使用 JWT 检索 Azure AD 组信息 [英] Retrieving Azure AD Group information with JWT

问题描述

我有需要 Azure AD 不记名身份验证的 API.

I have APIs that require Azure AD bearer authentication.

public void ConfigureAuth(IAppBuilder app)
{
   app.UseWindowsAzureActiveDirectoryBearerAuthentication(
      new WindowsAzureActiveDirectoryBearerAuthenticationOptions
      {
         // ...
      });
}

是否可以查询 Azure AD(可能使用 Graph API)来确定调用用户的组信息?此处的最终目标是将基于角色的安全性应用于 API 方法/控制器，如下所示(或类似).

Is it then possible to query Azure AD - perhaps using the Graph API - to determine the group information of the calling user? The end goal here is to apply role-based security to the API methods/controllers, as below (or similar).

[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]

另外，身份信息是如何以及在哪里应用到执行线程的?

Additionally, how and where is the identity information applied to the executing thread?

推荐答案

最近，您可以使用角色声明和/或组声明来执行此操作.如果您有一个受承载身份验证保护的 Web API(如 此处的示例)，您可以配置 API，以便访问令牌包含组和/或角色声明.

As of recently, you can use Role Claims and/or Group Claims to do so. If you have a web API protected with bearer authentication (like in the sample here), you can configure the API so that access tokens contain Group and/or Role claims.

OWIN 中间件将读取 JWT 不记名令牌中的声明，并在 System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler 中使用适当的声明填充 ClaimsIdentity (来源).

The OWIN middleware will read the claims in the JWT bearer token and populate the ClaimsIdentity with appropriate claims, in the System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler (source).

要配置您的 API 以接收组声明，您需要编辑应用程序清单的 "groupMembershipClaims" 属性，其值为 "All" 或 本示例(分别包含或排除分发列表)a>，它使用组声明将基于角色的安全性应用到使用 [Authorize] 标记的 Web 应用程序.

To configure your API to receive Group Claims, you need to edit the "groupMembershipClaims" property of the application manifest with a value of "All" or "SecurityGroups" (distribution lists included or excluded, respectively) as shown in this sample, which uses Group Claims to apply role-based security to a web app using the [Authorize] tag.

要配置您的 API 以接收角色声明，您还需要编辑清单，在 "appRoles" 属性中定义应用程序角色，如 此示例(链接尚未激活 - 它将在接下来的几天内)，它使用角色声明来执行相同的操作.定义应用程序角色后，您可以在 Azure 门户中或通过 GraphAPI 将用户和组分配给这些角色.请注意，由于 AAD 发出的声明属于 "roles" 类型，因此您需要将 RoleClaimType 设置为:

To configure your API to receive Role Claims, you also need to edit the manifest, defining Application Roles in the "appRoles" property as shown in this sample (link not yet active - it will be in the next few days), which uses Role Claims to do the same. Once you have defined Application Roles, you can assign users and groups to those roles in the Azure Portal or via the GraphAPI. Note because the claims emitted by AAD are of type "roles", you will need to set the RoleClaimType as:

new WindowsAzureActiveDirectoryBearerAuthenticationOptions  
{  
   ...
   TokenValidationParameters = new TokenValidationParameters {  
       RoleClaimType = "roles",  
   },  
   ...  
}

这篇关于使用 JWT 检索 Azure AD 组信息的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！