认证与授权? [英] Authentication vs Authorization?
问题描述
我是Azure ADB2C的新手,并对某些术语感到困惑.
I'm new to Azure ADB2C, and am confused by some of the terminology.
我正在建立一个摩托车行驶监控网站,希望用户能够通过验证社交媒体身份(目前为Google& Microsoft帐户)登录.
I am building a motorcycle ride monitoring website that I would like users to be able to log in to by verifying a social media identity (Google & Microsoft Account, for now).
但是我只希望网站的会员能够使用某些功能.例如,我希望每个通过身份验证的人都能够申请会员资格,了解会员资格的好处等,但我只希望会员能够启动乘车监控.
But I only want users who are members of the site to be able to use certain features. For example, I'd like everyone who authenticates to be able to apply for membership, read about the benefits of membership, etc., but I only want members to be able to initiate ride monitoring.
这里推荐的方法是仅授权(而不是进行身份验证,如果我正确理解了术语的话)某些经过身份验证的用户(即会员)使用乘车监控服务吗?
Is the recommended approach here to only authorize (rather than authenticate, if I'm understanding the terminology correctly) certain authenticated users (i.e., members) to use the ride monitoring services?
如果是这样,授权成员的最佳方法是什么?在独立的数据库中查找他们的电子邮件(我需要从身份验证过程中退回这些电子邮件),然后进行相应的处理?如果我采用这种方式,将其会员身份添加到其凭证中最简单的方法是什么,以便我可以在整个网站上访问它?
If so, what's the best way to authorize a member? Look up their email (which I require to be returned from the authentication process) in a standalone database and proceed accordingly? If I go that way, what's the simplest way of adding their membership status to their credential, so I can access it throughout the site?
在这里不提供代码的道歉.我有很多问题:)但这是设计问题,而不是编码问题.
Apologies for not providing code here. I've got a bit of it hanging around :) but this is more of a design question than a coding one.
推荐答案
Azure AD B2C主要是身份验证即服务.有多种方法可以将其用于您要在此处实现的目标.
Azure AD B2C is primarily Authentication as a Service. There are ways in which it can be used for what you are trying to achieve here.
You can use custom (extension) attributes in AADB2C (https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-custom-attr) in combination with AAD Graph apis (https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet). So when user authenticates and applies for membership, you can call AAD graph api to set the custom attribute on user object. You can get the extension attribute in a the token after the authentication happens. This token will give you membership of the user.
您也可以使用AAD组代替自定义属性.在租户中,创建成员资格组.用户验证后,调用AADGraph来设置/获取用户的组成员身份,这将提供授权信息.
You can also use AAD Groups instead of custom attributes. In the tenant, create membership groups. Once user authenticates, call AADGraph to set/get user's membership of a group and that will give the authorization information.
您还可以按照您的描述进行操作,将信息保留在应用程序的数据库存储中.但是前两个功能为用户管理提供了内置功能.
You can also do what you described, maintaining the info in a database store of your application. But the first two functionalities provide in-built functionalities for user management.
这篇关于认证与授权?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
