Retrieving Azure AD Group information with JWT


Question

I have APIs that require Azure AD bearer authentication.

public void ConfigureAuth(IAppBuilder app)
{
   app.UseWindowsAzureActiveDirectoryBearerAuthentication(
      new WindowsAzureActiveDirectoryBearerAuthenticationOptions
      {
         // ...
      });
}

Is it then possible to query Azure AD - perhaps using the Graph API - to determine the group information of the calling user? The end goal here is to apply role-based security to the API methods/controllers, as below (or similar).

[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]

Additionally, how and where is the identity information applied to the executing thread?

Answer

As of recently, you can use Role Claims and/or Group Claims to do so. If you have a web API protected with bearer authentication (like in the sample here), you can configure the API so that access tokens contain Group and/or Role claims.

The OWIN middleware will read the claims in the JWT bearer token and populate the ClaimsIdentity with appropriate claims, in the System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler (source).

To configure your API to receive Group Claims, you need to edit the "groupMembershipClaims" property of the application manifest with a value of "All" or "SecurityGroups" (distribution lists included or excluded, respectively) as shown in this sample, which uses Group Claims to apply role-based security to a web app using the [Authorize] tag.

To configure your API to receive Role Claims, you also need to edit the manifest, defining Application Roles in the "appRoles" property as shown in this sample (link not yet active - it will be in the next few days), which uses Role Claims to do the same. Once you have defined Application Roles, you can assign users and groups to those roles in the Azure Portal or via the GraphAPI. Note because the claims emitted by AAD are of type "roles", you will need to set the RoleClaimType as:

new WindowsAzureActiveDirectoryBearerAuthenticationOptions  
{  
   ...
   TokenValidationParameters = new TokenValidationParameters {  
       RoleClaimType = "roles",  
   },  
   ...  
}
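The three steps in the answer (emit group claims via `groupMembershipClaims`, define `appRoles`, and point `RoleClaimType` at the `roles` claim) put together in one Web API project, as an added example that is not code from the question or the answer. It assumes the `Microsoft.Owin.Security.ActiveDirectory` and `System.IdentityModel.Tokens.Jwt` packages of that era (newer versions move `TokenValidationParameters` to `Microsoft.IdentityModel.Tokens`), and the tenant name, App ID URI, role GUID and controller are placeholders. The manifest fragment is shown in a comment because it lives in the Azure portal, not in the code base:

```csharp
// Added example, not from the original question or answer.
//
// Manifest fragment (edited in the Azure portal, placeholder GUID):
// {
//   "groupMembershipClaims": "SecurityGroups",   // or "All" to include distribution lists
//   "appRoles": [
//     {
//       "allowedMemberTypes": [ "User" ],
//       "description": "Can call administrative endpoints",
//       "displayName": "Admin",
//       "id": "00000000-0000-0000-0000-000000000001",   // placeholder, must be a unique GUID
//       "isEnabled": true,
//       "value": "Admin"                                 // this string is what appears in the "roles" claim
//     }
//   ]
// }
using System.Linq;
using System.Security.Claims;
using System.IdentityModel.Tokens;   // TokenValidationParameters (older package layout)
using System.Web.Http;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                // Tenant whose signing keys the middleware fetches from the OpenID
                // Connect metadata endpoint; issuer and signature are validated against them.
                Tenant = "contoso.onmicrosoft.com",
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Reject tokens minted for any other resource (App ID URI of this API).
                    ValidAudience = "https://contoso.onmicrosoft.com/MyApi",
                    // AAD puts app roles in a claim literally named "roles", not the
                    // default ClaimTypes.Role, so tell the identity which claim
                    // [Authorize(Roles = ...)], IsInRole() and PrincipalPermission consult.
                    RoleClaimType = "roles",
                    // Use the immutable object id as the principal name instead of a
                    // mutable UPN, so authorization data keyed on the name stays stable.
                    NameClaimType = "http://schemas.microsoft.com/identity/claims/objectidentifier",
                },
            });
    }
}

public class AdminController : ApiController
{
    // Satisfied only when the "roles" claim of the validated token contains "Admin".
    // Web API also places this principal on Thread.CurrentPrincipal for the request,
    // so a PrincipalPermission demand sees the same identity.
    [Authorize(Roles = "Admin")]
    public IHttpActionResult Get()
    {
        var principal = (ClaimsPrincipal)User;

        // Security-group object ids arrive in the "groups" claim once
        // groupMembershipClaims is set; they are GUIDs, not display names,
        // so compare against the group object id, never a human-readable name.
        var groups = principal.FindAll("groups").Select(c => c.Value).ToList();

        // Caveat: when a user belongs to more groups than a JWT is allowed to carry,
        // AAD omits "groups" and emits "_claim_names"/"_claim_sources" pointing at
        // the Graph API instead. Treat that as "membership unknown", not "no groups".
        bool groupOverage = principal.HasClaim(c => c.Type == "_claim_names" && c.Value.Contains("groups"));

        return Ok(new
        {
            user = principal.Identity.Name,
            isAdmin = principal.IsInRole("Admin"),
            groups,
            groupOverage
        });
    }
}
```

The `ValidAudience` line is the check most often forgotten: without it any token issued by the tenant to any other application validates, and the role claim it carries belongs to that other application's `appRoles`, not yours.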
