Azure Mobile App Service - Cordova, with C# backend, using Azure AD. How to check roles?


Problem description

I have got the Azure authentication working and can limit access to controllers using [Authorize] attributes like in the documentation. So far I love it.

I am going to need to have some users with elevated privileges, however, and we would normally use an AD Security Group. "Great!", I thought, "I'll just use the [Authorize(Roles = "AD Security Group")]" and I can get back into developing the app!

Well, I was wrong. Two days later and I have just gone around in circles. I have arrived at the conclusion that the roles claim is not being provided by AAD, so the ClaimsPrincipal does not contain roles, and so can't provide the information to the authorize attribute.

I see a lot of older information out there about this (Azure Mobile App is pretty new) and it's muddied the waters quite a bit. Is the current solution to this to query the AD Graph API to get the roles info?

Or, perhaps, write a custom attribute to call the /.auth/me endpoint to get the role information?

I am so confused! Would someone please point me in the right direction?

Recommended answer

You need to do some work to get the AAD groups into the claims. I wrote a blog about this. Although it implements authorization in Node, the configuration on the AAD side is identical.

In terms of getting it into the Authorize Roles, the Azure Mobile Apps Server SDK does not do this presently for you. (I think it's a good idea, so feel free to file an issue on our GitHub repository)

If you are writing the attribute yourself, I'd use the GetAppServiceIdentityAsync<>() method to get the claims - don't query /.auth/me yourself.
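As an added example (not code from the question, the answer, or the Azure Mobile Apps SDK), here is a custom Web API authorization filter along the lines the answer suggests: it reads the AAD identity through GetAppServiceIdentityAsync<>() instead of calling /.auth/me, and allows the request only when one of the user's group claims matches a configured group object ID. It assumes the AAD application manifest has been configured to emit group membership claims (the setup the answer's blog covers), that those arrive as claims of type "groups" carrying group object IDs, and that the group ID shown is a placeholder.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Microsoft.Azure.Mobile.Server.Authentication;

// Hypothetical attribute: permits the action only when the signed-in AAD user
// is a member of one of the listed security groups. Groups are matched by
// object ID, which is what the "groups" claim carries (assumption: the AAD
// app manifest has groupMembershipClaims enabled).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class AuthorizeAadGroupAttribute : AuthorizationFilterAttribute
{
    private readonly string[] _allowedGroupIds;

    public AuthorizeAadGroupAttribute(params string[] allowedGroupIds)
    {
        _allowedGroupIds = allowedGroupIds ?? new string[0];
    }

    public override async Task OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
    {
        var request = actionContext.Request;

        // The SDK resolves the App Service identity for us; no manual /.auth/me call.
        var creds = await request.GetAppServiceIdentityAsync<AzureActiveDirectoryCredentials>();
        if (creds == null)
        {
            // No AAD identity on the request: not authenticated.
            actionContext.Response = request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // A user in several groups gets several "groups" claims; collect all of them.
        var userGroups = creds.UserClaims
            .Where(c => c.Type == "groups")
            .Select(c => c.Value);

        if (!userGroups.Intersect(_allowedGroupIds, StringComparer.OrdinalIgnoreCase).Any())
        {
            // Authenticated but not in an allowed group: 403, not 401.
            actionContext.Response = request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }
}

// Usage (placeholder group object ID, not a real group):
// [AuthorizeAadGroup("00000000-0000-0000-0000-000000000000")]
// public IHttpActionResult GetAdminData() { ... }
```

If no matching claim is present, for instance when the token omits groups because the user exceeds AAD's group-claim limit, the filter fails closed with 403 rather than granting access.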
