[英]How to do Authorization based on Azure AD groups?
您好,我正在嘗試在我的 .net 核心應用程序中實施基於 Azure 組的授權。 我有更多的組,比如 100 到 200。我已經添加了策略來添加授權。
services.AddAuthorization(options =>
{
options.AddPolicy("GroupsCheck", policy =>
{
policy.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
policy.RequireAuthenticatedUser();
policy.Requirements.Add(new GroupsCheckRequirement("11b250bf-76c0-4efe-99f2-2d781bae43bb")); //currently hard coded but want to include all the groups returned from MS graph
});
});
然后
GraphServiceClient client = await MicrosoftGraphClient.GetGraphServiceClient();
var groupList = await client.Users[userId].TransitiveMemberOf.Request().GetAsync();
這將返回 100 多個組。 現在在政策中我想包括所有這些群體。 在配置文件中對所有組進行硬編碼會更好嗎? 此外,我的 JWT 令牌只有 hasgroups:true 而不是組 ID。 那么如何基於組進行授權呢? 有人可以幫我找到好方法嗎? 謝謝
根據我的測試,如果你只想使用groups based authorization,請參考下面的代碼:
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
.AddAzureAD(options => configuration.Bind(configSectionName, options));
services.Configure<AzureADOptions>(options => configuration.Bind(configSectionName, options));
services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
options.Authority = options.Authority + "/v2.0/";
options.TokenValidationParameters.NameClaimType = "preferred_username";
// Use the groups claim for populating roles
options.TokenValidationParameters.RoleClaimType = "groups";
});
services.AddMvc(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
})
.SetCompatibilityVersion(CompatibilityVersion.Latest);
if(User.Identity.IsAuthenticated){
if (User.IsInRole("<group id>"))
{
// do other action
}
else if (User?.FindFirst("_claim_names")?.Value != null)
{
/* call Graph API to check if the user is in the group
for example
GraphServiceClient client = await MicrosoftGraphClient.GetGraphServiceClient();
var memberOfGroups= await client.Me.TransitiveMemberOf.Request().GetAsync();
do
{
bool breakLoops = false;
foreach (var directoryObject in memberOfGroups.CurrentPage)
{
if (directoryObject is Group)
{
Group group = directoryObject as Group;
if (group.Id == "<group id>") {
breakLoops = true;
break;
}
}
}
if (breakLoops)
{
break;
}
if (memberOfGroups.NextPageRequest != null)
{
memberOfGroups = await memberOfGroups.NextPageRequest.GetAsync();
}
else
{
memberOfGroups = null;
}
} while (memberOfGroups != null);
*/
}
else {
// do not have enough permissions
}
}
更多詳情,請參考樣本
我正在處理blazor服務器應用程序並且一直在努力解決這個問題所以我想我會在這里發布我的解決方案:)在AuthorizationPolicyBuilder中,調用.RequireClaim()方法並指定字符串"groups"和ObjectId您的安全組。
不過,在此之前,您必須先將 go 輸入您的
Azure 門戶 -> Azure 廣告 -> 應用注冊 -> 令牌配置 -> 添加組聲明。
確保選中安全組中的復選框和{ ID, Access, SAML }中的組 ID 復選框
我不知道這是否是最佳做法,但它對我有用:)
這是 Startup.cs 中的代碼
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
.AddAzureAD(options => Configuration.Bind("AzureAd", options));
services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.RequireClaim("groups", "<insert object id for group>")
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
}
如何在 .Net 核心 Web API 中進行 Azure AD 組授權?
[英]How to do Azure AD groups authorization in .Net core web API?
如何使用 C# WEBAPI(基於令牌).netcore 進行身份驗證和授權 Azure AD 應用程序
[英]How to do Authentication & Authorization Azure AD App, using C# WEBAPI (token based) .netcore
.Net Core Azure AD Cloud 如何登錄用戶並訪問他們的 Azure AD 安全組以確定他們是否在一個組中
[英].Net Core Azure AD Cloud how to get logged in user and access their Azure AD Security Groups to determine if they are in a group
如何在 AspNet Core 3 中將 Azure AD 身份驗證與基於 SQL 的角色管理結合使用?
[英]How do I use Azure AD authentication with SQL based role management in AspNet Core 3?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.