Azure AD B2C – Role management

I have an ASP.NET MVC application connected to Azure AD B2C.

In the admin settings, I created an Administrator group:


In my code I want to use [Authorize(Roles = "Administrator")]

With regular Azure Active Directory this is easy to add (just 3 lines of code). But for Azure AD B2C I cannot find any useful tutorial or example on the web. Maybe you can tell me what I need to change.

Here is the ConfigureAuth method of my Startup.Auth.cs:

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                // Generate the metadata address using the tenant and policy information
                MetadataAddress = String.Format(AadInstance, Tenant, DefaultPolicy),

                // These are standard OpenID Connect parameters, with values pulled from web.config
                ClientId = ClientId,
                RedirectUri = RedirectUri,
                PostLogoutRedirectUri = RedirectUri,

                // Specify the callbacks for each type of notifications
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    RedirectToIdentityProvider = OnRedirectToIdentityProvider,
                    AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                    AuthenticationFailed = OnAuthenticationFailed,
                },

                // Specify the claims to validate
                TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "name"
                },

                // Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
                Scope = $"openid profile offline_access {ReadTasksScope} {WriteTasksScope}"
            }
        );
    }

Azure AD B2C does not yet include group claims in the tokens it sends to applications, so you cannot follow the same approach as outlined for Azure AD (which does include group claims in the token).

You can support this feature by voting for it on the Azure AD B2C feedback forum: Get user membership groups in the claims with Azure AD B2C

That being said, you can do some additional work in this application to have it manually retrieve these group claims and inject them into the token.

First, register a separate application that will call Microsoft Graph to retrieve the group claims:

  1. Go to https://apps.dev.microsoft.com
  2. Create an application with the application permission Directory.Read.All
  3. Add an application key by clicking "Generate New Password"
  4. Add a platform, choose Web, and give it any redirect URI (for example https://yourtenant.onmicrosoft.com/groups)
  5. Consent to this application by navigating to https://login.microsoftonline.com/YOUR_TENANT.onmicrosoft.com/adminconsent?client_id=YOUR_CLIENT_ID&state=12345&redirect_uri=YOUR_REDIRECT_URI

Then you need to add the following code to the OnAuthorizationCodeReceived handler, right after redeeming the code:

    // Runs inside OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification).
    // GraphClientId, GraphClientSecret and GraphRedirectUri come from the app registered above;
    // signedInUserID is the object id ("oid") of the user who just signed in;
    // userTokenCache is the token cache used elsewhere in the handler.
    var authority = $"https://login.microsoftonline.com/{Tenant}";
    var graphCca = new ConfidentialClientApplication(GraphClientId, authority, GraphRedirectUri,
        new ClientCredential(GraphClientSecret), userTokenCache, null);
    string[] scopes = new string[] { "https://graph.microsoft.com/.default" };

    try
    {
        // Client-credentials flow: the Graph app, not the user, is the caller
        AuthenticationResult authenticationResult = await graphCca.AcquireTokenForClientAsync(scopes);
        string token = authenticationResult.AccessToken;

        using (var client = new HttpClient())
        {
            string requestUrl = $"https://graph.microsoft.com/v1.0/users/{signedInUserID}/memberOf?$select=displayName";
            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
            HttpResponseMessage response = await client.SendAsync(request);
            var responseString = await response.Content.ReadAsStringAsync();
            var json = JObject.Parse(responseString);

            // Turn each group's display name into a role claim on the signed-in identity
            foreach (var group in json["value"])
                notification.AuthenticationTicket.Identity.AddClaim(
                    new System.Security.Claims.Claim(
                        System.Security.Claims.ClaimTypes.Role,
                        group["displayName"].ToString(),
                        System.Security.Claims.ClaimValueTypes.String,
                        "Graph"));

            //TODO: Handle paging.
            // https://developer.microsoft.com/en-us/graph/docs/concepts/paging
            // If the user is a member of more than 100 groups,
            // you'll need to retrieve the next page of results.
        }
    }
    catch (Exception ex)
    {
        //TODO: Handle
        throw;
    }
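As an added example (not code from the answer above or from any Microsoft sample), here is a complete `OnAuthorizationCodeReceived` handler that goes beyond the snippet in two ways a reviewer would ask for: it follows `@odata.nextLink` so users in more than one page of groups still get all their roles, and it keys roles on the group's object id rather than its display name, because display names are not unique in a directory and a second group with the same name would otherwise grant the same role. It assumes the MSAL 1.x API used in the answer, the OWIN OpenID Connect middleware from the question, and hypothetical settings (`Tenant`, `GraphClientId`, `GraphClientSecret`, `GraphRedirectUri`, `GroupIdToRole`) that you would populate from web.config; the claim type used to read the user's object id is also an assumption about how the token handler maps the `oid` claim.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Owin.Security.Notifications;
using Newtonsoft.Json.Linq;

public partial class Startup
{
    // Hypothetical settings; in practice read these from web.config.
    private static readonly string Tenant = "yourtenant.onmicrosoft.com";
    private static readonly string GraphClientId = "<graph-app-client-id>";
    private static readonly string GraphClientSecret = "<graph-app-secret>";
    private static readonly string GraphRedirectUri = "https://yourtenant.onmicrosoft.com/groups";

    // Map group object ids (stable and unique) to the role names the app authorizes on.
    // Display names are deliberately not the key: they can collide or be renamed.
    private static readonly IReadOnlyDictionary<string, string> GroupIdToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["<administrator-group-object-id>"] = "Administrator",
        };

    // One HttpClient for the app's lifetime avoids socket exhaustion under load.
    private static readonly HttpClient Http = new HttpClient();

    private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
    {
        // ... redeem the authorization code here, as the existing handler already does ...

        var identity = notification.AuthenticationTicket.Identity;

        // Assumption: the token handler surfaces the B2C "oid" claim under this claim type.
        string signedInUserId = identity.FindFirst(
            "http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
        if (string.IsNullOrEmpty(signedInUserId))
            throw new InvalidOperationException("Signed-in user's object id claim is missing.");

        foreach (var role in await GetRolesForUserAsync(signedInUserId))
            identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "Graph"));
    }

    // Returns the app-level role names for a user, derived from group membership in Graph.
    private static async Task<IReadOnlyList<string>> GetRolesForUserAsync(string userObjectId)
    {
        var authority = $"https://login.microsoftonline.com/{Tenant}";
        var graphCca = new ConfidentialClientApplication(
            GraphClientId, authority, GraphRedirectUri,
            new ClientCredential(GraphClientSecret), null, null);

        // Client-credentials flow with the Directory.Read.All permission granted above.
        AuthenticationResult result = await graphCca.AcquireTokenForClientAsync(
            new[] { "https://graph.microsoft.com/.default" });

        var roles = new List<string>();
        string url = "https://graph.microsoft.com/v1.0/users/"
                     + Uri.EscapeDataString(userObjectId) + "/memberOf?$select=id,displayName";

        // Walk every page; Graph returns at most a page of results per call.
        while (url != null)
        {
            var request = new HttpRequestMessage(HttpMethod.Get, url);
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);

            using (HttpResponseMessage response = await Http.SendAsync(request))
            {
                // Fail closed: a Graph error must not silently yield an identity with no roles
                // that later gets retried into one with roles, or vice versa.
                response.EnsureSuccessStatusCode();
                var json = JObject.Parse(await response.Content.ReadAsStringAsync());

                foreach (var obj in json["value"])
                {
                    // memberOf also returns directory roles; only groups are mapped here.
                    if ((string)obj["@odata.type"] != "#microsoft.graph.group")
                        continue;
                    if (GroupIdToRole.TryGetValue((string)obj["id"], out var role))
                        roles.Add(role);
                }

                url = (string)json["@odata.nextLink"]; // null on the last page
            }
        }

        return roles.Distinct().ToList();
    }
}
```

Because the handler throws on any Graph failure, a transient outage surfaces as a failed sign-in rather than a signed-in user without roles; if you prefer to let such users in with no roles, catch the exception in the handler and log it, but do not swallow it silently. The mapping dictionary is also where you would audit which directory groups are allowed to confer which application roles.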