問(wèn)題描述
我正在尋找 ASP.NET MVC 應(yīng)用程序的幫助.它對(duì)單租戶(hù) Azure Active Directory 用戶(hù)進(jìn)行身份驗(yàn)證,并可以使用 Active Directory 安全組授權(quán)用戶(hù).即,如果用戶(hù)是該安全組的一部分,則只允許訪問(wèn)網(wǎng)站,否則訪問(wèn)被拒絕.
Visual Studio 本身可以使用向?qū)瓿?Active Directory 身份驗(yàn)證,但不確定如何通過(guò) AAD 安全組執(zhí)行授權(quán).
附:我是 ASP.NET 安全新手
當(dāng)用戶(hù)登錄應(yīng)用程序時(shí),來(lái)自 Azure AD 的傳入令牌將包含 組聲明,一旦你適當(dāng)?shù)匦薷牧藨?yīng)用程序的清單 (有關(guān)步驟,請(qǐng)參閱下面的示例應(yīng)用程序鏈接).然后,您的應(yīng)用程序代碼可以讀取這些聲明并根據(jù)它們做出授權(quán)決策.
這是一個(gè)基于組聲明進(jìn)行授權(quán)的示例應(yīng)用程序 -
實(shí)施授權(quán)邏輯時(shí)要考慮的其他信息
您已經(jīng)特別詢(xún)問(wèn)了有關(guān)組的問(wèn)題,但您還應(yīng)該考慮使用應(yīng)用程序角色,它可以幫助您實(shí)現(xiàn)基于角色的授權(quán)邏輯.查看 Microsoft 文檔鏈接
I am looking help for ASP.NET MVC application. Which authenticate single tenant azure active directory users and can authorize users using active directory security group. i.e. if user is part of that security group then only allow access to website otherwise access denied.
Active directory authentication can be done by visual studio itself using wizard but not sure how to perform authorization through AAD security group.
P.S. I am new to ASP.NET security
解決方案When a user signs into the application, incoming token from Azure AD will contain group claims, once you modify the application's manifest appropriately (see the sample application link below for steps). Your application code can then read these claims and make authorization decisions based on them.
Here is a sample application that does authorization based on group claims -
Authorization in a web app using Azure AD groups & group claims
Group claims
ADDITIONAL INFORMATION TO CONSIDER WHEN IMPLEMENTING AUTHORIZATION LOGIC
You have specifically asked about Groups, but you should also consider using Application Roles, which can help you implement a Role based authorization logic. Look at Microsoft documentation link Application Roles. Here is a link to another similar question where I have provided a little more detailed information on both Application Roles and Groups and links to sample code for both. Azure Active Directory Integration with Custom RBAC
Once you understand the usage/purpose of application roles and groups, it's completely possible for you to decide that you want to base your authorization logic on a combination of Roles and Groups information for the signed in user instead of just one.
In case when a user is part of many groups (6 or more AFAIK), Azure AD token doesn't send across the "groups" directly as part of token, instead it sends an overage indicator and then you can query the groups in a separate call. Take a look at the token related documentation here - Claims in id_tokens
這篇關(guān)于asp.net mvc 和 azure 基于活動(dòng)目錄安全組的授權(quán)的文章就介紹到這了,希望我們推薦的答案對(duì)大家有所幫助,也希望大家多多支持html5模板網(wǎng)!
【網(wǎng)站聲明】本站部分內(nèi)容來(lái)源于互聯(lián)網(wǎng),旨在幫助大家更快的解決問(wèn)題,如果有圖片或者內(nèi)容侵犯了您的權(quán)益,請(qǐng)聯(lián)系我們刪除處理,感謝您的支持!