asp.net azure active directory user profile data

Question

I'm working on an MVC application using Azure's AD authentication. I have been looking for a best practice or suggested way to 'extend' the user profile data. For example, I want the users to have a date of birth stored against themselves.

I have looked at this but it doesn't really answer my question: Active Directory User Data Storage

I can't find anything else kinda close to the solution either, all other solutions are for the other type of authentication.

One thing to note is the application only has read access to the AD, if that matters for what I'm asking. I hope to just create a User model which uses the User.Identity.GetUserId() (is this ever going to change? If it does, what can I use that won't?).

Thanks in advance!

Answer

I have a couple of options to suggest here.

Option 1 - you can use your own application profile store, for storing additional user profile information for properties not present in the directory. Basically when your app gets a user token (or a JWT token) for the signed in user, you'll get an objectId (oid) claim in the token. This is a unique id for the user (across ALL of Azure AD). You can use this as a key in your user profile store, and use this key to essentially link user info in AAD to user info in your app store.

Option 2 - use directory schema extensions. Azure AD (via Graph API) allows your application to declare additional properties to extend your customer's Azure AD schema. Here you could extend the User entity with a new dateOfBirth property. Customers (admins) of your multi-tenant app would need to consent to allow your app to write to their directory, which, on consent, would extend their User entity schema with the extension properties your app declares. Your app (or in fact any app) can then read and write to this new extension property. NOTE: currently there is no special access control on these extension properties - if a user or app has permissions to read a User entity (in this case), they'll be able to read any extension properties declared by any applications - including yours.
For more information on directory extensions please see https://msdn.microsoft.com/en-us/library/azure/dn720459.aspx and http://blogs.msdn.com/b/aadgraphteam/archive/2014/03/06/extend-azure-active-directory-schema-using-graph-api-preview.aspx (despite what this blog post says, schema extensions are now GA in version 1.5 of the Graph API). Directory schema extensions are also supported through the Graph Client Library, and you can see this in the console sample here on github: https://github.com/AzureADSamples/ConsoleApp-GraphAPI-DotNet.

HTHS,
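The following is an added example of Option 1 from the answer above; it is not code from the original post or from any Microsoft sample. It keys the app's own profile store on the objectId (oid) claim the answer names, together with the tenant id (tid) so that two tenants' users can never collide, instead of on a display name or e-mail address that a directory admin can change. The `UserProfile` class, the in-memory `ProfileStore` (standing in for a database table) and the `ProfileController` are all hypothetical; the two claim-type URIs are the ones Azure AD emits for the signed-in user.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Web.Mvc;

// Hypothetical profile record kept in the app's own store, not in the directory.
public class UserProfile
{
    public string ObjectId { get; set; }     // 'oid' claim: stable and unique across Azure AD
    public string TenantId { get; set; }     // 'tid' claim: keeps tenants apart in a multi-tenant app
    public DateTime? DateOfBirth { get; set; }
}

public static class AadClaimTypes
{
    // Claim types Azure AD places in the token for the signed-in user.
    public const string ObjectId = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    public const string TenantId = "http://schemas.microsoft.com/identity/claims/tenantid";
}

// Hypothetical store standing in for a database table whose key is (tid, oid).
public class ProfileStore
{
    private readonly ConcurrentDictionary<string, UserProfile> _profiles =
        new ConcurrentDictionary<string, UserProfile>();

    private static string Key(string tenantId, string objectId)
    {
        return tenantId + "/" + objectId;
    }

    // Looks up (or creates) the profile that belongs to the caller's own token claims.
    // The caller cannot name another user's profile: the key comes only from the token.
    public UserProfile GetOrCreate(ClaimsPrincipal user)
    {
        Claim oid = user.FindFirst(AadClaimTypes.ObjectId);
        Claim tid = user.FindFirst(AadClaimTypes.TenantId);
        if (oid == null || tid == null)
        {
            // Refuse to fall back to name/email: those are not stable identifiers.
            throw new InvalidOperationException("Token lacks oid/tid claims; cannot key a profile.");
        }
        return _profiles.GetOrAdd(
            Key(tid.Value, oid.Value),
            _ => new UserProfile { ObjectId = oid.Value, TenantId = tid.Value });
    }
}

[Authorize]
public class ProfileController : Controller
{
    private static readonly ProfileStore Store = new ProfileStore();

    private UserProfile CurrentProfile()
    {
        var principal = User as ClaimsPrincipal;
        if (principal == null)
        {
            throw new InvalidOperationException("Expected a claims-based principal from Azure AD sign-in.");
        }
        return Store.GetOrCreate(principal);
    }

    public ActionResult Index()
    {
        return View(CurrentProfile());
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult SetDateOfBirth(DateTime dateOfBirth)
    {
        // Only the signed-in user's own record is ever written.
        CurrentProfile().DateOfBirth = dateOfBirth;
        return RedirectToAction("Index");
    }
}
```

Because the profile row is selected purely from the validated token's claims, the date of birth stays under the app's own access control, which is the property Option 2 lacks according to the answer's NOTE.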

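The following is an added example of Option 2 from the answer above, written against the raw Graph API 1.5 REST endpoints rather than the Graph Client Library the answer links to; it is not code from the original post or from the linked GitHub sample. It assumes a bearer token for https://graph.windows.net that already carries write permission to the tenant directory (how that token is acquired, and the admin consent the answer describes, are outside the block), and that `tenant`, `appObjectId`, `clientId` and `userObjectId` are supplied by the caller. The `DirectoryExtensionClient` class name is hypothetical; the endpoint paths, the request body shape and the `extension_<clientId without dashes>_<name>` property naming follow the MSDN directory-extensions page the answer cites.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;

// Hypothetical thin client for Graph API 1.5 directory schema extensions.
public class DirectoryExtensionClient
{
    private const string ApiVersion = "api-version=1.5";
    private readonly HttpClient _http;
    private readonly string _tenant;   // tenant id or a verified domain of the customer tenant

    public DirectoryExtensionClient(string tenant, string accessToken)
    {
        _tenant = tenant;
        _http = new HttpClient { BaseAddress = new Uri("https://graph.windows.net/") };
        // Assumed: accessToken was obtained for the Graph resource with directory write permission.
        _http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
    }

    // Declares a 'dateOfBirth' string property on the User entity, registered under
    // the app's own application object. The directory returns the generated full name.
    public async Task<string> RegisterDateOfBirthAsync(string appObjectId)
    {
        const string body = "{\"name\":\"dateOfBirth\",\"dataType\":\"String\",\"targetObjects\":[\"User\"]}";
        string url = _tenant + "/applications/" + appObjectId + "/extensionProperties?" + ApiVersion;
        HttpResponseMessage resp = await _http.PostAsync(url, new StringContent(body, Encoding.UTF8, "application/json"));
        resp.EnsureSuccessStatusCode();
        return await resp.Content.ReadAsStringAsync();   // JSON whose "name" is extension_<clientId>_dateOfBirth
    }

    // Extension properties are addressed as extension_<application client id without dashes>_<name>.
    public static string ExtensionPropertyName(string clientId, string name)
    {
        return "extension_" + clientId.Replace("-", "") + "_" + name;
    }

    // Writes the value onto one user object; needs the same write permission as registration.
    public async Task SetDateOfBirthAsync(string userObjectId, string clientId, DateTime dateOfBirth)
    {
        string prop = ExtensionPropertyName(clientId, "dateOfBirth");
        string body = "{\"" + prop + "\":\"" + dateOfBirth.ToString("yyyy-MM-dd") + "\"}";
        var request = new HttpRequestMessage(new HttpMethod("PATCH"), _tenant + "/users/" + userObjectId + "?" + ApiVersion)
        {
            Content = new StringContent(body, Encoding.UTF8, "application/json")
        };
        HttpResponseMessage resp = await _http.SendAsync(request);
        resp.EnsureSuccessStatusCode();
    }

    // Reads the user object back; any caller permitted to read the User entity sees the
    // extension value too, which is the access-control limitation the answer points out.
    public async Task<string> GetUserJsonAsync(string userObjectId)
    {
        HttpResponseMessage resp = await _http.GetAsync(_tenant + "/users/" + userObjectId + "?" + ApiVersion);
        resp.EnsureSuccessStatusCode();
        return await resp.Content.ReadAsStringAsync();
    }
}
```

Two consequences follow directly from the answer: the questioner's app, which only has read access, would need the write permission and tenant consent before `RegisterDateOfBirthAsync` or `SetDateOfBirthAsync` could succeed, and because reading the User entity exposes every extension property, a value like a date of birth is better kept in the app's own store (Option 1) unless it is acceptable for any directory reader to see it.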