Web API中具有令牌的Azure AD和基于组的授权

Question

In my Azure AD I have user and group. 在我的Azure AD中，我有用户和组。 I want to give an access to users according to a group the belong to. 我想根据所属的组为用户提供访问权限。

I successfully implement it in ASP.NET MVC application. 我在ASP.NET MVC应用程序中成功实现了它。 How I set up group claims: 我如何设置团体索赔：

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
        .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

    services.AddSpaStaticFiles(c => { c.RootPath = "ClientApp/dist";});

     services.AddAuthorization(options =>
    {
        options.AddPolicy("Admins",
            policyBuilder =>
            {
                policyBuilder.RequireClaim("groups",
                    Configuration.GetValue<string>("AzureSecurityGroup:AdminObjectId"));
            });
    });

    services.AddAuthorization(options =>
    {
        options.AddPolicy("Employees",
            policyBuilder =>
            {
                policyBuilder.RequireClaim("groups",
                    Configuration.GetValue<string>("AzureSecurityGroup:EmployeeObjectId"));
            });
    });

    services.AddAuthorization(options =>
    {
        options.AddPolicy("Managers",
            policyBuilder => policyBuilder.RequireClaim("groups", Configuration.GetValue<string>("AzureSecurityGroup:ManagerObjectId")));
    });

    services.Configure<AzureADOptions>(Configuration.GetSection("AzureAd"));
}

And if I want to restrict access for non-admin user to Contacts page I do this: 如果我想限制非管理员用户对“联系人”页面的访问，请执行以下操作：

public class HomeController : Controller
{
    [Authorize(Policy = "Admins")]
    public IActionResult Contact()
    {
        ViewData["Message"] = "Your contact page.";

        return View();
    }
}

It works Now the idea is to create an web api controller and restrict access to some of the method. 它可以正常工作现在的想法是创建一个Web api控制器并限制对某些方法的访问。

//[Authorize]
[Route("api/[controller]")]
[ApiController]
public class ValuesController : ControllerBase
{
    // GET api/values
    [HttpGet]
    public ActionResult<IEnumerable<string>> Get()
    {
        return new string[] {"value1", "value2"};
    }

    // GET api/values/5
    [Authorize(Policy = "Admins")]
    [HttpGet("{id}")]
    public ActionResult<string> Get(int id)
    {
        return "value";
    }
}

I use postman. 我用邮递员。 I get an access token: 我得到一个访问令牌：

POST https://login.microsoftonline.com/ {tenant_id}/oauth2/token POST https://login.microsoftonline.com/ {tenant_id} / oauth2 / token

then send 然后发送

GET https://localhost/api/values/1 获取https：// localhost / api / values / 1

with header Authorization and value Bearer {token} but get Unauthorized access (401). 具有标头Authorization和值Bearer {token}，但获得未经授权的访问（401）。 (Unprotected https://localhost/api/values works as expected though). （但不受保护的https：// localhost / api / values可以正常工作）。 I suspect that I pass wrong token, I check it on https://jwt.io/ and it does not contain information about a group the user belongs to. 我怀疑传递了错误的令牌，我在https://jwt.io/上对其进行了检查，它不包含有关用户所属组的信息。 Should I configure it in the code another way? 是否应该以其他方式在代码中进行配置？ Thanks 谢谢

Update 1 (decoded token): 更新1（已解码令牌）：

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ",
  "kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ"
}.{
  "aud": "00000002-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/xxxxxxxx-1835-453d-a552-28feda08393e/",
  "iat": 1544770435,
  "nbf": 1544770435,
  "exp": 1544774335,
  "aio": "42RgYPjkVuw2Z/fJtp+RF/mUp7Z5AQA=",
  "appid": "963418bb-8a31-4c47-bc91-56b6e51181dc",
  "appidacr": "1",
  "idp": "https://sts.windows.net/xxxxxxxx-1835-453d-a552-28feda08393e/",
  "oid": "0dfb0f07-b6e1-4318-ba33-066e1fc3c0ac",
  "sub": "0dfb0f07-b6e1-4318-ba33-066e1fc3c0ac",
  "tenant_region_scope": "EU",
  "tid": "xxxxxxxx-1835-453d-a552-28feda08393e",
  "uti": "cxlefO0ABkimo2z-7L0IAA",
  "ver": "1.0"
}.[Signature]

Answer 1

When using grant_type is client_credentials , that means you are using the client credentials flow to acquire access token for accessing the resource : 当使用grant_type为client_credentials ，这意味着您正在使用客户机凭证流来获取用于访问资源的访问令牌：

https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow

The OAuth 2.0 Client Credentials Grant Flow permits a web service (confidential client) to use its own credentials instead of impersonating a user, to authenticate when calling another web service. OAuth 2.0客户端凭据授予流程允许Web服务（机密客户端）使用自己的凭据而不是模拟用户，从而在调用另一个Web服务时进行身份验证。 In this scenario, the client is typically a middle-tier web service, a daemon service, or web site. 在这种情况下，客户端通常是中间层Web服务，守护程序服务或网站。

In this scenario , the client use its own credentials instead of impersonating a user , no user information/identity is included in this scenario. 在这种情况下，客户端使用自己的凭据而不是模拟用户，在这种情况下不包括用户信息/身份。 You should use Code Grant Flow to authorize access to web applications and web APIs using user's identity : 您应该使用代码授予流来使用用户身份授权对Web应用程序和Web API的访问：

https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code

Web API中具有令牌的Azure AD和基于组的授权

问题描述

1 个解决方案

解决方案1
1 2018-12-14 08:01:35

Web API中具有令牌的Azure AD和基于组的授权

问题描述

1 个解决方案

解决方案1 1 2018-12-14 08:01:35

解决方案1
1 2018-12-14 08:01:35