在我的Azure AD中,我有用户和组。我想根据所属的组为用户提供访问权限。
我在ASP.NET MVC应用程序中成功实现了它。 我如何设置团体声明:
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
.AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services.AddSpaStaticFiles(c => { c.RootPath = "ClientApp/dist";});
services.AddAuthorization(options =>
{
options.AddPolicy("Admins",
policyBuilder =>
{
policyBuilder.RequireClaim("groups",
Configuration.GetValue<string>("AzureSecurityGroup:AdminObjectId"));
});
});
services.AddAuthorization(options =>
{
options.AddPolicy("Employees",
policyBuilder =>
{
policyBuilder.RequireClaim("groups",
Configuration.GetValue<string>("AzureSecurityGroup:EmployeeObjectId"));
});
});
services.AddAuthorization(options =>
{
options.AddPolicy("Managers",
policyBuilder => policyBuilder.RequireClaim("groups", Configuration.GetValue<string>("AzureSecurityGroup:ManagerObjectId")));
});
services.Configure<AzureADOptions>(Configuration.GetSection("AzureAd"));
}
如果我想限制非管理员用户对“联系人”页面的访问,请执行以下操作:
public class HomeController : Controller
{
[Authorize(Policy = "Admins")]
public IActionResult Contact()
{
ViewData["Message"] = "Your contact page.";
return View();
}
}
有效 现在的想法是创建一个Web API控制器并限制对某些方法的访问。
//[Authorize]
[Route("api/[controller]")]
[ApiController]
public class ValuesController : ControllerBase
{
// GET api/values
[HttpGet]
public ActionResult<IEnumerable<string>> Get()
{
return new string[] {"value1", "value2"};
}
// GET api/values/5
[Authorize(Policy = "Admins")]
[HttpGet("{id}")]
public ActionResult<string> Get(int id)
{
return "value";
}
}
我用邮递员。我得到一个访问令牌:
POST https://login.microsoftonline.com/ {tenant_id} / oauth2 / token
然后发送
标题为 Authorization (标题为授权),值为 Bearer {token} 但获得未授权访问(401)。 (尽管不受保护的https://localhost/api/values可以正常工作)。我怀疑我传递了错误的令牌,我在https://jwt.io/上对其进行了检查,它不包含有关用户所属组的信息。是否应该以其他方式在代码中进行配置?谢谢
更新1(已解码令牌):
{
"typ": "JWT",
"alg": "RS256",
"x5t": "nbCwW11w3XkB-xUaXwKRSLjMHGQ",
"kid": "nbCwW11w3XkB-xUaXwKRSLjMHGQ"
}.{
"aud": "00000002-0000-0000-c000-000000000000",
"iss": "https://sts.windows.net/xxxxxxxx-1835-453d-a552-28feda08393e/",
"iat": 1544770435,
"nbf": 1544770435,
"exp": 1544774335,
"aio": "42RgYPjkVuw2Z/fJtp+RF/mUp7Z5AQA=",
"appid": "963418bb-8a31-4c47-bc91-56b6e51181dc",
"appidacr": "1",
"idp": "https://sts.windows.net/xxxxxxxx-1835-453d-a552-28feda08393e/",
"oid": "0dfb0f07-b6e1-4318-ba33-066e1fc3c0ac",
"sub": "0dfb0f07-b6e1-4318-ba33-066e1fc3c0ac",
"tenant_region_scope": "EU",
"tid": "xxxxxxxx-1835-453d-a552-28feda08393e",
"uti": "cxlefO0ABkimo2z-7L0IAA",
"ver": "1.0"
}.[Signature]
答案 0 :(得分:1)
当使用grant_type为client_credentials时,这意味着您正在使用客户端凭据流来获取用于访问资源的访问令牌:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow
OAuth 2.0客户端凭据授予流程允许Web服务(机密客户端)使用自己的凭据而不是模拟用户,从而在调用另一个Web服务时进行身份验证。在这种情况下,客户端通常是中间层Web服务,守护程序服务或网站。
在这种情况下,客户端使用其自己的凭据而不是模拟用户,在这种情况下不包括用户信息/身份。您应该使用代码授权流程使用用户身份授权对Web应用程序和Web API的访问:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code