Azure AD Login flow to SPA application require admin approval for first login only

I have a SPA app registration in Azure AD and a react-based login flow using msal-react. Is it possible to make it so regular users are required to request access to the application only for the first login attempt to the app? After an admin approves it, it should no longer be needed to request it again. The things I've tried are:

  • Append `prompt: "consent"` to the login request - This works, but when the admin receives an email and approves the request, the user is asked to request it again, thus resulting in an infinite request->approve loop.
  • I've enabled and configured Admin Consent Requests under Enterprise Applications -> Manage -> User Settings.
  • I have exposed an API from my WebAPI app that has the value "Admins only" for "Who can consent?" (not sure if this is correct). This permission is added to my SPA application and I have not granted admin consent for it (again, not sure if this is the correct configuration for this).

(screenshot: SPA API Permissions)

With the above configuration the user can freely login to the app without any "Request Admin Consent" popup visible at all.

Is what I am trying to achieve possible at all? If yes, what am I missing in my configuration? Any help would be much appreciated! Thanks!

EDIT #1: I've specified the api://id/Test.Read scope in the login request via msal-react.

When an admin approves an admin consent request, they will usually grant consent on behalf of all users, not only on behalf of the user who requested access.

It sounds like you're looking for a strategy where each user needs to be approved (once) before they can use an app. This is more of a question of a user's authorization to access the app, rather than the app's authorization to access an API on behalf of a user (or a user's permission to grant that authorization).

You can consider the following option:

  • Do not use prompt=consent (as a general rule, don't).
  • Request only the delegated permissions your app actually needs. If the app doesn't need access to an API, just use scope=openid (or scope=openid profile, etc.).
  • Configure the application to require assignment (under the Azure portal > Azure AD > Enterprise apps > (app) > Properties > Assignment required?).
  • Grant admin consent for the app (on behalf of all users).

With the configuration above, you separate the authorization granted to the app (admin consent) from the authorization for users to access the app (assignment required). Only users who have been assigned the app will be able to sign in to the app. You can choose who can assign the app to users by making them owner of the app under Enterprise apps (i.e. owner of the app's service principal), or by assigning the app to a group and letting whoever owns the group decide.

The main downside of this approach is that there is currently no built-in "click here to request access" experience when a user tries to sign in to the app and they're not assigned.

As part of this strategy, you may also be interested in using the self-service app access feature.
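The client side of the strategy described in the answer above, as an added example that is not part of the original question or answer: the msal-react login request carries no prompt=consent and only the scopes the SPA needs, and the app distinguishes the "assignment required" sign-in failure from a missing-consent failure so it can show the user a sensible message (the "no built-in request access experience" gap noted above). The API scope string reuses the api://id/Test.Read scope from the question with a placeholder app id; the AADSTS50105 (user not assigned) and AADSTS65001 (consent missing) codes are assumed to be the ones Azure AD returns for those two cases, which is what the classifier keys on. The msal-react call itself is shown in a comment, so the block runs without the library installed.

```javascript
// Added example (not from the original post). Assumes @azure/msal-react as in
// the question and that AADSTS50105 / AADSTS65001 are the error codes for
// "user not assigned" and "consent not granted" respectively.

// Placeholder app id: replace with the application (client) id of the WebAPI
// app registration that exposes the Test.Read scope.
const API_SCOPE = "api://<app-id>/Test.Read";

// Build the request object handed to instance.loginPopup()/loginRedirect().
// No "prompt" property is ever set: consent is granted once by an admin on
// behalf of all users, so the user is never pushed into a consent loop.
function buildLoginRequest(needsApi) {
  const scopes = ["openid", "profile"];
  if (needsApi) scopes.push(API_SCOPE);
  return { scopes };
}

// Flatten whatever msal rejects with (AuthError objects carry errorCode and
// errorMessage; plain Errors carry message) into one searchable string.
function errorText(err) {
  if (!err) return "";
  const parts = [err.errorCode, err.errorMessage, err.message].filter(Boolean);
  return parts.length ? parts.join(" ") : String(err);
}

// Classify a failed interactive login into the cases the app should react to.
//   "not_assigned"    -> "Assignment required?" is on and this user is not assigned
//   "consent_missing" -> admin consent was never granted for the requested scopes
//   "other"           -> cancelled popup, network error, ...
function classifyLoginError(err) {
  const text = errorText(err);
  if (/AADSTS50105/.test(text)) return "not_assigned";
  if (/AADSTS65001/.test(text)) return "consent_missing";
  return "other";
}

// User-facing text per case. For "not_assigned" the app supplies the
// "request access" experience the platform lacks: tell the user whom to ask.
function messageFor(kind) {
  switch (kind) {
    case "not_assigned":
      return "You are not assigned to this application. Ask an application owner to assign you, then sign in again.";
    case "consent_missing":
      return "This application has not been approved by an administrator yet.";
    default:
      return "Sign-in did not complete. Please try again.";
  }
}

// Usage with msal-react (not executed here):
//   const { instance } = useMsal();
//   instance.loginPopup(buildLoginRequest(true))
//     .catch((err) => setBanner(messageFor(classifyLoginError(err))));

module.exports = { buildLoginRequest, classifyLoginError, messageFor, API_SCOPE };
```

With loginRedirect the failure surfaces from handleRedirectPromise() rather than from the login call, so the same classifier is applied to that promise's rejection instead.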
