如何根据Azure AD组进行授权？

Question

Hi I am trying to implement Azure Groups based authorization in my .net core app.您好，我正在尝试在我的 .net 核心应用程序中实施基于 Azure 组的授权。 I have more groups like 100 to 200. I have added policies to add authorization.我有更多的组，比如 100 到 200。我已经添加了策略来添加授权。

services.AddAuthorization(options =>
            {   
                options.AddPolicy("GroupsCheck", policy =>
                {
                    policy.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
                    policy.RequireAuthenticatedUser();
                    policy.Requirements.Add(new GroupsCheckRequirement("11b250bf-76c0-4efe-99f2-2d781bae43bb")); //currently hard coded but want to include all the groups returned from MS graph
                });
            });

Then然后

 GraphServiceClient client = await MicrosoftGraphClient.GetGraphServiceClient();
 var groupList = await client.Users[userId].TransitiveMemberOf.Request().GetAsync();

This will return more than 100 groups.这将返回 100 多个组。 Now in policy I want to include all these groups.现在在政策中我想包括所有这些群体。 Is hard coding in config file all the groups will better way?在配置文件中对所有组进行硬编码会更好吗？ Also my JWT token has only hasgroups:true rather than group ids.此外，我的 JWT 令牌只有 hasgroups:true 而不是组 ID。 So how can I authorize based on groups?那么如何基于组进行授权呢？ can someone help me to find good way?有人可以帮我找到好方法吗？ thanks谢谢

Answer 1

According to my test, if you just want to use groups based authorization, please refer to the following code:根据我的测试，如果你只想使用groups based authorization，请参考下面的代码：

change Startup.cs更改 Startup.cs

services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
      .AddAzureAD(options => configuration.Bind(configSectionName, options));
  services.Configure<AzureADOptions>(options => configuration.Bind(configSectionName, options));
services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
            {
options.Authority = options.Authority + "/v2.0/";
options.TokenValidationParameters.NameClaimType = "preferred_username";
 // Use the groups claim for populating roles
              options.TokenValidationParameters.RoleClaimType = "groups";
});
 services.AddMvc(options =>
      {
          var policy = new AuthorizationPolicyBuilder()
              .RequireAuthenticatedUser()
              .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
            })
        .SetCompatibilityVersion(CompatibilityVersion.Latest);

Add the following code in the controller or method在controller或方法中添加如下代码

if(User.Identity.IsAuthenticated){
   if (User.IsInRole("<group id>"))
            {
                 // do other action

            }
            else if (User?.FindFirst("_claim_names")?.Value != null)
            {

                /* call Graph API to check if the user is in the group

                     for example
                     GraphServiceClient client = await MicrosoftGraphClient.GetGraphServiceClient();
var memberOfGroups= await client.Me.TransitiveMemberOf.Request().GetAsync();


                    do
                    {
                        bool breakLoops = false;

                        foreach (var directoryObject in memberOfGroups.CurrentPage)
                        {
                            if (directoryObject is Group)
                            {
                                Group group = directoryObject as Group;
                                if (group.Id == "<group id>") {

                                    breakLoops = true;
                                    break;

                                }

                            }
                        }
                        if (breakLoops)
                        {
                            break;
                        }
                        if (memberOfGroups.NextPageRequest != null)
                        {
                            memberOfGroups = await memberOfGroups.NextPageRequest.GetAsync();
                        }
                        else
                        {
                            memberOfGroups = null;
                        }
                    } while (memberOfGroups != null);

               */


            }
            else {

                // do not have enough permissions
            }

}

For more details, please refer to the sample更多详情，请参考样本

Answer 2

I'm working on a blazor server application and have been struggling with exactly this issue so I thought I'd post my solution here:) In the AuthorizationPolicyBuilder , call the .RequireClaim() method and specify the string "groups" and the ObjectId of your security group.我正在处理blazor服务器应用程序并且一直在努力解决这个问题所以我想我会在这里发布我的解决方案:)在AuthorizationPolicyBuilder中，调用.RequireClaim()方法并指定字符串"groups"和ObjectId您的安全组。

Before this works though, you have to go into your不过，在此之前，您必须先将 go 输入您的

Azure portal -> Azure Ad -> app registrations -> token configurations -> add groups claim. Azure 门户 -> Azure 广告 -> 应用注册 -> 令牌配置 -> 添加组声明。

Make sure you check off the checkbox in Security Groups and the Group ID checkbox in { ID, Access, SAML }确保选中安全组中的复选框和{ ID, Access, SAML }中的组 ID 复选框

I don't know if this is best practice, but it worked for me:)我不知道这是否是最佳做法，但它对我有用:)

Here's the code from Startup.cs这是 Startup.cs 中的代码

public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => Configuration.Bind("AzureAd", options));

        services.AddControllersWithViews(options =>
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .RequireClaim("groups", "<insert object id for group>")
                .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        });

    }

如何根据Azure AD组进行授权？

问题描述

2 个解决方案

解决方案1
2 已采纳 2020-02-05 02:13:48

解决方案2
2 2020-03-27 10:06:50

如何根据Azure AD组进行授权？

问题描述

2 个解决方案

解决方案1 2 已采纳 2020-02-05 02:13:48

解决方案2 2 2020-03-27 10:06:50

解决方案1
2 已采纳 2020-02-05 02:13:48

解决方案2
2 2020-03-27 10:06:50