如何使用 Azure AD 生成具有角色定义的令牌

How to use Azure AD to generate tokens with role definition(如何使用 Azure AD 生成具有角色定义的令牌)
本文介绍了如何使用 Azure AD 生成具有角色定义的令牌的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

问题描述

我有这样的场景:我有一个应用服务,我将其授权设置为允许匿名请求,身份验证提供程序设置为 Active Directory,设置了 Azure AD 应用程序.

在这个 AD 应用程序中,我在它的清单中加入了一些像这样的角色:

"appRoles": [{允许的成员类型":[用户"],"displayName": "审批人","id": "8f29f99b-5c77-4fba-a310-4a5c0574e8ff",已启用":真,"description": "审批人可以将文档标记为已批准",价值":批准人"},

发布到 URL

  • 设置登录网址和应用 ID 网址.

  • 在配置选项卡上向下滚动到名为对其他应用程序的权限"的部分.在这里,通过首先选择客户端应用程序为其请求应用程序角色的 API,然后在应用程序权限下拉列表中选择所需的应用程序角色来添加新权限.在我的 API 应用程序(名称是 testRole)中,我设置了如下角色:

  • 然后选择应用角色:

    1. 然后我们可以获取令牌,让我的网络应用程序使用客户端凭据流访问testRole"API:

      发布

    您可以从

    1. 然后选择您想要的应用程序权限:

    I have this scenario: I have an App Service, I set its authorization as Allow Anonymous Request and the Authentication Provider as Active Directory setting an Azure AD App.

    In this AD App I put in its manifest some roles like this one:

    "appRoles": [
        {
          "allowedMemberTypes": [
            "User"
          ],
          "displayName": "Approver",
          "id": "8f29f99b-5c77-4fba-a310-4a5c0574e8ff",
          "isEnabled": true,
          "description": "Approvers can mark documents as approved",
          "value": "approver"
        },
    

    Posting to the URL https://login.windows.net//oauth2/token with my AD App ID I receive a token and what I expected to was to find the role in this token. It doesn't work like this and I couldn't find out the reason.

    What I want is to generate the token using Azure and in my API, to set an [Authorize(Role="approver")] to filter controllers accessed by different clients using the same tenant.

    解决方案

    If your scenario is about assigning application role the user/group . Once a user is assigned to an application role (either through a direct assignment or via an assignment to a group that the user is member of), Azure AD includes the roles claim in the token when the user signs in to the application. The application can then authorize the user using constructs like IsInRole("reader") or the [Authorize (Roles="reader")] of .net. You should make :

    "allowedMemberTypes": [
        "User"
      ],
    

    Then you don't need to use client credential flow . And here is an article about how to config that , also refer to code sample here .

    If your scenario is about allowing web applications and web APIs that act as clients and access other resource APIs, to request for application roles of resource API to be assigned to them(using client credential flow). The role gets assigned to the client app when it is installed by the Azure AD customers. You could refer to below steps to achieve that :

    1. create a new ad application in classic azure ad portal :
    2. Set the sign-on url and app id url .

    3. On the configure tab scroll down to the section called ‘permissions to other application’. Here, add a new permission by first selecting the API for which the client application is requesting an application role, and then selecting the desired application role in the Application Permissions drop down. In my API app(name is testRole) , i have set the roles like :

    Then select application role :

    1. Then we could acquire the token to let my web app access the "testRole" API using client credential flow :

      Post https://login.microsoftonline.com/YourTenant/oauth2/token

      Content-Type: application/x-www-form-urlencoded

      resource=http%3A%2F%2Ftestbasic1.onmicrosoft.com%2Ftestrole&client_id=&client_secret=&grant_type=client_credentials

    2. Then the access token will include the app role :

    You could read more about Roles based access control in cloud applications using Azure AD from here

    EDIT

    To set permission to other application in new portal: 1. click azure ad icon in left panel , select the web app , click the Required permissions , click Add, Select an API , then search the API you want to access :

    1. Then select the application permissions you want :

    这篇关于如何使用 Azure AD 生成具有角色定义的令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

    本站部分内容来源互联网,如果有图片或者内容侵犯您的权益请联系我们删除!

    相关文档推荐

    What#39;s the difference between retrieving WindowsPrincipal from WindowsIdentity and Thread.CurrentPrincipal?(从 WindowsIdentity 和 Thread.CurrentPrincipal 检索 WindowsPrincipal 之间有什么区别?)
    How do I find a user#39;s Active Directory display name in a C# web application?(如何在 C# Web 应用程序中查找用户的 Active Directory 显示名称?)
    How to use Servicestack Authentication with Active Directory/Windows Authentication?(如何在 Active Directory/Windows 身份验证中使用 Servicestack 身份验证?)
    How can I authenticate against Active Directory in Nancy?(如何在 Nancy 中对 Active Directory 进行身份验证?)
    How to get a username in Active Directory from a display name in C#?(如何从 C# 中的显示名称获取 Active Directory 中的用户名?)
    Oauth 2 token for Active Directory accounts(Active Directory 帐户的 Oauth 2 令牌)