如何使用 Azure AD 生成具有角色定义的令牌

时间:2023-01-01
本文介绍了如何使用 Azure AD 生成具有角色定义的令牌的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

问题描述

我有这样的场景:我有一个应用服务,我将其授权设置为允许匿名请求,身份验证提供程序设置为 Active Directory,设置了 Azure AD 应用程序.

在这个 AD 应用程序中,我在它的清单中加入了一些像这样的角色:

"appRoles": [{允许的成员类型":[用户"],"displayName": "审批人","id": "8f29f99b-5c77-4fba-a310-4a5c0574e8ff",已启用":真,"description": "审批人可以将文档标记为已批准",价值":批准人"},

发布到 URL

  • 设置登录网址和应用 ID 网址.

  • 在配置选项卡上向下滚动到名为对其他应用程序的权限"的部分.在这里,通过首先选择客户端应用程序为其请求应用程序角色的 API,然后在应用程序权限下拉列表中选择所需的应用程序角色来添加新权限.在我的 API 应用程序(名称是 testRole)中,我设置了如下角色:

  • 然后选择应用角色:

    1. 然后我们可以获取令牌,让我的网络应用程序使用客户端凭据流访问testRole"API:

      发布

    您可以从

    1. 然后选择您想要的应用程序权限:

    I have this scenario: I have an App Service, I set its authorization as Allow Anonymous Request and the Authentication Provider as Active Directory setting an Azure AD App.

    In this AD App I put in its manifest some roles like this one:

    "appRoles": [
        {
          "allowedMemberTypes": [
            "User"
          ],
          "displayName": "Approver",
          "id": "8f29f99b-5c77-4fba-a310-4a5c0574e8ff",
          "isEnabled": true,
          "description": "Approvers can mark documents as approved",
          "value": "approver"
        },
    

    Posting to the URL https://login.windows.net//oauth2/token with my AD App ID I receive a token and what I expected to was to find the role in this token. It doesn't work like this and I couldn't find out the reason.

    What I want is to generate the token using Azure and in my API, to set an [Authorize(Role="approver")] to filter controllers accessed by different clients using the same tenant.

    解决方案

    If your scenario is about assigning application role the user/group . Once a user is assigned to an application role (either through a direct assignment or via an assignment to a group that the user is member of), Azure AD includes the roles claim in the token when the user signs in to the application. The application can then authorize the user using constructs like IsInRole("reader") or the [Authorize (Roles="reader")] of .net. You should make :

    "allowedMemberTypes": [
        "User"
      ],
    

    Then you don't need to use client credential flow . And here is an article about how to config that , also refer to code sample here .

    If your scenario is about allowing web applications and web APIs that act as clients and access other resource APIs, to request for application roles of resource API to be assigned to them(using client credential flow). The role gets assigned to the client app when it is installed by the Azure AD customers. You could refer to below steps to achieve that :

    1. create a new ad application in classic azure ad portal :
    2. Set the sign-on url and app id url .

    3. On the configure tab scroll down to the section called ‘permissions to other application’. Here, add a new permission by first selecting the API for which the client application is requesting an application role, and then selecting the desired application role in the Application Permissions drop down. In my API app(name is testRole) , i have set the roles like :

    Then select application role :

    1. Then we could acquire the token to let my web app access the "testRole" API using client credential flow :

      Post https://login.microsoftonline.com/YourTenant/oauth2/token

      Content-Type: application/x-www-form-urlencoded

      resource=http%3A%2F%2Ftestbasic1.onmicrosoft.com%2Ftestrole&client_id=&client_secret=&grant_type=client_credentials

    2. Then the access token will include the app role :

    You could read more about Roles based access control in cloud applications using Azure AD from here

    EDIT

    To set permission to other application in new portal: 1. click azure ad icon in left panel , select the web app , click the Required permissions , click Add, Select an API , then search the API you want to access :

    1. Then select the application permissions you want :

    这篇关于如何使用 Azure AD 生成具有角色定义的令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

    上一篇:Microsoft Exchange:如何解析可分辨名称 下一篇:Active Directory 和 PrincipalPermission

    相关文章

    最新文章