在Azure Active Directory B2C中按组授权 [英] Authorize By Group in Azure Active Directory B2C
问题描述
我试图弄清楚如何使用Azure Active Directory B2C中的组进行授权.我可以通过用户授权,例如:
[Authorize(Users="Bill")]
但是,这不是很有效,我看到的用例很少.另一种解决方案是通过角色授权.但是由于某种原因,这似乎不起作用.例如,如果我给用户提供角色"Global Admin",然后尝试执行此操作,则不起作用
[Authorize(Roles="Global Admin")]
是否可以通过组或角色进行授权?
这是可行的,但是您必须在身份验证逻辑中编写几行代码才能实现所需的功能.
首先,您必须在Azure AD(B2C)中区分Roles和Groups.
User Role非常具体,仅在Azure AD(B2C)本身内有效.角色定义用户在 Azure AD内部中拥有的权限.
Group(或Security Group)定义用户组成员身份,可以向外部应用程序公开.外部应用程序可以在安全组之上对基于角色的访问控制进行建模.是的,我知道这听起来可能有些混乱,但这就是事实.
因此,第一步是在Azure AD B2C中为Groups建模-您必须创建组并将用户手动分配给这些组.您可以在Azure门户( https://portal.azure.com/)中做到这一点:
然后,回到您的应用程序,您将不得不编写一些代码并询问此示例,以启发您如何获取用户组成员身份.最好在其中一个OpenID通知中执行此代码(即
最后,您可以对该功能进行投票 However, this is not very effective and I see very few use-cases for this. An alternate solution would be Authorizing via Role. However for some reason that does not seem to work. It does not work if I give a user the Role "Global Admin" for example, and try: Is there a way to authorize via Groups or Roles? This will work, however you have to write a couple of lines of code in your authentication logic in order to achieve what you're looking for. First of all, you have to distinguish between So, your first step is to model your Then, back to your application, you will have to code a bit and ask the Azure AD B2C Graph API for users memberships once the user is successfully authenticated. You can use this sample to get inspired on how to get users group memberships. It is best to execute this code in one of the OpenID Notifications (i.e. SecurityTokenValidated) and add users role to the ClaimsPrincipal. Once you change the ClaimsPrincipal to have Azure AD Security Groups and "Role Claim" values, you will be able to use the Authrize attribute with Roles feature. This is really 5-6 lines of code. Finally, you can give your vote for the feature here in order to get group membership claim without having to query Graph API for that. 这篇关于在Azure Active Directory B2C中按组授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋![Authorize(Roles="Global Admin")]
Roles and Groups in Azure AD (B2C). User Role is very specific and only valid within Azure AD (B2C) itself. The Role defines what permissions a user does have inside Azure AD .Group (or Security Group) defines user group membership, which can be exposed to the external applications. The external applications can model Role based access control on top of Security Groups. Yes, I know it may sound a bit confusing, but that's what it is.Groups in Azure AD B2C - you have to create the groups and manually assign users to those groups. You can do that in the Azure Portal (https://portal.azure.com/):
