[英]Authorize Azure App Service endpoints for different user groups
I have a simple Azure App Service that exposes two REST endpoints.我有一个简单的 Azure 应用服务,它公开了两个 REST 端点。 Is it possible to set up an authentication scheme so that each endpoint can only be accessed by a specific group of Azure AD users?
是否可以设置一个身份验证方案,以便每个端点只能由一组特定的 Azure AD 用户访问?
Endpoint A (HTTP/GET) <- Accessible by User Group A
Endpoint B (HTTP/POST) <- Accessible by User Group B
If not by configuration, is it possible to do this programmatically?如果不是通过配置,是否可以以编程方式执行此操作?
Thanks in advance.提前致谢。
The short answer: yes, that is possible.简短的回答:是的,这是可能的。
The longer answer: this is not something that can be done with a single configuration setting or one line of code.更长的答案:这不是通过单个配置设置或一行代码可以完成的。 The exact steps depend on the language you used to write the API.
具体步骤取决于您用于编写 API 的语言。
In general, you need to add AAD authentication to the application.一般情况下,您需要在应用程序中添加 AAD 身份验证。 Make sure the token you're getting from AAD includes security groups in its claims.
确保您从 AAD 获得的令牌在其声明中包含安全组。 Then, add authorization based on the security groups in those claims.
然后,根据这些声明中的安全组添加授权。
For ASP.NET, here's are two great articles:对于 ASP.NET,这里有两篇很棒的文章:
Quickstart: Protect an ASP.NET Core web API with the Microsoft identity platform 快速入门:使用 Microsoft 标识平台保护 ASP.NET 内核 web API
Add authorization using groups & group claims to an ASP.NET Core Web app that signs-in users with the Microsoft identity platform 使用组和组声明向使用 Microsoft 标识平台登录用户的 ASP.NET 核心 Web 应用程序添加授权
Interesting links:有趣的链接:
Microsoft Identity Platform 微软身份平台
Microsoft Authentication Library (MSAL) Microsoft 身份验证库 (MSAL)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.