在PHP中获取Azure AD用户角色
[英]Get Azure AD User Roles In PHP
问题描述
I have a small application I am writing in PHP where I need to check if a given user has a given role assigned to them. 
我有一个用PHP编写的小应用程序,需要检查给定用户是否具有分配给他们的角色。 I am using Azure App Service with app service authentication enabled to authenticate users against the azure active directory. 我正在使用启用了应用程序服务身份验证的Azure App Service,以针对蔚蓝活动目录对用户进行身份验证。 As part of the application I need to get the users username, display name, and if they are a member of one or more of three security groups which they could be a part of to define what access levels they have within the application. 作为应用程序的一部分,我需要获取用户的用户名,显示名称,并且如果他们是三个安全组中一个或多个的成员,则可以将其定义为他们在应用程序中具有的访问级别。
I need to do it this way as I can't have the roles managed within the application, instead it needs to be managed through active directory security groups. 我需要这样做,因为我无法在应用程序中管理角色,而是需要通过活动目录安全组进行管理。 I am seeking a method that is native to azure app service (as in ideally not doing a separate LDAP lookup if possible). 我正在寻找azure应用程序服务固有的方法(如可能,最好不要进行单独的LDAP查找)。 I know how to extract the authenticated username from the header data sent to the application ( HTTP_X_MS_CLIENT_PRINCIPAL_NAME ) however I don't know how I can get the full display name and how to check if a user has specific roles assigned to them. 我知道如何从发送到应用程序的头数据( HTTP_X_MS_CLIENT_PRINCIPAL_NAME )中提取经过身份验证的用户名,但是我不知道如何获取完整的显示名称以及如何检查用户是否具有分配给他们的特定角色。 I have already output a copy of the entire php $_SERVER super global array to see if the data I am seeking is in there but I can't find it in there. 我已经输出了整个php $_SERVER超级全局数组的副本,以查看我要查找的数据是否在其中,但我无法在其中找到它。
For the purposes of this question make the following assumptions... 为了这个问题的目的,进行以下假设...
user1@domain.com is assigned the roles role1, role2, role3 为user1@domain.com分配了角色role1,role2,role3
user2@domain.com is assigned the role role3 only 仅为user2@domain.com分配了角色role3
So if either user logs in I need to be able to show their full name based on their AD entry and need to be able to check if they are part of security groups role1 role2 and/or role3 . 因此,如果任何一个用户登录,我都需要能够根据其AD条目显示其全名,并且需要能够检查它们是否属于安全组role1 role2和/或role3 。
I would post an example of my code but I have no idea where to start with getting this data so the only code I have thus far is a test block to print all the $_SERVER values onto the page for testing purposes. 我将发布一个代码示例,但是我不知道从哪里开始获取这些数据,因此到目前为止,我唯一的代码是一个测试块,用于将所有$_SERVER值打印到页面上以进行测试。
Thanks 谢谢
1 个解决方案
解决方案1
0 已采纳 2017-02-08 06:13:28
Generally speaking, you can leverage Microsoft Graph REST APIs yo achieve your requirement. 一般来说,您可以利用Microsoft Graph REST API来满足您的要求。
First of all, you can follow https://graph.microsoft.io/en-us/docs/authorization/app_only to implement the functionality to acquire access token in app only way, then you can make a HTTP request of List memberOf to get groups and directory roles that the user is a direct member of. 首先,您可以按照https://graph.microsoft.io/en-us/docs/authorization/app_only实现仅以应用方式获取访问令牌的功能,然后可以发出List memberOf的HTTP请求以获取用户直接所属的组和目录角色。
The HTTP GET url should be like https://graph.microsoft.com/v1.0/users/{HTTP_X_MS_CLIENT_PRINCIPAL_NAME you get from header}/memberOf , and set the access token you get above in the authorization header. HTTP GET URL应该类似于https://graph.microsoft.com/v1.0/users/{HTTP_X_MS_CLIENT_PRINCIPAL_NAME you get from header}/memberOf ,并在authorization标头中设置您获得的访问令牌。
Furthermore, you can refer to https://github.com/Azure-Samples/active-directory-php-graphapi-directoryextensions-web/blob/master/AuthorizationHelperForGraph.php the sample for how acquire the access token in app only. 此外,您可以参考https://github.com/Azure-Samples/active-directory-php-graphapi-directoryextensions-web/blob/master/AuthorizationHelperForGraph.php示例,了解如何仅在应用程序中获取访问令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.