基于ASP.NET MVC和Azure Active Directory安全组的授权 [英] asp.net mvc and azure active directory security group based authorization
问题描述
我正在寻找有关ASP.NET MVC应用程序的帮助.它可以对单个租户进行身份验证以使活动目录用户蔚蓝,并可以使用活动目录安全组授权用户.即,如果用户属于该安全组,则仅允许访问网站,否则访问将被拒绝.
I am looking help for ASP.NET MVC application. Which authenticate single tenant azure active directory users and can authorize users using active directory security group. i.e. if user is part of that security group then only allow access to website otherwise access denied.
Active Directory身份验证可以由Visual Studio本身使用向导完成,但不确定如何通过AAD安全组执行授权.
Active directory authentication can be done by visual studio itself using wizard but not sure how to perform authorization through AAD security group.
P.S.我不熟悉ASP.NET安全性
P.S. I am new to ASP.NET security
推荐答案
当用户登录应用程序时,一旦您适当地修改了应用程序的清单,来自Azure AD的传入令牌将包含组声明.请参阅下面的示例应用程序链接以获取步骤).然后,您的应用程序代码可以读取这些声明并根据它们做出授权决定.
When a user signs into the application, incoming token from Azure AD will contain group claims, once you modify the application's manifest appropriately (see the sample application link below for steps). Your application code can then read these claims and make authorization decisions based on them.
这是一个基于组声明进行授权的示例应用程序-
Here is a sample application that does authorization based on group claims -
-
您已经特别询问了有关组的信息,但是您还应该考虑使用应用程序角色,这可以帮助您实现基于角色的授权逻辑.查看Microsoft文档链接应用程序角色.这是指向另一个类似问题的链接,在该链接中,我提供了有关应用程序角色和组的更详细的信息,以及这两个示例代码的链接. 将Azure Active Directory与自定义RBAC集成
You have specifically asked about Groups, but you should also consider using Application Roles, which can help you implement a Role based authorization logic. Look at Microsoft documentation link Application Roles. Here is a link to another similar question where I have provided a little more detailed information on both Application Roles and Groups and links to sample code for both. Azure Active Directory Integration with Custom RBAC
一旦了解了应用程序角色和组的用途/目的,就完全有可能决定要基于登录用户的角色和组信息的组合而不是仅仅基于角色和组信息的授权逻辑.
Once you understand the usage/purpose of application roles and groups, it's completely possible for you to decide that you want to base your authorization logic on a combination of Roles and Groups information for the signed in user instead of just one.
如果用户是多个组(6个或更多AFAIK)的一部分,则Azure AD令牌不会作为令牌的一部分直接跨组"发送,而是发送一个超额指示符,然后您可以在单独的呼叫中查询组.在这里查看与令牌相关的文档-
In case when a user is part of many groups (6 or more AFAIK), Azure AD token doesn't send across the "groups" directly as part of token, instead it sends an overage indicator and then you can query the groups in a separate call. Take a look at the token related documentation here - Claims in id_tokens
这篇关于基于ASP.NET MVC和Azure Active Directory安全组的授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
