如何使用 Azure AD 生成具有角色定义的令牌 [英] How to use Azure AD to generate tokens with role definition
问题描述
我有这样的场景:我有一个应用服务,我将其授权设置为允许匿名请求,身份验证提供程序设置为 Active Directory,设置了 Azure AD 应用程序.
在这个 AD 应用程序中,我在它的清单中加入了一些像这样的角色:
"appRoles": [{允许的成员类型":[用户"],"displayName": "审批人","id": "8f29f99b-5c77-4fba-a310-4a5c0574e8ff",已启用":真,"description": "审批人可以将文档标记为已批准",价值":批准人"},发布到 URL
设置登录网址和应用 ID 网址.
在配置选项卡上向下滚动到名为对其他应用程序的权限"的部分.在这里,通过首先选择客户端应用程序为其请求应用程序角色的 API,然后在应用程序权限下拉列表中选择所需的应用程序角色来添加新权限.在我的 API 应用程序(名称是 testRole)中,我设置了如下角色:
然后选择应用角色:
然后我们可以获取令牌,让我的网络应用程序使用客户端凭据流访问testRole"API:
发布
您可以从
- 然后选择您想要的应用程序权限:
I have this scenario: I have an App Service, I set its authorization as Allow Anonymous Request and the Authentication Provider as Active Directory setting an Azure AD App.
In this AD App I put in its manifest some roles like this one:
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "Approver",
"id": "8f29f99b-5c77-4fba-a310-4a5c0574e8ff",
"isEnabled": true,
"description": "Approvers can mark documents as approved",
"value": "approver"
},
Posting to the URL https://login.windows.net//oauth2/token with my AD App ID I receive a token and what I expected to was to find the role in this token. It doesn't work like this and I couldn't find out the reason.
What I want is to generate the token using Azure and in my API, to set an [Authorize(Role="approver")] to filter controllers accessed by different clients using the same tenant.
If your scenario is about assigning application role the user/group . Once a user is assigned to an application role (either through a direct assignment or via an assignment to a group that the user is member of), Azure AD includes the roles claim in the token when the user signs in to the application. The application can then authorize the user using constructs like IsInRole("reader") or the [Authorize (Roles="reader")] of .net. You should make :
"allowedMemberTypes": [
"User"
],
Then you don't need to use client credential flow . And here is an article about how to config that , also refer to code sample here .
If your scenario is about allowing web applications and web APIs that act as clients and access other resource APIs, to request for application roles of resource API to be assigned to them(using client credential flow). The role gets assigned to the client app when it is installed by the Azure AD customers. You could refer to below steps to achieve that :
- create a new ad application in classic azure ad portal :
Set the sign-on url and app id url .
On the configure tab scroll down to the section called ‘permissions to other application’. Here, add a new permission by first selecting the API for which the client application is requesting an application role, and then selecting the desired application role in the Application Permissions drop down. In my API app(name is testRole) , i have set the roles like :
Then select application role :
Then we could acquire the token to let my web app access the "testRole" API using client credential flow :
Post https://login.microsoftonline.com/YourTenant/oauth2/token
Content-Type: application/x-www-form-urlencoded
resource=http%3A%2F%2Ftestbasic1.onmicrosoft.com%2Ftestrole&client_id=&client_secret=&grant_type=client_credentials
Then the access token will include the app role :
You could read more about Roles based access control in cloud applications using Azure AD from here
EDIT
To set permission to other application in new portal: 1. click azure ad icon in left panel , select the web app , click the Required permissions , click Add, Select an API , then search the API you want to access :
- Then select the application permissions you want :
这篇关于如何使用 Azure AD 生成具有角色定义的令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
