Group claims with Azure AD and OAuth2 implicit grant in ADAL JS


Question

We are developing a multi-tenant SaaS product in Azure which has an AngularJS front-end and Web API back-end. We use Azure AD for authentication and have hooked it up with ADAL JS (using the OAuth2 implicit grant). Being a multi-tenant application, we allow customers to authenticate against their own Azure AD (which may or may not be connected to an on-premise AD).

So far this all works nicely. ADAL JS takes the user to the Azure login page and once the user has authenticated, an OAuth2 token is issued. This JWT token is then sent with all API calls as a bearer token, where we have our own claims transformation process for mapping the incoming claims from Azure to our application claims.

Rather than specify individual users in the claims transformation process, we try to do it by AD groups. This allows our customers to have security groups in their AD, and then our application will use that to map to the correct application claims.

The JWT token we receive does not contain a groups property, despite having set groupMembershipClaims to SecurityGroup in the AAD application manifest. I have since read in this tweet from Vittorio that

The implicit grant will NOT send those claims, as it returns the token in the querystring - it's easy to blow past max length

Upon further investigation, I also found this StackOverflow answer from Vittorio that says

I verified and in the implicit grant case you will receive groups always via the overage claim. Please refer to https://github.com/AzureADSamples/WebApp-GroupClaims-DotNet/tree/master/WebApp-GroupClaims-DotNet - it will show you how to process the overage claim to retrieve groups.

I had a look at the JWT token and it does not include any overage claim (identified by _claim_names and _claim_sources). I'm definitely a member of two groups in my Azure AD.

I also now appear to have two conflicting statements about whether it is possible to get group information (whether directly or indirectly) in the implicit grant token.

Question 1: Should I be getting an overage claim that I can use to obtain group information? If so, do I need to do anything to ensure the claim is sent to me?

Whether I can get an overage claim with a link to the user in the graph API, or whether I have to manually craft the link to get the user's groups, I'm still a little unsure how I authenticate with the graph API.

I need to contact the graph API from the back-end after receiving a request with a bearer token (from ADAL JS).

Question 2: Can I send the same bearer token to the graph API to read that user's directory information? Or do I need to authenticate with the graph API tenant in the application context, directly from my application rather than as the user?

Accepted answer

Apologies for the confusion here. I will double check the statement about the overage, but in any case - for the sake of unblocking you quickly, let's assume that you need to get the groups manually without the aid of the overage claim. You cannot reuse the token you send to your Web API. That token is scoped to your app, and any other recipient will (or should) reject it. The good news is that the flow through which your backend can request a new token scoped for the Graph is easy to implement. See https://github.com/AzureADSamples/WebAPI-OnBehalfOf-DotNet - the details in your case are a bit different (your web API has the audience == clientid of your app) but the topology and the code/calls involved are exactly the same. HTH! V.
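The following is an added example, written for this page and not taken from the question, the answer, ADAL JS or any Microsoft sample. It covers both halves of the thread from the back-end's point of view: first the check the asker performed by hand (does the incoming token carry a `groups` claim directly, or the `_claim_names` / `_claim_sources` overage pair pointing at the Graph?), and second the point the answer makes (the token is scoped to the API and must not be forwarded to the Graph; instead the back-end exchanges it for a Graph-scoped token with the Azure AD v1 on-behalf-of grant). The tenant name, client id, secret, object ids and the unsigned sample tokens are all constructed placeholders. The payload decoder does not validate the signature; the API's bearer-token middleware is assumed to have done that before any of this runs.

```javascript
// Added example (not from the original question, the answer, or any Microsoft sample).
// What a Web API back-end can do with the bearer token ADAL JS sends it:
//   1. inspect the (already signature-validated) JWT for a direct `groups` claim or
//      for the overage pair `_claim_names` / `_claim_sources`;
//   2. refuse to forward that token to the Graph, and instead build the Azure AD v1
//      on-behalf-of request that obtains a Graph-scoped token for the same user.
// Tenant, client id, secret, object ids and the sample tokens are all constructed.

const GRAPH_RESOURCE = 'https://graph.windows.net';

// Decode the payload of a compact JWS. This does NOT verify the signature;
// the API's bearer-token middleware must do that before any of this runs.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Report how group membership can be obtained from this token:
// 'token'   -> groups are inline in the `groups` claim
// 'overage' -> only a pointer to the Graph endpoint that lists them
// 'none'    -> neither; the back-end has to ask the Graph itself
function inspectGroupClaims(jwt) {
  const claims = decodeJwtPayload(jwt);
  if (Array.isArray(claims.groups)) {
    return { source: 'token', groups: claims.groups, endpoint: null };
  }
  const names = claims._claim_names || {};
  const sources = claims._claim_sources || {};
  const src = names.groups && sources[names.groups];
  if (src && src.endpoint) {
    return { source: 'overage', groups: null, endpoint: src.endpoint };
  }
  return { source: 'none', groups: null, endpoint: null };
}

// Build the on-behalf-of request the back-end POSTs to the tenant's token endpoint.
// The incoming token is exchanged only if it was issued for this API (aud == client id);
// a token minted for any other audience is rejected rather than forwarded anywhere.
function buildOnBehalfOfRequest({ tenant, clientId, clientSecret, incomingToken }) {
  const claims = decodeJwtPayload(incomingToken);
  if (claims.aud !== clientId) {
    throw new Error(`audience ${claims.aud} is not this API; refusing to exchange`);
  }
  const params = new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    client_id: clientId,
    client_secret: clientSecret,
    assertion: incomingToken,
    resource: GRAPH_RESOURCE,
    requested_token_use: 'on_behalf_of',
  });
  return {
    method: 'POST',
    url: `https://login.microsoftonline.com/${tenant}/oauth2/token`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
  };
}

// With the Graph-scoped token in hand, the user's groups come from getMemberObjects
// (POST, body {"securityEnabledOnly": true}, Authorization: Bearer <graph token>).
function graphMemberObjectsUrl(tenant, userObjectId) {
  return `${GRAPH_RESOURCE}/${tenant}/users/${userObjectId}/getMemberObjects?api-version=1.6`;
}

// Constructed, unsigned sample tokens for demonstration only.
function makeSampleJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

const TENANT = 'contoso.example';        // placeholder tenant
const API_CLIENT_ID = 'api-client-id';   // placeholder client id of the app / API
const SAMPLE_TOKENS = {
  direct: makeSampleJwt({ aud: API_CLIENT_ID, oid: 'user-oid', groups: ['group-1', 'group-2'] }),
  overage: makeSampleJwt({
    aud: API_CLIENT_ID, oid: 'user-oid',
    _claim_names: { groups: 'src1' },
    _claim_sources: { src1: { endpoint: `${GRAPH_RESOURCE}/${TENANT}/users/user-oid/getMemberObjects` } },
  }),
  none: makeSampleJwt({ aud: API_CLIENT_ID, oid: 'user-oid' }),
  foreign: makeSampleJwt({ aud: 'some-other-app', oid: 'user-oid' }),
};

for (const [name, jwt] of Object.entries(SAMPLE_TOKENS)) {
  console.log(name, inspectGroupClaims(jwt));
}
console.log(buildOnBehalfOfRequest({
  tenant: TENANT, clientId: API_CLIENT_ID, clientSecret: 'placeholder-secret',
  incomingToken: SAMPLE_TOKENS.none,
}).body);
```

Run it with `node` and it prints the classification of each sample token followed by the form-encoded on-behalf-of body. The audience check in `buildOnBehalfOfRequest` is the enforcement of the answer's "any other recipient will (or should) reject it": the API only ever exchanges tokens that name it as the audience, and the Graph-scoped token it gets back is the one used to call `getMemberObjects`.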
