通过@ azure/msal-angular库在angular 8中获取azure广告用户组 [英] Get azure ad user group by @azure/msal-angular library in angular 8

问题描述

我正在使用 @ azure/msal-angular .使用loginRedirect()重定向到Microsoft登录页面，我得到带有access_token和组ID的响应.但是我需要组详细信息以在我的应用程序中实现访问控制.是否需要任何额外的配置设置来获取组的详细信息.

I am using @azure/msal-angular. Using loginRedirect() to redirect to microsoft login page and i am getting the response with access_token and group IDs. But i need group details to implement access control in my application. Is there any extra config setting required to get the group details.

我的配置:

MsalModule.forRoot({
  clientID: <clientId>,
  authority: `https://login.microsoftonline.com/<tenantId>`,
  redirectUri: "http://localhost:4200/",
  cacheLocation: "localStorage",
  popUp: !isIE,
  consentScopes: ["user.read", "api://<clientID>/GFS_EClaims_UI"],
  storeAuthStateInCookie: false,
  postLogoutRedirectUri: "http://localhost:4200/",
  protectedResourceMap: protectedResourceMap
})

或要获取组详细信息，是否需要在loginRedirect()之后调用Microsoft图形api?

or To get the group details, do i need to make a call to the Microsoft graph api after loginRedirect()?

提前谢谢！

推荐答案

您无法从令牌中获取组详细信息.您只能在声明中获得如下所示的组ID:

You cannot get group details from the token. You can only get the group Ids like below in the claims:

{
  "groups": ["1ce9c55a-9826-4e32-871c-a8488144bb32"]
}

有关访问令牌中受支持的声明，请参考

For supported claimes in access token, refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#claims-in-access-tokens

但是要控制对应用程序的访问，我认为您不需要组详细信息.您可以仅使用组ID来确定用户是否具有对该资源的权限.

But to control access of your application, I don't think your need group details. You can just use group ids to decide if the user has permission to the resource.

更好的方法是组合组和角色.您可以定义一些应用程序角色，并将角色分配给组.然后，该组中的用户将具有以下声明:

A better way is to combine Groups and Roles. You can define some applciation roles and assign the roles to the groups. Then the users in the group will have the claim like below:

{
  "roles": ["admin"]
}

然后，您可以根据用户的角色实施授权逻辑.

Then you can implement your authorization logic based on the roles of the user.

请参阅 https://joonasw.net/view/using-groups-vs-using-app-roles-in-azure-ad-apps 和

Refer to https://joonasw.net/view/using-groups-vs-using-app-roles-in-azure-ad-apps and https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps for more details

这篇关于通过@ azure/msal-angular库在angular 8中获取azure广告用户组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！