将存储在数据库中的用户配置文件链接到Azure Active Directory帐户
[英]Link user's profile stored in DB to Azure Active Directory account
问题描述
We use Azure Active Directory(OpenId and OAuth2) for authorization and authentication needs. 
我们将Azure Active Directory(OpenId和OAuth2)用于授权和身份验证需求。 We also would like to keep users' profiles in one of our microservices, let's name this service "User Preferences". 我们还希望将用户的个人资料保存在我们的微服务之一中,我们将该服务命名为“用户首选项”。 The service will store many specific fields required only for one of our products and it is why we don't want to store them in Active Directory(custom fields). 该服务将存储许多仅一种产品所需的特定字段,这就是为什么我们不想将它们存储在Active Directory(自定义字段)中的原因。
Having all of this, we are searching for the best Azure AD field we can use to connect user's profile to Active Directory account. 有了所有这些,我们正在寻找最佳的Azure AD字段,可用于将用户的配置文件连接到Active Directory帐户。
There're several candidates: 有几个候选人:
- UPN - in some cases JWT doesn't contain it UPN-在某些情况下,JWT不包含它
- ObjectId - always available, but not read-friendly and unique in multi tenant structure ObjectId-始终可用,但不可读且在多租户结构中是唯一的
- Unique Name - should be used only to display it on UI(recommended by Azure) 唯一名称-应该仅用于在UI上显示它(Azure推荐)
Could you please recommend the best field for our case? 您能为我们的案例推荐最佳领域吗?
1 个解决方案
解决方案1
1 已采纳 2018-12-21 20:42:48
Compiling my comments as an answer: 整理我的评论作为答案:
Object id or name identifier (sub claim) are the only immutable fields you can choose from. 您只能选择对象ID或名称标识符(子声明)。 Using the UPN is dangerous as it can be changed. 使用UPN是危险的,因为可以对其进行更改。
Object id is unique across directories, though if you support multiple tenants you should store the tenant id (tid) as well. 对象ID在目录中是唯一的,但是如果您支持多个租户,则还应该存储租户ID(tid)。
UPN can change when an admin changes it. UPN可以在管理员更改时更改。
And also, if a user is invited as a guest to other AAD tenants, they'll have an object id per directory, it won't be the same. 而且,如果邀请一个用户作为访客来邀请其他AAD租户,则他们在每个目录中都有一个对象ID,那就不一样了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.