Implementing Active Directory groups in Asp.Net CORE 3.x

Problem description

Asp.net CORE 3.x: authentication against Azure Active Directory works fine. Now I want to enforce authorization for a specific AD group on all routes. How do I implement this authorization, step by step, with ASP.NET Core?

using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

namespace WebApp
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            // Azure AD (OpenID Connect) is the default authenticate and challenge scheme.
            services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = AzureADDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = AzureADDefaults.AuthenticationScheme;
            }).AddAzureAD(options => Configuration.Bind("AzureAD", options));

            // Fallback policy: every endpoint without its own policy requires a signed-in user.
            services.AddAuthorization(options =>
            {
                options.FallbackPolicy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
            });

            services.AddControllers();
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseRouting();
            app.UseHttpsRedirection();
            app.UseCookiePolicy();
            // Authentication must run before authorization in the pipeline.
            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapDefaultControllerRoute().RequireAuthorization();
                //endpoints.MapControllers();
            });
        }
    }
}

Thanks for your help! :)

Tags: azure, asp.net-core, azure-active-directory, azure-web-app-service

Solution


You can use groups claims in Azure AD. Configure your application in the Azure portal to receive group claims by editing the manifest:

{
  ...
  "errorUrl": null,
  "groupMembershipClaims": "SecurityGroup",
  ...
}

The ID token issued by Azure AD will then contain the list of the current user's group IDs in the groups claim, and in the asp.net core app you can restrict access like this:

services.AddControllersWithViews(options =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser().RequireClaim("groups", "YourGroupID")
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    });

Note: from the documentation

If the user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), the Microsoft identity platform does not emit the groups claim in the token. Instead, it includes an overage claim in the token indicating that the application should query the Graph API to retrieve the user's group membership.
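The following is an added example, not code from the question or the answer above. It turns the groups-claim check into a reusable authorization requirement, compares the group's object ID (not its display name), and fails closed when the token carries the overage indicator described in the note instead of the groups list. The policy name "FinanceOnly", the `FinanceGroupId` constant, and the `AddGroupPolicies` helper are placeholders of this example; the overage claim names (`hasgroups`, `_claim_names`) are the ones Azure AD documents for its tokens.

```csharp
// Added example (not from the original question or answer): group-based authorization
// on the Azure AD "groups" claim, with fail-closed handling of the overage case.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// The requirement carries the Azure AD group object ID that must appear in "groups".
public class GroupMembershipRequirement : IAuthorizationRequirement
{
    public string GroupId { get; }
    public GroupMembershipRequirement(string groupId) => GroupId = groupId;
}

public class GroupMembershipHandler : AuthorizationHandler<GroupMembershipRequirement>
{
    private readonly ILogger<GroupMembershipHandler> _logger;
    public GroupMembershipHandler(ILogger<GroupMembershipHandler> logger) => _logger = logger;

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, GroupMembershipRequirement requirement)
    {
        var user = context.User;

        // Overage: when the user is in more groups than the limit, Azure AD omits "groups"
        // and emits "hasgroups" (v2 implicit flow) or "_claim_names"/"_claim_sources" (v1)
        // instead. Without the list we cannot prove membership, so deny rather than assume;
        // the real fix is to resolve the user's groups through Microsoft Graph.
        bool overage = user.HasClaim(c => c.Type == "hasgroups")
                       || user.HasClaim(c => c.Type == "_claim_names" && c.Value.Contains("groups"));
        if (overage)
        {
            _logger.LogWarning(
                "Group overage for user {User}; denying until groups are resolved via Graph",
                user.FindFirst("preferred_username")?.Value ?? "(unknown)");
            context.Fail();
            return Task.CompletedTask;
        }

        // Compare object IDs, never display names: IDs are stable and cannot be spoofed by renaming.
        bool member = user.FindAll("groups")
            .Any(c => string.Equals(c.Value, requirement.GroupId, StringComparison.OrdinalIgnoreCase));
        if (member)
        {
            context.Succeed(requirement);
        }
        // Not calling Fail() here lets other handlers for the same requirement still succeed.
        return Task.CompletedTask;
    }
}

public static class GroupAuthorizationSetup
{
    // Placeholder group object ID for this example; in practice read it from configuration.
    public const string FinanceGroupId = "00000000-0000-0000-0000-000000000000";

    // Call from Startup.ConfigureServices (hypothetical helper, not part of ASP.NET Core).
    public static void AddGroupPolicies(IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, GroupMembershipHandler>();
        services.AddAuthorization(options =>
        {
            // Named policy, usable as [Authorize(Policy = "FinanceOnly")] on a controller
            // or as endpoints.MapControllers().RequireAuthorization("FinanceOnly").
            options.AddPolicy("FinanceOnly", policy =>
                policy.RequireAuthenticatedUser()
                      .AddRequirements(new GroupMembershipRequirement(FinanceGroupId)));

            // Fallback keeps every route authenticated even when it has no attribute.
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
        });
    }
}
```

Compared with the global `AuthorizeFilter` in the answer, a named policy lets you keep the fallback "authenticated user" rule for all routes and apply the group rule only where it is needed, and the handler makes the overage case an explicit denial instead of a silent pass-through of a token that simply has no groups claim.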

