Azure AD B2C 声明能否用于 .NET Core Web 应用程序中的授权目的?
[英]Can Azure AD B2C Claims be used for authorization purposes in a .NET Core Web App?
问题描述
When setting up Azure AD B2C authentication using the Microsoft Identity Platform there is an option to store and return custom claims for a user.
使用 Microsoft 身份平台设置 Azure AD B2C 身份验证时,可以选择为用户存储和返回自定义声明。 The question is specifically about when developing a .NET Core Web Application that uses an App Registration to log users in.该问题专门针对开发使用应用注册来登录用户的 .NET Core Web 应用程序。
EDIT: In this scenario, the web app does not call a downstream API - There is a single web app (MVC), the user authenticates against AAD B2C, they use the web app and the controllers on the back-end use an Authorize attribute编辑:在这种情况下,Web 应用程序不调用下游 API - 有一个 Web 应用程序 (MVC),用户针对 AAD B2C 进行身份验证,他们使用 Web 应用程序,后端的控制器使用 Authorize 属性
You can define a custom attribute "TeamId" and return that as a claim to the application that a user logs into - It will be in a claim called "extension_TeamId" in this case and available on the ClaimsPrincipal.您可以定义自定义属性“TeamId”并将其作为声明返回给用户登录的应用程序 - 在这种情况下,它将位于名为“extension_TeamId”的声明中,并且在 ClaimsPrincipal 上可用。
Is it safe to use the value in that claim to determine which tenant a user belongs to, or is it possible for that value to be spoofed by the user, making them appear to be within another tenant - I would class this as authorization information which Microsoft states you should never retrieve from an ID token, only an Access Token:使用该声明中的值来确定用户属于哪个租户是否安全,或者该值是否可能被用户欺骗,使他们看起来在另一个租户中 - 我会将其归类为授权信息Microsoft 声明您永远不应该从 ID 令牌中检索,而只能从访问令牌中检索:
ID tokens are issued by the authorization server and contain claims that carry information about the user.
https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens
The alternative is to store the data in a table that links a user to a team, where the users B2C ID (Guid) is used to lookup their assigned team from the DB first, rather than taking it straight from their claims and looking up info about that team.另一种方法是将数据存储在将用户链接到团队的表中,其中用户 B2C ID (Guid) 用于首先从数据库中查找其分配的团队,而不是直接从他们的声明中获取并查找信息关于那支球队。
I may be getting confused between ID Tokens and Access Tokens and want to understand what the Microsoft Identity platform is returning in this case.我可能对 ID 令牌和访问令牌感到困惑,并想了解 Microsoft 身份平台在这种情况下返回的内容。 Is the token sent from the .NET Core Web Applications front-end to the backend an ID Token or Access Token?从 .NET Core Web 应用程序前端发送到后端的令牌是 ID 令牌还是访问令牌?
1 个解决方案
解决方案1
1 2022-06-30 14:04:53
The ID Token returned informs the receiving client application details about how the user authenticated and who he is.返回的 ID 令牌通知接收客户端应用程序有关用户如何进行身份验证以及他是谁的详细信息。 From the ID-token, the local "session/identity" is then created.然后根据 ID 令牌创建本地“会话/身份”。 The ID token is not meant to be passed around to other services and typically it has a very short lifetime. ID 令牌不打算传递给其他服务,通常它的生命周期很短。
The received access token is used by the receiving client to get access to APIs and resources.接收客户端使用接收到的访问令牌来访问 API 和资源。 The client application should not need to look inside the access token.客户端应用程序不需要查看访问令牌内部。
The claims in the ID-token (optionally with the claims from the UserInfo endpoint) ends up in the local user session and can be used to authorize various features in the client application. ID-token 中的声明(可选地与来自 UserInfo 端点的声明)在本地用户会话中结束,并可用于授权客户端应用程序中的各种功能。
So, yes claims from the provider can be used to authorize the users, but you need to understand the different use cases for the ID and access token.因此,是的,来自提供者的声明可用于授权用户,但您需要了解 ID 和访问令牌的不同用例。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.