Group role based authorization

Views: 71

Problem description

I've been trying to implement a group based authorization. I have gone ahead and implemented the user based authorization using the content below: https://medium.com/medialesson/role-based-authorization-in-azure-functions-with-azure-ad-and-app-roles-b1fed5714c91


Using this content, does anyone know how to change my code, so it is able to handle groups, not roles? I went ahead and changed the manifest in Azure to include security groups. Any help would be appreciated. Below is the code:

using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.WebJobs.Host;

internal class RoleAuthorizeAttribute : FunctionInvocationFilterAttribute
{
    ...

    public override async Task OnExecutingAsync(FunctionExecutingContext executingContext, CancellationToken cancellationToken)
    {
        // The "principal" argument is the ClaimsPrincipal bound for the function invocation.
        if (!executingContext.Arguments.ContainsKey("principal"))
        {
            throw new AuthorizationException("Authentication failed. Missing claims.");
        }

        var claimsPrincipal = (ClaimsPrincipal)executingContext.Arguments["principal"];
        // App roles assigned in Azure AD are delivered in the "roles" claim of the token.
        var roles = claimsPrincipal.Claims.Where(e => e.Type == "roles").Select(e => e.Value);

        // Allow the call only if at least one role in the token is in the configured list.
        var isMember = roles.Intersect(_validRoles).Any();
        if (!isMember)
        {
            throw new AuthorizationException("Authentication failed. User not assigned to one of the required roles.");
        }
    }
}

Recommended answer

Use claimsPrincipal.Claims.Where(e => e.Type == "groups") to get the group claims.

The groups claim only returns group id rather than group name. You can loop the group ids to use Microsoft Graph to query the group names: var group = await graphClient.Groups["{group id}"].Request().GetAsync();. Then you could match them against the group attributes you set.


See Microsoft Graph reference here.
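The following is an added example, not code from the question or the answer, showing the group-based variant of the filter the answer describes. It reads the "groups" claim and matches on group object IDs (the immutable value the token actually carries) rather than on display names, which are mutable and not unique; the Graph lookup the answer suggests is kept as a separate helper for resolving names. It also handles the case where Azure AD omits the "groups" claim because the user belongs to too many groups and emits "hasgroups" or "_claim_names" instead, and fails closed there. Assumptions: the AuthorizationException type and the "principal" argument binding are those from the question, and the GraphServiceClient is already authenticated using the Graph SDK request style the answer uses.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.WebJobs.Host;
using Microsoft.Graph;

// Added example: authorize on the "groups" claim instead of the "roles" claim.
internal class GroupAuthorizeAttribute : FunctionInvocationFilterAttribute
{
    // Assumed: the allowed group object IDs are supplied by the function author,
    // e.g. [GroupAuthorize("00000000-0000-0000-0000-000000000000")] (placeholder ID).
    private readonly HashSet<string> _allowedGroupIds;

    public GroupAuthorizeAttribute(params string[] allowedGroupIds)
    {
        _allowedGroupIds = new HashSet<string>(allowedGroupIds, StringComparer.OrdinalIgnoreCase);
    }

    public override Task OnExecutingAsync(FunctionExecutingContext executingContext, CancellationToken cancellationToken)
    {
        // Same "principal" argument as in the question's RoleAuthorizeAttribute.
        if (!executingContext.Arguments.TryGetValue("principal", out var arg) || !(arg is ClaimsPrincipal principal))
        {
            throw new AuthorizationException("Authentication failed. Missing claims.");
        }

        if (!IsMemberOfAllowedGroup(principal, _allowedGroupIds))
        {
            throw new AuthorizationException("Authorization failed. User is not a member of a required group.");
        }

        return Task.CompletedTask;
    }

    // Pure membership check, separated so it can be unit-tested with a constructed ClaimsPrincipal.
    internal static bool IsMemberOfAllowedGroup(ClaimsPrincipal principal, ISet<string> allowedGroupIds)
    {
        // Group overage: when the user is in more groups than the token can carry, Azure AD
        // drops the "groups" claim and emits "hasgroups" (or "_claim_names"/"_claim_sources").
        // An empty "groups" list then means "unknown", not "no groups", so deny here and let
        // the caller resolve membership through Graph instead of silently passing.
        if (principal.HasClaim(c => c.Type == "hasgroups") || principal.HasClaim(c => c.Type == "_claim_names"))
        {
            return false;
        }

        // The "groups" claim carries group object IDs, one claim per group.
        var groupIds = principal.Claims.Where(c => c.Type == "groups").Select(c => c.Value);
        return groupIds.Any(allowedGroupIds.Contains);
    }

    // Optional: resolve display names for the IDs in the token, as the answer suggests,
    // for logging or for matching against a configured name. Uses the Graph SDK request
    // style shown in the answer; graphClient is assumed to be authenticated already.
    internal static async Task<IDictionary<string, string>> ResolveGroupNamesAsync(
        GraphServiceClient graphClient, IEnumerable<string> groupIds)
    {
        var names = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var id in groupIds)
        {
            var group = await graphClient.Groups[id].Request().GetAsync();
            names[id] = group.DisplayName;
        }
        return names;
    }
}
```

Comparing on object IDs means the filter needs no Graph round trip per request and cannot be satisfied by a second group that happens to share a display name; the name lookup is only needed when a human-readable name is wanted, and a denied overage token should be resolved through a Graph membership query rather than treated as a member of no groups.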
