在 SPA + Web API 中通过 MSAL 检查 Azure Active Directory 组成员身份 [英] Checking Azure Active Directory group membership via MSAL in a SPA + Web APIs
问题描述
我正在构建一个应用程序,它有一个前端(使用 Vue.js 构建的 SPA),它与后端(托管在 Azure)中的几个基于 json 的 Web API 接口.Web API 需要通过 Azure Active Directory 进行保护,并且用户必须是安全组的成员.此外,如果用户未登录(即只是自动重定向),SPA 应该简单地尝试强制用户登录已批准的帐户.
I am building an application which has a front-end (a SPA built with Vue.js) which interfaces to a couple json-based Web APIs in the back end (hosted in Azure). The Web APIs need to be secured via Azure Active Directory and users must be a member of a security group. Furthermore, the SPA should simply try to force the user to sign into an approved account if they are not signed in as one (i.e. just auto-redirect).
我实际上已经完成了所有这些工作.AAD 应用程序具有 Group.Read.All,用户通过 SPA 登录并表示同意,SPA 调用 getMemberGroups.此外,Web API 可以检查 SPA 提供的访问令牌,不幸的是,Web API 还必须调用 getMemberGroups.
I actually have all this working. The AAD application has Group.Read.All, the user signs in via the SPA and gives consent, and the SPA calls getMemberGroups. Furthermore, the Web APIs can check the SPA-provided access token, and the Web APIs unfortunately must also call getMemberGroups.
我认为这是我关心的问题.Web API 必须不断调用 getMemberGroups 才能将其锁定.如果我在服务上进行了身份验证,则只有在验证了成员资格组后,我才有可能返回访问令牌.但后来我失去了 SPA 中简单的 MSAL 登录模型 - Web API 实际上不提供任何前端,SPA 是静态托管的.
And I think that is my concern. The Web APIs keep having to call getMemberGroups to lock it down. If I did the auth on the service, I could potentially only return an access token once membership groups has been verified. But then I lose the easy MSAL sign-in model in the SPA - the Web APIs don't actually provide any front end, the SPA is statically hosted.
据我所知,我无法让 Azure Active Directory 创建一个保证其中包含某些组声明的令牌.我想这会解决我的问题.
As far as I can tell, I cannot get Azure Active Directory to create a token guaranteed to have certain group claims in it. I think this would solve my problem.
有人可以就围绕 SPA + Web API 环境设计身份验证模型的最佳方式提供一些建议吗?还是我采取的方法是唯一的方法?
Can somebody offer some advice on the best way to design an auth model around a SPA + Web API environment? Or is the method I have taken the only way to do it?
谢谢!
推荐答案
您可以按照说明在令牌中包含 Groups 声明 这里.您只需要修改应用清单中的groupMembershipClaims"字段:
You can include Groups claim in your token as instructed here. You just need to modify the "groupMembershipClaims" field in application manifest:
"groupMembershipClaims": "SecurityGroup"
然后令牌将包含使用所属组的 ID,如下所示:
Then the token will contain the Ids of the groups that the use belongs to like below :
{
"groups": ["1ce9c55a-9826-4e32-871c-a8488144bb32"]
}
您还可以利用角色和组来控制对应用程序的访问.您可以定义一些应用角色并将角色分配给组.然后该组中的用户将拥有如下声明:
You can also leverage Role along with Groups to control access of your application. You can define some applciation roles and assign the roles to the groups. Then the users in the group will have the claim like below:
{
"roles": ["admin"]
}
然后您可以根据用户的角色实现您的授权逻辑.
Then you can implement your authorization logic based on the roles of the user.
参考 https:///joonasw.net/view/using-groups-vs-using-app-roles-in-azure-ad-apps 和 https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps 了解更多详情
Refer to https://joonasw.net/view/using-groups-vs-using-app-roles-in-azure-ad-apps and https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps for more details
这篇关于在 SPA + Web API 中通过 MSAL 检查 Azure Active Directory 组成员身份的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
