在 Azure Active Directory B2C 中按组授权 [英] Authorize By Group in Azure Active Directory B2C

问题描述

我想弄清楚如何在 Azure Active Directory B2C 中授权使用组.我可以通过用户授权，例如:

[Authorize(Users="Bill")]

然而，这不是很有效，我看到的用例很少.另一种解决方案是通过角色授权.但是由于某种原因，这似乎不起作用.例如，如果我给用户角色全局管理员"并尝试:

[授权(角色=全局管理员")]

是否可以通过组或角色进行授权?

解决方案

这会奏效，但是您必须在身份验证逻辑中编写几行代码才能实现您的要求.

首先，您必须区分 Azure AD (B2C) 中的 Roles 和 Groups.

User Role 非常具体，仅在 Azure AD (B2C) 本身内有效.角色定义用户在Azure AD 中 拥有哪些权限.

Group(或Security Group)定义了用户组成员，可以暴露给外部应用程序.外部应用程序可以在安全组之上建模基于角色的访问控制.是的，我知道这听起来有点令人困惑，但就是这样.

因此，第一步是在 Azure AD B2C 中为 Groups 建模 - 您必须创建组并手动将用户分配到这些组.您可以在 Azure 门户 (

然后，回到您的应用程序，您将不得不编写一些代码并询问 Azure AD B2C Graph API 用于用户身份验证成功后.您可以使用 获得有关如何获得用户组成员资格的灵感.最好在 OpenID 通知之一中执行此代码(即 SecurityTokenValidated) 并将用户角色添加到 ClaimsPrincipal.

一旦您将 ClaimsPrincipal 更改为具有 Azure AD 安全组和角色声明"值，您就可以将 Authrize 属性与角色功能一起使用.这真的是 5-6 行代码.

最后，您可以为该功能投票此处 以便获得群组成员资格声明，而无需为此查询 Graph API.

I am trying to figure out how to authorize using groups in Azure Active Directory B2C. I can Authorize via User, for example:

[Authorize(Users="Bill")]

However, this is not very effective and I see very few use-cases for this. An alternate solution would be Authorizing via Role. However for some reason that does not seem to work. It does not work if I give a user the Role "Global Admin" for example, and try:

[Authorize(Roles="Global Admin")]

Is there a way to authorize via Groups or Roles?

解决方案

This will work, however you have to write a couple of lines of code in your authentication logic in order to achieve what you're looking for.

First of all, you have to distinguish between Roles and Groups in Azure AD (B2C).

User Role is very specific and only valid within Azure AD (B2C) itself. The Role defines what permissions a user does have inside Azure AD .

Group (or Security Group) defines user group membership, which can be exposed to the external applications. The external applications can model Role based access control on top of Security Groups. Yes, I know it may sound a bit confusing, but that's what it is.

So, your first step is to model your Groups in Azure AD B2C - you have to create the groups and manually assign users to those groups. You can do that in the Azure Portal (https://portal.azure.com/):

Then, back to your application, you will have to code a bit and ask the Azure AD B2C Graph API for users memberships once the user is successfully authenticated. You can use this sample to get inspired on how to get users group memberships. It is best to execute this code in one of the OpenID Notifications (i.e. SecurityTokenValidated) and add users role to the ClaimsPrincipal.

Once you change the ClaimsPrincipal to have Azure AD Security Groups and "Role Claim" values, you will be able to use the Authrize attribute with Roles feature. This is really 5-6 lines of code.

Finally, you can give your vote for the feature here in order to get group membership claim without having to query Graph API for that.

这篇关于在 Azure Active Directory B2C 中按组授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！