How to use Azure AD to generate tokens with role definition


Problem description



I have this scenario: I have an App Service, I set its authorization to Allow Anonymous Request and the Authentication Provider to Active Directory, configuring an Azure AD App.

In this AD App I put in its manifest some roles like this one:

    "appRoles": [
        {
          "allowedMemberTypes": [
            "User"
          ],
          "displayName": "Approver",
          "id": "8f29f99b-5c77-4fba-a310-4a5c0574e8ff",
          "isEnabled": true,
          "description": "Approvers can mark documents as approved",
          "value": "approver"
        }
    ]

Posting to the URL https://login.windows.net//oauth2/token with my AD App ID I receive a token, and what I expected was to find the role in this token. It doesn't work like this and I couldn't find out the reason.

What I want is to generate the token using Azure and, in my API, to set an [Authorize(Role="approver")] to filter the controllers accessed by different clients using the same tenant.

Solution

If your scenario is about assigning an application role to a user/group: once a user is assigned to an application role (either through a direct assignment or via an assignment to a group that the user is a member of), Azure AD includes the roles claim in the token when the user signs in to the application. The application can then authorize the user using constructs like IsInRole("reader") or the [Authorize(Roles="reader")] of .NET. You should set:

    "allowedMemberTypes": [
        "User"
      ],

Then you don't need to use the client credential flow. Here is an article about how to configure that; also refer to the code sample here.

If your scenario is about allowing web applications and web APIs that act as clients and access other resource APIs to request application roles of the resource API to be assigned to them (using the client credential flow): the role gets assigned to the client app when it is installed by the Azure AD customers. You could refer to the steps below to achieve that:

1. Create a new AD application in the classic Azure AD portal.
2. Set the sign-on URL and app ID URL.
3. On the Configure tab scroll down to the section called 'Permissions to other applications'. Here, add a new permission by first selecting the API for which the client application is requesting an application role, and then selecting the desired application role in the Application Permissions drop-down. In my API app (its name is testRole), I have set the roles like:

   Then select the application role:

4. Then we could acquire the token to let my web app access the "testRole" API using the client credential flow:

       POST https://login.microsoftonline.com/YourTenant/oauth2/token

       Content-Type: application/x-www-form-urlencoded

       resource=http%3A%2F%2Ftestbasic1.onmicrosoft.com%2Ftestrole&client_id=&client_secret=&grant_type=client_credentials

5. Then the access token will include the app role:

You could read more about role-based access control in cloud applications using Azure AD from here.

EDIT

To set permissions to another application in the new portal:

1. Click the Azure AD icon in the left panel, select the web app, click Required permissions, click Add, Select an API, then search for the API you want to access:

2. Then select the application permissions you want:
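As an added example (not code from the original post or from Azure AD's libraries), the snippet below builds the client-credentials form body from the answer's step 4 and then inspects the roles claim of an access token the way [Authorize(Roles="approver")] would, using a constructed sample token with a placeholder signature so it runs offline. The resource URI is the one from the answer's request body; the client id and secret are left empty because the post elides them.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed sample values, not from the original post: the resource URI is the
# one used in the answer's request body; the role is the question's manifest entry.
RESOURCE = "http://testbasic1.onmicrosoft.com/testrole"
APP_ROLE = {"displayName": "Approver", "value": "approver"}


def build_client_credentials_body(resource, client_id, client_secret):
    """Form body for the client credentials grant shown in the answer."""
    return urlencode({
        "resource": resource,
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt):
    """Return the payload claims of a JWT. This only inspects the token; a
    resource API must validate signature, issuer, audience and expiry first."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def has_app_role(claims, role_value):
    """Equivalent of [Authorize(Roles="approver")]: the roles claim carries the
    manifest's `value` ("approver"), never the `displayName` ("Approver")."""
    return role_value in claims.get("roles", [])


def make_sample_jwt(claims):
    """Constructed token so the example runs offline; the third segment is a
    placeholder, not a real signature, so nothing here verifies it."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"


# What the access token from step 4 should carry once the application
# permission is granted: the role's value inside the roles claim.
SAMPLE_TOKEN = make_sample_jwt({"aud": RESOURCE, "roles": [APP_ROLE["value"]]})
```

If a real token decoded this way has no roles claim, the application permission was not granted (or admin consent is missing), which is exactly the symptom the question describes.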
