通过SPA + Web API中的MSAL检查Azure Active Directory组成员身份 [英] Checking Azure Active Directory group membership via MSAL in a SPA + Web APIs
问题描述
我正在构建一个具有前端(使用Vue.js构建的SPA)的应用程序,该前端与后端(托管在Azure中)的几个基于json的Web API接口. Web API需要通过Azure Active Directory保护,并且用户必须是安全组的成员.此外,如果SPA未以一个帐户登录(即只是自动重定向),则SPA应该只是试图强迫用户登录一个已批准的帐户.
I am building an application which has a front-end (a SPA built with Vue.js) which interfaces to a couple json-based Web APIs in the back end (hosted in Azure). The Web APIs need to be secured via Azure Active Directory and users must be a member of a security group. Furthermore, the SPA should simply try to force the user to sign into an approved account if they are not signed in as one (i.e. just auto-redirect).
我实际上已经完成了所有这些工作. AAD应用程序具有Group.Read.All,用户通过SPA登录并表示同意,并且SPA调用getMemberGroups.此外,Web API可以检查SPA提供的访问令牌,不幸的是,Web API也必须调用getMemberGroups.
I actually have all this working. The AAD application has Group.Read.All, the user signs in via the SPA and gives consent, and the SPA calls getMemberGroups. Furthermore, the Web APIs can check the SPA-provided access token, and the Web APIs unfortunately must also call getMemberGroups.
我认为这是我的关注. Web API一直必须调用getMemberGroups来将其锁定.如果我对服务进行了身份验证,则可能只有在验证了成员资格组之后才可能返回访问令牌.但是后来我失去了SPA中的简单MSAL登录模型-Web API实际上并不提供任何前端,SPA是静态托管的.
And I think that is my concern. The Web APIs keep having to call getMemberGroups to lock it down. If I did the auth on the service, I could potentially only return an access token once membership groups has been verified. But then I lose the easy MSAL sign-in model in the SPA - the Web APIs don't actually provide any front end, the SPA is statically hosted.
据我所知,我无法让Azure Active Directory创建保证其中包含某些组声明的令牌.我认为这可以解决我的问题.
As far as I can tell, I cannot get Azure Active Directory to create a token guaranteed to have certain group claims in it. I think this would solve my problem.
有人可以就围绕SPA + Web API环境设计身份验证模型的最佳方法提供一些建议吗?还是我采取的唯一方法?
Can somebody offer some advice on the best way to design an auth model around a SPA + Web API environment? Or is the method I have taken the only way to do it?
谢谢!
推荐答案
You can include Groups claim in your token as instructed here. You just need to modify the "groupMembershipClaims" field in application manifest:
"groupMembershipClaims": "SecurityGroup"
然后令牌将包含使用所属的组的ID,如下所示:
Then the token will contain the Ids of the groups that the use belongs to like below :
{
"groups": ["1ce9c55a-9826-4e32-871c-a8488144bb32"]
}
您还可以利用角色"和组"来控制对应用程序的访问.您可以定义一些应用程序角色,并将角色分配给组.然后,该组中的用户将具有以下声明:
You can also leverage Role along with Groups to control access of your application. You can define some applciation roles and assign the roles to the groups. Then the users in the group will have the claim like below:
{
"roles": ["admin"]
}
然后,您可以根据用户的角色实施授权逻辑.
Then you can implement your authorization logic based on the roles of the user.
请参阅 https://joonasw.net/view/using-groups-vs-using-app-roles-in-azure-ad-apps 和
Refer to https://joonasw.net/view/using-groups-vs-using-app-roles-in-azure-ad-apps and https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps for more details
这篇关于通过SPA + Web API中的MSAL检查Azure Active Directory组成员身份的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
