Refresh Token automatically and add new User Security Groups Azure AD


Problem description


I have a simple ASP.Net Web-APP using Azure AD with Role/Claims Authentication/Authorization. Basically the app checks IsInRole() for the user and then, depending on what is returned, he gets access to the area of the web-app. We are using SECURITY GROUPS in Azure AD. The scenario here is a user belongs to Group1 and upon login to the web-app he gets access to the Group1 area; now the Administrator at the backend adds the user to Group2 as well. What we want is, without the user logging out and logging back in to the portal, for his token to contain this newly added Group2 as well. Is there any way to refresh the token to have the additional Group2 added to that user's token without him logging out and in to the app?


Any way to force refresh the token with new information?

Thanks for your help.

Thank you.

Recommended answer

Refresh the token to get a new access token


One approach could be to use a Refresh Token to acquire a new Access Token if you're using a grant like Authorization code grant in your web application.


You can read more about it here - Refreshing the Access Tokens


Your application will need to decide when to acquire a new access token, so it can do that when it's aware that group membership has been updated by a backend component/admin.


Now a separate topic that you haven't mentioned much about is how your web application, where the user is already signed in, would get to know about such an event, but something like a SignalR notification could possibly help.

Caveats:


  • Working with Refresh tokens can be a little brittle as they can get revoked for reasons not controlled by your app (e.g. password change for user, expiration although that's long and other reasons too). In case of such errors, getting a new authorization code would be the only option left.

  • Refresh tokens must be stored securely.


Specifically in case of groups claims there can be overage scenarios where access token alone may not help.


Alternative approach (instead of trying to force refresh the token with new information as you mention)


If the groups claim is what you're after, then make use of the Microsoft Graph API to get information about the security groups that the user belongs to, instead of looking at just the access token.


Your application code can call the Microsoft Graph API again at any point to get new membership details, i.e. Group1 and Group2 as per your example (when it's aware that group membership has been updated by a backend component/admin). SignalR or some other way to notify your app of such changes would be relevant here as well.

Relevant Microsoft Graph API

POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/getMemberGroups

This is just one that seems relevant to me, but there are other similar APIs like memberOf, and you can choose based on your requirement.

Advantages


  1. You get around any overage scenarios where the user belongs to many groups, so the access token doesn't provide you all the group information you need anyway.

  2. You don't need to force a logout and login back again for the user in order to get an access token with fresh information.


Overage Scenario details for groups claim in access token


Currently you may have edited your application's manifest and set the "groupMembershipClaims" property to "All" or "SecurityGroup" so that the access token gets a groups claim with all group ids to which the user belongs.


To ensure that the token size doesn't exceed HTTP header size limits, Azure AD limits the number of objectIds that it includes in the groups claim. If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then Azure AD does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Graph API to retrieve the user's group membership.
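As an added example (not part of the answer above, and not ASP.Net code), the following Python sketch shows the decision the answer describes: use the groups claim from the token when it is present and believed current, and fall back to a Graph getMemberGroups call when the token carries the overage marker or the app has been told membership changed. It assumes an unsigned, constructed demo token, a hypothetical `fetch_member_groups` callback standing in for the Graph call, and the `_claim_names`/`_claim_sources` claim names Azure AD uses to signal overage.

```python
import base64
import json
from typing import Callable, List

# --- constructed sample data (placeholder ids, not real tenants or groups) ---
FRESH_CLAIMS = {"oid": "user-1", "groups": ["group1-id"]}
# Shape Azure AD uses when the user exceeds the overage limit: 'groups' is
# absent and _claim_names/_claim_sources point the app at Graph instead.
OVERAGE_CLAIMS = {
    "oid": "user-1",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint":
        "https://graph.microsoft.com/v1.0/users/user-1/getMemberGroups"}},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build an UNSIGNED demo JWT so the sample runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_payload(token: str) -> dict:
    """Decode the payload segment. Demo only: a real app validates the
    signature, issuer and audience before trusting any claim."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def is_overage(claims: dict) -> bool:
    """True when the token carries the overage marker instead of 'groups'."""
    return "groups" not in claims and "groups" in claims.get("_claim_names", {})

def effective_groups(claims: dict,
                     fetch_member_groups: Callable[[str], List[str]],
                     force_refresh: bool = False) -> List[str]:
    """Group ids to authorize against. fetch_member_groups is a hypothetical
    callback wrapping POST /users/{id}/getMemberGroups; force_refresh is set
    when the app learns (e.g. via SignalR) that membership changed."""
    if force_refresh or is_overage(claims) or "groups" not in claims:
        return fetch_member_groups(claims["oid"])  # token is stale or incomplete
    return list(claims["groups"])

def fake_graph(user_id: str) -> List[str]:
    """Stand-in for Graph: membership after the admin added Group2."""
    return ["group1-id", "group2-id"]
```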
