[英]How to do Azure AD groups authorization in .Net core web API?
[英]How to do Authorization based on Azure AD groups?
您好,我正在嘗試在我的 .net 核心應用程序中實施基於 Azure 組的授權。 我有更多的組,比如 100 到 200。我已經添加了策略來添加授權。
services.AddAuthorization(options =>
{
options.AddPolicy("GroupsCheck", policy =>
{
policy.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
policy.RequireAuthenticatedUser();
policy.Requirements.Add(new GroupsCheckRequirement("11b250bf-76c0-4efe-99f2-2d781bae43bb")); //currently hard coded but want to include all the groups returned from MS graph
});
});
然后
GraphServiceClient client = await MicrosoftGraphClient.GetGraphServiceClient();
var groupList = await client.Users[userId].TransitiveMemberOf.Request().GetAsync();
這將返回 100 多個組。 現在在政策中我想包括所有這些群體。 在配置文件中對所有組進行硬編碼會更好嗎? 此外,我的 JWT 令牌只有 hasgroups:true 而不是組 ID。 那么如何基於組進行授權呢? 有人可以幫我找到好方法嗎? 謝謝
根據我的測試,如果你只想使用groups based authorization,請參考下面的代碼:
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
.AddAzureAD(options => configuration.Bind(configSectionName, options));
services.Configure<AzureADOptions>(options => configuration.Bind(configSectionName, options));
services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
options.Authority = options.Authority + "/v2.0/";
options.TokenValidationParameters.NameClaimType = "preferred_username";
// Use the groups claim for populating roles
options.TokenValidationParameters.RoleClaimType = "groups";
});
services.AddMvc(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
})
.SetCompatibilityVersion(CompatibilityVersion.Latest);
if(User.Identity.IsAuthenticated){
if (User.IsInRole("<group id>"))
{
// do other action
}
else if (User?.FindFirst("_claim_names")?.Value != null)
{
/* call Graph API to check if the user is in the group
for example
GraphServiceClient client = await MicrosoftGraphClient.GetGraphServiceClient();
var memberOfGroups= await client.Me.TransitiveMemberOf.Request().GetAsync();
do
{
bool breakLoops = false;
foreach (var directoryObject in memberOfGroups.CurrentPage)
{
if (directoryObject is Group)
{
Group group = directoryObject as Group;
if (group.Id == "<group id>") {
breakLoops = true;
break;
}
}
}
if (breakLoops)
{
break;
}
if (memberOfGroups.NextPageRequest != null)
{
memberOfGroups = await memberOfGroups.NextPageRequest.GetAsync();
}
else
{
memberOfGroups = null;
}
} while (memberOfGroups != null);
*/
}
else {
// do not have enough permissions
}
}
更多詳情,請參考樣本
我正在處理blazor
服務器應用程序並且一直在努力解決這個問題所以我想我會在這里發布我的解決方案:)在AuthorizationPolicyBuilder
中,調用.RequireClaim()
方法並指定字符串"groups"
和ObjectId
您的安全組。
不過,在此之前,您必須先將 go 輸入您的
Azure 門戶 -> Azure 廣告 -> 應用注冊 -> 令牌配置 -> 添加組聲明。
確保選中安全組中的復選框和{ ID, Access, SAML }
中的組 ID 復選框
我不知道這是否是最佳做法,但它對我有用:)
這是 Startup.cs 中的代碼
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
.AddAzureAD(options => Configuration.Bind("AzureAd", options));
services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.RequireClaim("groups", "<insert object id for group>")
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.