我有一个asp.net mvc应用程序,我的代码基于这篇文章:http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/
并在此示例代码上: https://github.com/dushyantgill/VipSwapper/tree/master/TrainingPoint
我为全局管理员创建了一个控制器
public class GlobalAdminController : Controller
{
// GET: GlobalAdmin
[AuthorizeUser(Roles = "admin")]
public ActionResult Index()
{
return View();
}
}
这是startup.cs
public void ConfigureAuth(IAppBuilder app)
{
// configure the authentication type & settings
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
// configure the OWIN OpenId Connect options
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = SettingsHelper.ClientId,
Authority = SettingsHelper.AzureADAuthority,
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
// we inject our own multitenant validation logic
ValidateIssuer = false,
// map the claimsPrincipal's roles to the roles claim
RoleClaimType = "roles",
},
Notifications = new OpenIdConnectAuthenticationNotifications()
{
RedirectToIdentityProvider = (context) =>
{
// This ensures that the address used for sign in and sign out is picked up dynamically from the request
// this allows you to deploy your app (to Azure Web Sites, for example) without having to change settings
// Remember that the base URL of the address used here must be provisioned in Azure AD beforehand.
//string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase;
context.ProtocolMessage.RedirectUri = HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path);
context.ProtocolMessage.PostLogoutRedirectUri = new UrlHelper(HttpContext.Current.Request.RequestContext).Action("Index", "Home", null, HttpContext.Current.Request.Url.Scheme);
context.ProtocolMessage.Resource = SettingsHelper.GraphResourceId;
return Task.FromResult(0);
},
// when an auth code is received...
AuthorizationCodeReceived = (context) => {
// get the OpenID Connect code passed from Azure AD on successful auth
string code = context.Code;
// create the app credentials & get reference to the user
ClientCredential creds = new ClientCredential(SettingsHelper.ClientId, SettingsHelper.ClientSecret);
string userObjectId = context.AuthenticationTicket.Identity.FindFirst(System.IdentityModel.Claims.ClaimTypes.NameIdentifier).Value;
// use the ADAL to obtain access token & refresh token...
// save those in a persistent store...
EfAdalTokenCache sampleCache = new EfAdalTokenCache(userObjectId);
AuthenticationContext authContext = new AuthenticationContext(SettingsHelper.AzureADAuthority, sampleCache);
// obtain access token for the AzureAD graph
Uri redirectUri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
AuthenticationResult authResult = authContext.AcquireTokenByAuthorizationCode(code, redirectUri, creds, SettingsHelper.AzureAdGraphResourceId);
if (GraphUtil.IsUserAADAdmin(context.AuthenticationTicket.Identity))
context.AuthenticationTicket.Identity.AddClaim(new Claim("roles", "admin"));
// successful auth
return Task.FromResult(0);
},
AuthenticationFailed = (context) => {
context.HandleResponse();
return Task.FromResult(0);
}
}
});
}
}
如果我使用组织中的全局管理员中的用户登录,则此工作完全正常: http://screencast.com/t/jLVNWGN7MgZR
但是我创建了另一个组并将用户添加到该组: 该组称为公司管理员,用户公司称为@
组 http://screencast.com/t/Y6vueAxjRPo
小组成员 http://screencast.com/t/BBRUoOxaD
我创建了另一个控制器:
public class CompanyAdminController : Controller
{
[AuthorizeUser(Roles = "company admin")]
public ActionResult Index()
{
return View();
}
}
我的家庭索引控制器操作也有这个
public ActionResult Index()
{
if (User.IsInRole("admin"))
{
return RedirectToAction("Index", "GlobalAdmin");
}
if (User.IsInRole("company admin"))
{
return RedirectToAction("Index", "CompanyAdmin");
}
return View();
}
但是,对于公司管理员,User.IsInRole不会返回true。 http://screencast.com/t/msVfvUt1g
更新1
看起来该组确实正在返回索赔,它看起来像授权不正确的方式或我错过了一些代码。
答案 0 :(得分:2)
组是主体(用户,服务,组)的集合。而Azure AD中的应用程序角色代表应用程序的权限集合。用户的群组成员资格不会出现在角色声明中。应用程序将其角色声明为Azure AD(例如,管理员,读者,编写者)。当组织购买/部署应用程序时,该组织的管理员可以将组织中的用户/组/服务分配给应用程序的角色(例如john@contoso.com - > admin of app,project1team group - > writer应用程序,所有用户组 - >应用程序的读者)。然后,当用户登录应用程序时,Azure AD会发出角色声明并指定分配给用户的所有应用程序角色(直接分配或通过组)。更多详情:http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
因此,对于您的示例,您似乎需要创建一个名为company admin的应用角色,并允许您应用的客户将用户/群组分配给该角色。
希望有所帮助。
我很好奇,您是否正在创建一个有助于管理Azure AD身份的应用程序?
答案 1 :(得分:0)
由于bluefeet主持人和martij Pieters主持人删除了我的答案,所以答案中最重要的部分是在owin管道上
var groups = GraphUtil.GetMemberGroups(context.AuthenticationTicket.Identity).Result;
//For each group, we have its, ID, we need to get the display name, and then we have to add the claim
foreach(string groupid in groups)
{
var displayname=GraphUtil.LookupDisplayNameOfAADObject(groupid, context.AuthenticationTicket.Identity);
context.AuthenticationTicket.Identity.AddClaim(new Claim("roles", displayname));
}
但是,Stackoverflow不允许超过30,000个字符,答案大约是45,000个字符,所以对于读者来说,您可以到这里获得完整的解释: http://www.luisevalencia.com/2015/06/02/using-azure-aad-graph-office-365-add-in-with-groups-authorization/