Implement Active Directory Group in Asp.Net CORE 3.x


Problem description

Asp.net CORE 3.x: Authentication is working fine with Azure Active Directory. Now I would like to implement authorization for a specific AD group on all routes. How do I implement this authorization, step by step, with ASP.NET Core?

using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

namespace WebApp
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            // Azure AD (OpenID Connect) is both the authenticate and the challenge scheme.
            services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = AzureADDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = AzureADDefaults.AuthenticationScheme;
            }).AddAzureAD(options => Configuration.Bind("AzureAD", options));

            // Fallback policy: any endpoint without its own [Authorize]/[AllowAnonymous]
            // still requires a signed-in user.
            services.AddAuthorization(options =>
            {
                options.FallbackPolicy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
            });

            services.AddControllers();
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            // Recommended order: redirect to HTTPS before routing, then
            // routing -> authentication -> authorization -> endpoints.
            app.UseHttpsRedirection();
            app.UseCookiePolicy();
            app.UseRouting();
            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapDefaultControllerRoute().RequireAuthorization();
                //endpoints.MapControllers();
            });
        }
    }
}

Thanks for your help! :)

Recommended answer

You can use the groups claim in Azure AD. Configure your application in the Azure portal to receive group claims by editing the manifest:

{
  ...
  "errorUrl": null,
  "groupMembershipClaims": "SecurityGroup",
  ...
}

The ID token issued by Azure AD will then include the list of the current user's group IDs in the groups claim, and in the ASP.NET Core application you can restrict access with:

services.AddControllersWithViews(options =>
    {
        // Global filter: every controller action requires a signed-in user
        // whose token carries a "groups" claim with the given group object ID.
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser().RequireClaim("groups", "YourGroupID")
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    });

Note, from the Microsoft identity platform documentation:

If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then the Microsoft identity platform does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Graph API to retrieve the user's group membership.
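The following is an added example, not code from the question or the answer above. It turns the answer's RequireClaim("groups", ...) check into a named policy backed by an authorization requirement, so that the group is matched by object ID rather than display name and the overage case in the note above fails closed instead of being read as "user has no groups". The names InAadGroupRequirement, InAadGroupHandler, IGroupMembershipResolver, the "RequireFinanceGroup" policy and the all-zero group ID are assumptions for the example; the Microsoft Graph call behind IGroupMembershipResolver is not shown.

```csharp
// Added example (not from the original question or answer). Names such as
// InAadGroupRequirement, IGroupMembershipResolver and "RequireFinanceGroup"
// are assumptions; the group ID below is a placeholder.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public class InAadGroupRequirement : IAuthorizationRequirement
{
    // Compare on the group's object ID (a GUID), never its display name:
    // names are not unique and are not what Azure AD puts in the token.
    public Guid GroupObjectId { get; }
    public InAadGroupRequirement(Guid groupObjectId) => GroupObjectId = groupObjectId;
}

// Hypothetical abstraction over a Microsoft Graph lookup of the user's groups.
// It is only consulted in the overage case; no implementation is shown here.
public interface IGroupMembershipResolver
{
    Task<IReadOnlyCollection<Guid>> GetGroupIdsAsync(ClaimsPrincipal user);
}

public class InAadGroupHandler : AuthorizationHandler<InAadGroupRequirement>
{
    private readonly IGroupMembershipResolver _resolver;
    private readonly ILogger<InAadGroupHandler> _logger;

    public InAadGroupHandler(IGroupMembershipResolver resolver, ILogger<InAadGroupHandler> logger)
    {
        _resolver = resolver;
        _logger = logger;
    }

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, InAadGroupRequirement requirement)
    {
        var user = context.User;

        // Normal case: one "groups" claim per group object ID in the token.
        var groupsInToken = user.FindAll("groups")
            .Select(c => Guid.TryParse(c.Value, out var id) ? id : (Guid?)null)
            .Where(id => id.HasValue)
            .Select(id => id.Value)
            .ToList();

        if (groupsInToken.Count > 0)
        {
            if (groupsInToken.Contains(requirement.GroupObjectId))
                context.Succeed(requirement);
            return; // not calling Succeed leaves the requirement unmet -> 403
        }

        // Overage case: Azure AD omitted "groups" and instead emitted either
        // "hasgroups": true or "_claim_names": {"groups": "src1"} (the claim
        // arrives as a JSON string, hence the substring check). A missing
        // groups claim must not be treated as "member of nothing" silently;
        // resolve membership out of band, or deny.
        bool overage = user.HasClaim(c => c.Type == "hasgroups")
                    || (user.FindFirst("_claim_names")?.Value.Contains("\"groups\"") ?? false);
        if (!overage)
        {
            _logger.LogDebug("No groups claim and no overage marker; denying.");
            return;
        }

        var resolved = await _resolver.GetGroupIdsAsync(user);
        if (resolved.Contains(requirement.GroupObjectId))
            context.Succeed(requirement);
        else
            _logger.LogInformation("User is not in the required group after Graph lookup; denying.");
    }
}

public static class GroupAuthorizationSetup
{
    // Call from Startup.ConfigureServices. Replace the placeholder GUID with the
    // object ID of the security group from the Azure portal.
    public static void AddGroupPolicies(this IServiceCollection services)
    {
        var financeGroupId = Guid.Parse("00000000-0000-0000-0000-000000000000"); // placeholder
        services.AddScoped<IAuthorizationHandler, InAadGroupHandler>();
        services.AddAuthorization(options =>
        {
            options.AddPolicy("RequireFinanceGroup", p => p
                .RequireAuthenticatedUser()
                .AddRequirements(new InAadGroupRequirement(financeGroupId)));
            // Make it the fallback so every route is covered unless an endpoint
            // explicitly opts out with [AllowAnonymous].
            options.FallbackPolicy = options.GetPolicy("RequireFinanceGroup");
        });
    }
}
```

With this in place the question's Startup only needs services.AddGroupPolicies() in ConfigureServices and a registered IGroupMembershipResolver; the existing endpoints.MapDefaultControllerRoute().RequireAuthorization() then enforces the fallback policy on every route. The handler deliberately does not succeed when neither a groups claim nor an overage marker is present, so a token from a tenant that has not set groupMembershipClaims in the manifest is rejected rather than waved through.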
