        private string _redirectUrl = null;        private string _username = null;        private string _password = null;        //private Configuration _config;        /// <summary>        /// Establishes an authenticaion session for the service.        /// </summary>        /// <param name="config">A populated configuration object.</param>        //public Authentication(Configuration config)        //    : this(config.ClientId, config.ServiceUrl, config.RedirectUrl)        //{        //    _config = config;        //}        /// <summary>        /// Establishes an authenticaion session for the service.        /// </summary>        /// <param name="clientId">The client ID of an Azure Active Directory registered app.</param>        /// <param name="service">The URL of the CRM server root address. For example: https://mydomain.crm.dynamics.com</param>        /// <param name="redirect">The redirect URL of an Azure Active Directory registered app.</param>        public Authentication(String clientId, String service, String redirect, String username, String password)        {            _clientId = clientId;            _service = service;            _redirectUrl = redirect;            _username = username;            _password = password;            _context = new AuthenticationContext(Authority, false);        }        #endregion Constructors        #region Properties        private AuthenticationContext _context = null;        private string _authority = null;        /// <summary>        /// The authentication context.        /// </summary>        public AuthenticationContext Context        { get { return _context; } }        /// <summary>        /// The URL of the authority to be used for authentication.        /// </summary>        public string Authority        {            get            {                if (_authority == null)                    DiscoverAuthority(_service);                return _authority;            }            set { _authority = value; }        }        #endregion Properties        #region Methods        /// <summary>        /// Returns the authentication result for the configured authentication context.        /// </summary>        /// <returns>The refreshed access token.</returns>        /// <remarks>Refresh the access token before every service call to avoid having to manage token expiration.</remarks>        public AuthenticationResult AcquireToken()        {            if (!string.IsNullOrEmpty(_username) && !string.IsNullOrEmpty(_password))            {                UserCredential cred = new UserCredential(_username, _password);                return _context.AcquireToken(_service, _clientId, cred);            }            return _context.AcquireToken(_service, _clientId, new Uri(_redirectUrl));        }        /// <summary>        /// Returns the authentication result for the configured authentication context.        /// </summary>        /// <param name="username">The username of a CRM system user in the target organization. </param>        /// <param name="password">The password of a CRM system user in the target organization.</param>        /// <returns>The authentication result.</returns>        /// <remarks>Setting the username or password parameters to null results in the user being prompted to        /// enter logon credentails. Refresh the access token before every service call to avoid having to manage        /// token expiration.</remarks>        public AuthenticationResult AcquireToken(string username, SecureString password)        {            try            {                if (!string.IsNullOrEmpty(username) && password != null)                {                    UserCredential cred = new UserCredential(username, password);                    return _context.AcquireToken(_service, _clientId, cred);                }            }            catch (Exception e)            {                throw new Exception("Authentication failed. Verify the configuration values are correct.", e);            }            return null;        }        /// <summary>        /// Discover the authentication authority.        /// </summary>        /// <param name="serviceUrl">The URL of the CRM server root address. For example: https://mydomain.crm.dynamics.com</param>        public void DiscoverAuthority(String serviceUrl)        {            try            {                AuthenticationParameters ap = AuthenticationParameters.CreateFromResourceUrlAsync(new Uri(serviceUrl + "/api/data/")).Result;                if (!String.IsNullOrEmpty(ap.Resource))                {                    _service = ap.Resource;                }                _authority = ap.Authority;            }            catch (HttpRequestException e)            {                throw new Exception("An HTTP request exception ocurred during authority discovery.", e);            }        }        #endregion Methods    }}

它的使用也非常的简单，只需要通过少数几行代码就可以获得当前用户的AccessToken。我们在拿到这个Token后，只需要将其添加进Http的header集合里面，则可以为当前请求进行授权处理：

  Authentication auth = new Authentication(clientId, service, redirectUrl, username, password);            //create an account            JObject acc = new JObject();            acc.Add("name", "this account was created by WEB API");            HttpRequestMessage createReq = new HttpRequestMessage(HttpMethod.Post, string.Format("api/data/accounts"));            createReq.Content = new StringContent(JsonConvert.SerializeObject(acc), Encoding.UTF8, "application/json");            createReq.Headers.Authorization = new AuthenticationHeaderValue("Bearer", auth.AcquireToken().AccessToken);            HttpResponseMessage createResponse = await client.SendAsync(createReq).ConfigureAwait(false);            string accountUri = string.Empty;            if (createResponse.IsSuccessStatusCode)            {                var result = await createResponse.Content.ReadAsStringAsync();                accountUri = createResponse.Headers.GetValues("OData-EntityId").FirstOrDefault();            }

是不是很简单呢？ 简单的说，我们现在做的事情，类似于构造API访问代理，有了这个代理，我们就能对服务器上的数据进行操作啦，大家赶紧试试吧！