分享程序员开发的那些事...
更新时间:2023-02-07 18:04:35
我想了解如何定义自定义用户属性和
角色 Azure AD在身份验证后与我们的
应用程序共享属性和角色。这是我们的Web
应用程序需要提供访问控制(基于用户ID和角色)
而不在本地定义角色的原因。
I would like to understand how to define custom user attributes and roles for "Azure AD" to share the attributes and roles with our application upon authentication. This is required for our web application to provide Access Control ( based on user id and role) without defining roles locally.
您需要使用Azure AD查看与应用程序角色相关的功能,以实现自定义RBAC。它最有可能为您提供所需的内容。
You need to look at the Application Roles related functionality with Azure AD to implement your custom RBAC. It should most probably provide you what you're looking for.
我注意到,有些情况下人们选择根据用户所属的组来执行一些授权逻辑。这仅仅是信息,而不是您需要做的事情。
On a side note, I've seen cases where people chose to do some authorization logic based on which groups the users belonged to. This is just information and not something you need to do.
在此答案中,我将共享与角色和组相关的示例,但是绝对要先查看应用程序角色,一旦您清楚地理解它们,就可以决定使用适用于您的授权策略的应用程序角色,组或角色和组的组合(非常可能)。
I'm sharing samples related to both, Roles and Groups in this answer, but definitely look at Application Roles first and once you understand them clearly, you can decide to use Application Roles, Groups or a combination of both Roles and Groups (very possible) for your Authorization strategy.
Microsoft文档-应用程序角色
目的-这些角色是在组织机构正在开发的应用程序的应用程序清单中定义的,即在您的Azure Active Directory中注册。这些角色非常适合您的应用程序,可以在应用程序的代码中使用,以为经过身份验证的用户实现授权逻辑。
Purpose - These roles are defined in the Application Manifest for an application that your organization is developing and that is registered in your Azure Active Directory. These roles are very specific to your application and can be used in application's code to implement Authorization logic for the authenticated users.
示例应用程序(使用此概念并执行您想要的操作)-
Sample Application (that uses this concept and does what you're looking for) -
使用Azure AD应用程序角色&在Web应用程序中进行授权角色声明
快速说明
1)注册后使用Azure AD的应用程序,可以通过在Azure AD中编辑应用程序清单(JSON)来定义自定义角色(特定于您的应用程序)。
以下是示例应用程序角色定义的JSON示例:
1) Once you register your application with Azure AD, you can define custom roles (specific to your application) by editing the application manifest (JSON) in Azure AD.
Here's a sample JSON of what application role definition would look like:
"appRoles":
[
{
"allowedMemberTypes": [
"User"
],
"description": "Creators can create Surveys",
"displayName": "SurveyCreator",
"id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
"isEnabled": true,
"value": "SurveyCreator"
},
{
"allowedMemberTypes": [
"User"
],
"description": "Administrators can manage the Surveys in their tenant",
"displayName": "SurveyAdmin",
"id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
"isEnabled": true,
"value": "SurveyAdmin"
}
]
2)您将能够通过Azure门户将这些角色分配给用户/组/应用程序,或者以编程方式。 (您可以控制角色的允许成员类型)
2) You will be able to assign these roles to Users/Groups/applications through Azure Portal or programmatically. (you could control the allowed member types for roles)
3)现在,当最终用户登录到您的应用程序时,传入的Azure AD令牌将为您提供角色声明(基于分配给用户的角色),您可以在应用程序中做出授权决定。
3) Now when the end users sign in to your application, the incoming Azure AD token will provide you a collection of role claims (based on whatever roles are assigned to the user) and you can take authorization decisions in your application.
if (context.User.HasClaim(ClaimTypes.Role, "Admin")) { ... }
组可以有多个用户或其他组作为成员。再次可以通过Azure门户或通过编程来管理组。
Groups can have multiple users or other groups as members. Again management of groups is possible through Azure Portal or programmatically.
注意:组完全独立于您的应用程序,即Azure AD组可以并且确实存在用于将成员分组的目的,即使没有您的应用程序也是如此。另一方面,应用程序角色是特定于您的应用程序的,除了您的应用程序之外,它们对任何人都没有多大意义。
NOTE: Groups are totally independent of your application, i.e. Azure AD groups can and do exist to serve a purpose of grouping members even without your application. Application Roles on the other hand are very specific to your application, they don't mean much to anyone except your application.
示例应用程序根据群组