Azure AD B2C - 角色管理
Azure AD B2C - Role management
我有一个 Asp.NET MVC 应用程序与 Azure AD B2C 连接。
我在管理员设置中创建了一个管理员组:
在我的代码中,我想使用 [Authorize(Roles = "Administrator")]
使用常规的 Azure Active Directory 很容易添加(只需 3 行代码)。但是对于 Azure AD B2C,我无法在网上找到任何可用的教程或示例。也许你可以告诉我我需要修改什么。
这是我的 Startup.Auth.cs
的 ConfigureAuth 方法
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// Generate the metadata address using the tenant and policy information
MetadataAddress = String.Format(AadInstance, Tenant, DefaultPolicy),
// These are standard OpenID Connect parameters, with values pulled from web.config
ClientId = ClientId,
RedirectUri = RedirectUri,
PostLogoutRedirectUri = RedirectUri,
// Specify the callbacks for each type of notifications
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = OnRedirectToIdentityProvider,
AuthorizationCodeReceived = OnAuthorizationCodeReceived,
AuthenticationFailed = OnAuthenticationFailed,
},
// Specify the claims to validate
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name"
},
// Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
Scope = $"openid profile offline_access {ReadTasksScope} {WriteTasksScope}"
}
);
}
Azure AD B2C 尚未在它发送给应用程序的令牌中包含组声明 因此您不能采用与 Azure AD 概述的相同方法(它确实在令牌中包含组声明)。
您可以通过在 Azure AD B2C 反馈论坛中投票来支持此功能:Get user membership groups in the claims with Azure AD B2C
也就是说,您可以在此应用程序中做一些额外的工作,让它手动检索组声明的这些声明并将它们注入令牌。
首先,注册一个单独的应用程序,它将调用 Microsoft Graph 来检索组声明。
- 前往 https://apps.dev.microsoft.com
- 创建具有 应用程序权限 的应用程序:Directory.Read.All.
- 通过单击生成新密码添加应用程序密码
- 添加平台和 select 网站并为其提供任何重定向 URI,(例如
https://yourtenant.onmicrosoft.com/groups)
- 同意此申请,导航至:
https://login.microsoftonline.com/YOUR_TENANT.onmicrosoft.com/adminconsent?client_id=YOUR_CLIENT_ID&state=12345&redirect_uri=YOUR_REDIRECT_URI
然后,您需要在 OnAuthorizationCodeReceived 处理程序、right after redeeming the code:
中添加以下代码
var authority = $"https://login.microsoftonline.com/{Tenant}";
var graphCca = new ConfidentialClientApplication(GraphClientId, authority, GraphRedirectUri, new ClientCredential(GraphClientSecret), userTokenCache, null);
string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
try
{
AuthenticationResult authenticationResult = await graphCca.AcquireTokenForClientAsync(scopes);
string token = authenticationResult.AccessToken;
using (var client = new HttpClient())
{
string requestUrl = $"https://graph.microsoft.com/v1.0/users/{signedInUserID}/memberOf?$select=displayName";
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
HttpResponseMessage response = await client.SendAsync(request);
var responseString = await response.Content.ReadAsStringAsync();
var json = JObject.Parse(responseString);
foreach (var group in json["value"])
notification.AuthenticationTicket.Identity.AddClaim(new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.Role, group["displayName"].ToString(), System.Security.Claims.ClaimValueTypes.String, "Graph"));
//TODO: Handle paging.
// https://developer.microsoft.com/en-us/graph/docs/concepts/paging
// If the user is a member of more than 100 groups,
// you'll need to retrieve the next page of results.
}
} catch (Exception ex)
{
//TODO: Handle
throw;
}
我有一个 Asp.NET MVC 应用程序与 Azure AD B2C 连接。
我在管理员设置中创建了一个管理员组:
在我的代码中,我想使用 [Authorize(Roles = "Administrator")]
使用常规的 Azure Active Directory 很容易添加(只需 3 行代码)。但是对于 Azure AD B2C,我无法在网上找到任何可用的教程或示例。也许你可以告诉我我需要修改什么。
这是我的 Startup.Auth.cs
的 ConfigureAuth 方法public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// Generate the metadata address using the tenant and policy information
MetadataAddress = String.Format(AadInstance, Tenant, DefaultPolicy),
// These are standard OpenID Connect parameters, with values pulled from web.config
ClientId = ClientId,
RedirectUri = RedirectUri,
PostLogoutRedirectUri = RedirectUri,
// Specify the callbacks for each type of notifications
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = OnRedirectToIdentityProvider,
AuthorizationCodeReceived = OnAuthorizationCodeReceived,
AuthenticationFailed = OnAuthenticationFailed,
},
// Specify the claims to validate
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name"
},
// Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
Scope = $"openid profile offline_access {ReadTasksScope} {WriteTasksScope}"
}
);
}
Azure AD B2C 尚未在它发送给应用程序的令牌中包含组声明 因此您不能采用与 Azure AD 概述的相同方法(它确实在令牌中包含组声明)。
您可以通过在 Azure AD B2C 反馈论坛中投票来支持此功能:Get user membership groups in the claims with Azure AD B2C
也就是说,您可以在此应用程序中做一些额外的工作,让它手动检索组声明的这些声明并将它们注入令牌。
首先,注册一个单独的应用程序,它将调用 Microsoft Graph 来检索组声明。
- 前往 https://apps.dev.microsoft.com
- 创建具有 应用程序权限 的应用程序:Directory.Read.All.
- 通过单击生成新密码添加应用程序密码
- 添加平台和 select 网站并为其提供任何重定向 URI,(例如
https://yourtenant.onmicrosoft.com/groups) - 同意此申请,导航至:
https://login.microsoftonline.com/YOUR_TENANT.onmicrosoft.com/adminconsent?client_id=YOUR_CLIENT_ID&state=12345&redirect_uri=YOUR_REDIRECT_URI
然后,您需要在 OnAuthorizationCodeReceived 处理程序、right after redeeming the code:
var authority = $"https://login.microsoftonline.com/{Tenant}";
var graphCca = new ConfidentialClientApplication(GraphClientId, authority, GraphRedirectUri, new ClientCredential(GraphClientSecret), userTokenCache, null);
string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
try
{
AuthenticationResult authenticationResult = await graphCca.AcquireTokenForClientAsync(scopes);
string token = authenticationResult.AccessToken;
using (var client = new HttpClient())
{
string requestUrl = $"https://graph.microsoft.com/v1.0/users/{signedInUserID}/memberOf?$select=displayName";
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
HttpResponseMessage response = await client.SendAsync(request);
var responseString = await response.Content.ReadAsStringAsync();
var json = JObject.Parse(responseString);
foreach (var group in json["value"])
notification.AuthenticationTicket.Identity.AddClaim(new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.Role, group["displayName"].ToString(), System.Security.Claims.ClaimValueTypes.String, "Graph"));
//TODO: Handle paging.
// https://developer.microsoft.com/en-us/graph/docs/concepts/paging
// If the user is a member of more than 100 groups,
// you'll need to retrieve the next page of results.
}
} catch (Exception ex)
{
//TODO: Handle
throw;
}