
asp.net azure active directory user profile data

I'm working on an MVC application using Azure's AD authentication. I have been looking for a best practice or suggested way to 'extend' the user profile data. For example, I want the users to have a date of birth stored against themselves.

I have looked at this but it doesn't really answer my question: Active Directory User Data Storage

I can't find anything else kind of close to the solution either; all other solutions are for the other type of authentication.

One thing to note is the application only has read access to the AD, if that matters for what I'm asking. I hope to just create a User model which uses the User.Identity.GetUserId() (is this ever going to change? If it does, what can I use that won't?).

Thanks in advance!

I have a couple of options to suggest here.

Option 1 - you can use your own application profile store, for storing additional user profile information for properties not present in the directory. Basically when your app gets a user token (or a JWT token) for the signed-in user, you'll get an objectId (oid) claim in the token. This is a unique id for the user (across ALL of Azure AD). You can use this as a key in your user profile store, and use this key to essentially link user info in AAD to user info in your app store.

Option 2 - use directory schema extensions. Azure AD (via Graph API) allows your application to declare additional properties to extend your customer's Azure AD schema. Here you could extend the User entity with a new dateOfBirth property. Customers (admins) of your (multi-tenant) app would need to consent to allow your app to write to their directory, which on consent would extend their User entity schema with the extension properties your app declares. Your app (or in fact any app) can then read and write to this new extension property. NOTE: currently there is no special access control on these extension properties - if a user or app has permissions to read a User entity (in this case), they'll be able to read any extension properties declared by any applications - including yours.
For more information on directory extensions please see https://msdn.microsoft.com/en-us/library/azure/dn720459.aspx and http://blogs.msdn.com/b/aadgraphteam/archive/2014/03/06/extend-azure-active-directory-schema-using-graph-api-preview.aspx (despite what this blog post says, schema extensions are now GA in version 1.5 of the Graph API). Directory schema extensions are also supported through the Graph Client Library, and you can see this in the console sample here on github: https://github.com/AzureADSamples/ConsoleApp-GraphAPI-DotNet .

HTHs,
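Option 1 in code, as an added example that is not part of the answer above: the profile row is keyed on the oid claim from the token (prefixed with the tid claim, an extra choice here so one row can never be confused with a user of another tenant), never on a mutable value such as UPN or display name. The claim type URIs are the ones the OWIN OpenID Connect middleware emits for Azure AD tokens; `UserProfileStore` is a hypothetical in-memory stand-in for a database table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

public static class AadClaims
{
    // Claim types populated by the OWIN OpenID Connect middleware for Azure AD tokens.
    public const string ObjectId = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    public const string TenantId = "http://schemas.microsoft.com/identity/claims/tenantid";

    // Returns "tid:oid". Throws instead of falling back to name or email, which
    // can be renamed or reassigned and would let one user inherit another's profile.
    public static string GetStableUserKey(ClaimsPrincipal user)
    {
        var oid = user?.FindFirst(ObjectId)?.Value;
        var tid = user?.FindFirst(TenantId)?.Value;
        if (string.IsNullOrEmpty(oid) || string.IsNullOrEmpty(tid))
            throw new InvalidOperationException("Token is missing the oid or tid claim.");
        return $"{tid}:{oid}";
    }
}

// Application-side record for data that Azure AD does not hold (the app only reads AD).
public class UserProfile
{
    public string Key { get; set; }          // tid:oid from the token
    public DateTime? DateOfBirth { get; set; }
}

// Hypothetical store; in a real app this is a table whose primary key is Key.
public class UserProfileStore
{
    private readonly Dictionary<string, UserProfile> _rows = new Dictionary<string, UserProfile>();

    // Looks up the signed-in user's row by the stable key, creating it on first sign-in.
    public UserProfile GetOrCreate(ClaimsPrincipal user)
    {
        var key = AadClaims.GetStableUserKey(user);
        if (!_rows.TryGetValue(key, out var profile))
        {
            profile = new UserProfile { Key = key };
            _rows[key] = profile;
        }
        return profile;
    }
}

// In a controller action (User is the ClaimsPrincipal of the current request):
//   var profile = _store.GetOrCreate(User);
//   profile.DateOfBirth = new DateTime(1990, 1, 1);
```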
