application：addKey

2024-04-04

命名空间：microsoft.graph

将密钥凭据添加到应用程序。应用程序可以使用此方法和 removeKey 来自动滚动其即将到期的密钥。

注意

创建应用程序和更新应用程序操作可以继续用于添加和更新具有或不具有用户上下文的任何应用程序的密钥凭据。

应仅在向应用程序添加证书凭据时提供公钥值。向应用程序添加私钥证书可能会危及应用程序。

作为此方法请求验证的一部分，在执行操作之前，将验证现有密钥的所有权证明。

如果应用程序没有任何现有有效证书 (尚未添加证书，或者所有证书都已) 过期，则无法使用此服务操作。可改用更新应用程序操作来执行更新。

此 API 可用于以下国家级云部署。

全局服务	美国政府 L4	美国政府 L5 (DOD)	由世纪互联运营的中国
✅	✅	✅	✅

权限

为此 API 选择标记为最低特权的权限。只有在应用需要它时，才使用更高的特权权限。有关委派权限和应用程序权限的详细信息，请参阅权限类型。要了解有关这些权限的详细信息，请参阅权限参考。

权限类型	最低特权权限	更高特权权限
委派（工作或学校帐户）	Application.ReadWrite.All	Directory.ReadWrite.All
委派（个人 Microsoft 帐户）	不支持。	不支持。
应用程序	Application.ReadWrite.OwnedBy	Application.ReadWrite.All、Directory.ReadWrite.All

注意

应用程序不需要任何特定权限即可滚动自己的密钥。

HTTP 请求

可以使用其 ID 或 appId 对应用程序进行寻址。 id 和 appId 在 Microsoft Entra 管理中心中的应用注册中分别称为“对象 ID”和“应用程序 (客户端) ID”。

POST /applications/{id}/addKey
POST /applications(appId='{appId}')/addKey

请求标头

名称	说明
Authorization	持有者 {token}。必填。详细了解身份验证和授权。
Content-Type	application/json. 必需。

请求正文

在请求正文中，提供以下必需属性。

属性	类型	说明
keyCredential	keyCredential	要添加的新应用程序密钥凭据。类型、用法和密钥是此用法的必需属性。支持的密钥类型包括： `AsymmetricX509Cert`：用法必须为 `Verify`。 `X509CertAndPassword`：用法必须为 `Sign`
passwordCredential	passwordCredential	只需要设置 secretText ，它应包含密钥的密码。仅类型为的 `X509CertAndPassword`键需要此属性。否则将其设置为 `null` 。
证明	String	用作现有密钥所有权证明的自签名 JWT 令牌。此 JWT 令牌必须使用与应用程序关联的现有有效证书之一对应的私钥进行签名。令牌应包含以下声明： aud：受众必须是 `00000002-0000-0000-c000-000000000000`。 iss：颁发者必须是发起请求的应用程序的 ID。 nbf：不是在时间之前。 exp：到期时间应为 nbf + 10 分钟的值。有关生成此所有权证明令牌的步骤，请参阅为滚动密钥生成所有权证明令牌。有关声明类型的详细信息，请参阅声明有效负载。

响应

如果成功，此方法在响应正文中返回响应 200 OK 代码和新的 keyCredential 对象。

示例

示例 1：向应用程序添加新密钥凭据

请求

以下示例显示了一个请求。

POST https://graph.microsoft.com/v1.0/applications/{id}/addKey
Content-type: application/json

{
    "keyCredential": {
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "key": "MIIDYDCCAki..."
    },
    "passwordCredential": null,
    "proof":"eyJ0eXAiOiJ..."
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Applications.Item.AddKey;
using Microsoft.Graph.Models;

var requestBody = new AddKeyPostRequestBody
{
	KeyCredential = new KeyCredential
	{
		Type = "AsymmetricX509Cert",
		Usage = "Verify",
		Key = Convert.FromBase64String("MIIDYDCCAki..."),
	},
	PasswordCredential = null,
	Proof = "eyJ0eXAiOiJ...",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].AddKey.PostAsync(requestBody);



mgc applications add-key post --application-id {application-id} --body '{\
    "keyCredential": {\
        "type": "AsymmetricX509Cert",\
        "usage": "Verify",\
        "key": "MIIDYDCCAki..."\
    },\
    "passwordCredential": null,\
    "proof":"eyJ0eXAiOiJ..."\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphapplications "github.com/microsoftgraph/msgraph-sdk-go/applications"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphapplications.NewAddKeyPostRequestBody()
keyCredential := graphmodels.NewKeyCredential()
type := "AsymmetricX509Cert"
keyCredential.SetType(&type) 
usage := "Verify"
keyCredential.SetUsage(&usage) 
key := []byte("mIIDYDCCAki...")
keyCredential.SetKey(&key) 
requestBody.SetKeyCredential(keyCredential)
passwordCredential := null
requestBody.SetPasswordCredential(&passwordCredential) 
proof := "eyJ0eXAiOiJ..."
requestBody.SetProof(&proof) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
addKey, err := graphClient.Applications().ByApplicationId("application-id").AddKey().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.applications.item.addkey.AddKeyPostRequestBody addKeyPostRequestBody = new com.microsoft.graph.applications.item.addkey.AddKeyPostRequestBody();
KeyCredential keyCredential = new KeyCredential();
keyCredential.setType("AsymmetricX509Cert");
keyCredential.setUsage("Verify");
byte[] key = Base64.getDecoder().decode("MIIDYDCCAki...");
keyCredential.setKey(key);
addKeyPostRequestBody.setKeyCredential(keyCredential);
addKeyPostRequestBody.setPasswordCredential(null);
addKeyPostRequestBody.setProof("eyJ0eXAiOiJ...");
KeyCredential result = graphClient.applications().byApplicationId("{application-id}").addKey().post(addKeyPostRequestBody);


const options = {
	authProvider,
};

const client = Client.init(options);

const keyCredential = {
    keyCredential: {
        type: 'AsymmetricX509Cert',
        usage: 'Verify',
        key: 'MIIDYDCCAki...'
    },
    passwordCredential: null,
    proof: 'eyJ0eXAiOiJ...'
};

await client.api('/applications/{id}/addKey')
	.post(keyCredential);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Applications\Item\AddKey\AddKeyPostRequestBody;
use Microsoft\Graph\Generated\Models\KeyCredential;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new AddKeyPostRequestBody();
$keyCredential = new KeyCredential();
$keyCredential->setType('AsymmetricX509Cert');
$keyCredential->setUsage('Verify');
$keyCredential->setKey(\GuzzleHttp\Psr7\Utils::streamFor(base64_decode('MIIDYDCCAki...')));
$requestBody->setKeyCredential($keyCredential);
$requestBody->setPasswordCredential(null);
$requestBody->setProof('eyJ0eXAiOiJ...');

$result = $graphServiceClient->applications()->byApplicationId('application-id')->addKey()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	keyCredential = @{
		type = "AsymmetricX509Cert"
		usage = "Verify"
		key = [System.Text.Encoding]::ASCII.GetBytes("MIIDYDCCAki...")
	}
	passwordCredential = $null
	proof = "eyJ0eXAiOiJ..."
}

Add-MgApplicationKey -ApplicationId $applicationId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.applications.item.add_key.add_key_post_request_body import AddKeyPostRequestBody
from msgraph.generated.models.key_credential import KeyCredential
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AddKeyPostRequestBody(
	key_credential = KeyCredential(
		type = "AsymmetricX509Cert",
		usage = "Verify",
		key = base64.urlsafe_b64decode("MIIDYDCCAki..."),
	),
	password_credential = None,
	proof = "eyJ0eXAiOiJ...",
)

result = await graph_client.applications.by_application_id('application-id').add_key.post(request_body)

响应

以下示例显示了相应的响应。

HTTP/1.1 200 OK
Content-Type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.keyCredential"
}

示例 2：添加密钥凭据和密钥的关联密码

请求