
Get Azure AD User Roles In PHP

I have a small application I am writing in PHP where I need to check if a given user has a given role assigned to them. I am using Azure App Service with App Service Authentication enabled to authenticate users against Azure Active Directory. As part of the application I need to get the user's username, display name, and whether they are a member of one or more of three security groups which they could be a part of, to define what access levels they have within the application.

I need to do it this way as I can't have the roles managed within the application; instead they need to be managed through Active Directory security groups. I am seeking a method that is native to Azure App Service (ideally not doing a separate LDAP lookup if possible). I know how to extract the authenticated username from the header data sent to the application (HTTP_X_MS_CLIENT_PRINCIPAL_NAME), however I don't know how I can get the full display name and how to check if a user has specific roles assigned to them. I have already output a copy of the entire PHP $_SERVER superglobal array to see if the data I am seeking is in there, but I can't find it.

For the purposes of this question make the following assumptions...

user1@domain.com is assigned the roles role1, role2, role3
user2@domain.com is assigned the role role3 only

So if either user logs in I need to be able to show their full name based on their AD entry and need to be able to check if they are part of security groups role1, role2 and/or role3.

I would post an example of my code but I have no idea where to start with getting this data so the only code I have thus far is a test block to print all the $_SERVER values onto the page for testing purposes.

Thanks

Generally speaking, you can leverage Microsoft Graph REST APIs to achieve your requirement.

First of all, you can follow https://graph.microsoft.io/en-us/docs/authorization/app_only to implement the functionality to acquire an access token in the app-only way, then you can make an HTTP request of List memberOf to get the groups and directory roles that the user is a direct member of.

The HTTP GET URL should be like https://graph.microsoft.com/v1.0/users/{HTTP_X_MS_CLIENT_PRINCIPAL_NAME you get from header}/memberOf, and set the access token you get above in the Authorization header.

Furthermore, you can refer to the sample at https://github.com/Azure-Samples/active-directory-php-graphapi-directoryextensions-web/blob/master/AuthorizationHelperForGraph.php for how to acquire the access token in app-only mode.
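The flow described in this answer (app-only token, then `memberOf` for the principal named in the header), written out as an added PHP example; it is not code from the question, the answer or the linked sample. It assumes App Service Authentication is enforced in front of the page, that the app registration has been granted and admin-consented the application permissions the Graph docs require for reading users and group memberships, and that the tenant id, client id, client secret and the three group object ids are supplied from app settings (the values shown are placeholders). It also fetches `displayName` from `/users/{upn}`, which the answer does not mention, and matches groups by object id rather than by display name, since display names are not unique in a directory.

```php
<?php
// Added example: resolve the signed-in user's display name and whether they are a
// direct member of the security groups that back role1/role2/role3.
declare(strict_types=1);

const TENANT_ID     = 'YOUR_TENANT_ID';         // placeholder, from app settings
const CLIENT_ID     = 'YOUR_APP_CLIENT_ID';     // placeholder, from app settings
const CLIENT_SECRET = 'YOUR_APP_CLIENT_SECRET'; // placeholder, from app settings

// Application role name => object id of the AD security group that grants it.
// Matching on the object id avoids confusing two groups with the same display name.
const ROLE_GROUPS = [
    'role1' => '00000000-0000-0000-0000-000000000001', // placeholder group id
    'role2' => '00000000-0000-0000-0000-000000000002', // placeholder group id
    'role3' => '00000000-0000-0000-0000-000000000003', // placeholder group id
];

// Minimal JSON-over-HTTP helper built on curl; throws on transport or non-2xx errors.
function httpJson(string $method, string $url, array $headers = [], ?string $body = null): array
{
    $ch = curl_init($url);
    $opts = [
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_TIMEOUT        => 15,
    ];
    if ($body !== null) {
        $opts[CURLOPT_POSTFIELDS] = $body;
    }
    curl_setopt_array($ch, $opts);
    $raw    = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($raw === false || $status < 200 || $status >= 300) {
        throw new RuntimeException("HTTP $method $url failed with status $status");
    }
    return json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
}

// Step 1: app-only token via the OAuth 2.0 client credentials grant against the
// tenant's v2.0 token endpoint, scoped to Microsoft Graph.
function acquireAppOnlyToken(): string
{
    $url  = 'https://login.microsoftonline.com/' . TENANT_ID . '/oauth2/v2.0/token';
    $body = http_build_query([
        'grant_type'    => 'client_credentials',
        'client_id'     => CLIENT_ID,
        'client_secret' => CLIENT_SECRET,
        'scope'         => 'https://graph.microsoft.com/.default',
    ]);
    $resp = httpJson('POST', $url, ['Content-Type: application/x-www-form-urlencoded'], $body);
    return $resp['access_token'];
}

function graphGet(string $token, string $url): array
{
    return httpJson('GET', $url, ['Authorization: Bearer ' . $token, 'Accept: application/json']);
}

// Step 2: read the user's display name, then walk every page of memberOf and keep
// only group objects (memberOf also returns directory roles).
function userRoles(string $token, string $upn): array
{
    $base = 'https://graph.microsoft.com/v1.0/users/' . rawurlencode($upn);
    $user = graphGet($token, $base . '?$select=displayName,userPrincipalName');

    $memberIds = [];
    $page = graphGet($token, $base . '/memberOf');
    while (true) {
        foreach ($page['value'] as $obj) {
            if (($obj['@odata.type'] ?? '') === '#microsoft.graph.group') {
                $memberIds[] = $obj['id'];
            }
        }
        if (empty($page['@odata.nextLink'])) {
            break;
        }
        $page = graphGet($token, $page['@odata.nextLink']);
    }

    $roles = [];
    foreach (ROLE_GROUPS as $role => $groupId) {
        $roles[$role] = in_array($groupId, $memberIds, true);
    }
    return ['displayName' => $user['displayName'], 'roles' => $roles];
}

// The principal header is populated by App Service Authentication; this page must
// only be reachable through it, because on an unauthenticated path the header is
// simply whatever the caller sent.
$upn = $_SERVER['HTTP_X_MS_CLIENT_PRINCIPAL_NAME'] ?? null;
if ($upn === null || $upn === '') {
    http_response_code(401);
    exit;
}
$info = userRoles(acquireAppOnlyToken(), $upn);
printf("Hello %s\n", htmlspecialchars($info['displayName'], ENT_QUOTES, 'UTF-8'));
foreach ($info['roles'] as $role => $has) {
    printf("%s: %s\n", $role, $has ? 'yes' : 'no');
}
```

Two things worth keeping in mind when adapting this: `memberOf` only lists direct memberships, so a user who holds role1 through a nested group will show as `no` unless you resolve nesting yourself; and the app-only token is good for its full lifetime, so in a real application cache it across requests rather than calling the token endpoint on every page load.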
