How to configure users' access to an API protected with Azure AD OAuth2

We have an existing "private/internal" API (non-MS/Azure) that we would like to protect with OAuth2 provided by Azure AD, so that the users' access to the API can be maintained by the Azure AD administrators.

It seems like the way to do this is to configure the API as a web application in Azure AD. Then, users can get the authorization token from the Azure OAuth2 server and send it to the API (e.g. from a single-page web app).

As per my understanding, the API is expected to validate the scope received in the token and make a decision regarding access.

But I can't figure out how to configure the API access scope in Azure AD against a user, i.e. how to link a particular user and the API scope in Azure AD?

Can someone please advise?

Thank you.

When you configure the app, you can enable "User assignment required" (in the Enterprise application Properties in the Azure Portal), and then configure which users or groups should have access.

Alternatively, if you need more granularity, you can use role-based access, where you define roles in the application manifest ( https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles ), and then assign users to the different roles.

The [Authorize] attributes on the API controllers, or on actions in them, can then be configured with the roles required to access them, like so: [Authorize(Roles = "Admin, Writer, Approver")] (any of the three named roles has access).

There is a sample which demonstrates this.
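As an added illustration of the answer above (example code, not the linked sample or the original poster's project), here is a minimal ASP.NET Core API that validates Azure AD v2.0 access tokens and gates a write endpoint on the app roles that Azure AD places in the token's "roles" claim; the tenant id and Application ID URI are placeholders, and the Microsoft.AspNetCore.Authentication.JwtBearer package is assumed to be referenced.

```csharp
// Added example, not from the original answer: Azure AD-protected API using app roles.
// Replace <TENANT-ID> and <API-APPLICATION-ID> with your own tenant and app registration.
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Issuer and signing keys are discovered from the tenant's OpenID Connect metadata,
        // so tokens issued by any other tenant or signed with an unknown key are rejected.
        options.Authority = "https://login.microsoftonline.com/<TENANT-ID>/v2.0";
        // The "aud" claim must name this API; tokens minted for another resource are rejected.
        options.Audience = "api://<API-APPLICATION-ID>";
        // App roles assigned to the user (or the user's group) arrive in the "roles" claim.
        options.TokenValidationParameters.RoleClaimType = "roles";
    });

builder.Services.AddAuthorization(options =>
{
    // Same semantics as [Authorize(Roles = "Admin, Writer, Approver")]: any one role suffices.
    options.AddPolicy("CanWrite", policy => policy.RequireRole("Admin", "Writer", "Approver"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Any user who obtained a valid token for this API (subject to "User assignment required"
// on the enterprise application) may read.
app.MapGet("/documents", () => Results.Ok(new[] { "doc1", "doc2" }))
   .RequireAuthorization();

// Only callers whose token carries one of the listed app roles may write.
app.MapPost("/documents", () => Results.Created("/documents/doc3", null))
   .RequireAuthorization("CanWrite");

app.Run();
```

A token that passes signature, issuer and audience checks but carries none of the three roles receives 403 from the POST endpoint, while a token that fails validation receives 401 from both.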
