問題描述

我正在尋找 ASP.NET MVC 應(yīng)用程序的幫助.它對單租戶 Azure Active Directory 用戶進(jìn)行身份驗(yàn)證，并可以使用 Active Directory 安全組授權(quán)用戶.即，如果用戶是該安全組的一部分，則只允許訪問網(wǎng)站，否則訪問被拒絕.

Visual Studio 本身可以使用向?qū)瓿?Active Directory 身份驗(yàn)證，但不確定如何通過 AAD 安全組執(zhí)行授權(quán).

附:我是 ASP.NET 安全新手

當(dāng)用戶登錄應(yīng)用程序時，來自 Azure AD 的傳入令牌將包含 組聲明，一旦你適當(dāng)?shù)匦薷牧藨?yīng)用程序的清單 (有關(guān)步驟，請參閱下面的示例應(yīng)用程序鏈接).然后，您的應(yīng)用程序代碼可以讀取這些聲明并根據(jù)它們做出授權(quán)決策.

這是一個基于組聲明進(jìn)行授權(quán)的示例應(yīng)用程序 -

實(shí)施授權(quán)邏輯時要考慮的其他信息

1. 您已經(jīng)特別詢問了有關(guān)組的問題，但您還應(yīng)該考慮使用應(yīng)用程序角色，它可以幫助您實(shí)現(xiàn)基于角色的授權(quán)邏輯.查看 Microsoft 文檔鏈接

   I am looking help for ASP.NET MVC application. Which authenticate single tenant azure active directory users and can authorize users using active directory security group. i.e. if user is part of that security group then only allow access to website otherwise access denied.

   Active directory authentication can be done by visual studio itself using wizard but not sure how to perform authorization through AAD security group.

   P.S. I am new to ASP.NET security

   解決方案

   When a user signs into the application, incoming token from Azure AD will contain group claims, once you modify the application's manifest appropriately (see the sample application link below for steps). Your application code can then read these claims and make authorization decisions based on them.

   Here is a sample application that does authorization based on group claims -

   Authorization in a web app using Azure AD groups & group claims

   Group claims

   ADDITIONAL INFORMATION TO CONSIDER WHEN IMPLEMENTING AUTHORIZATION LOGIC

   1. You have specifically asked about Groups, but you should also consider using Application Roles, which can help you implement a Role based authorization logic. Look at Microsoft documentation link Application Roles. Here is a link to another similar question where I have provided a little more detailed information on both Application Roles and Groups and links to sample code for both. Azure Active Directory Integration with Custom RBAC

      Once you understand the usage/purpose of application roles and groups, it's completely possible for you to decide that you want to base your authorization logic on a combination of Roles and Groups information for the signed in user instead of just one.

   2. In case when a user is part of many groups (6 or more AFAIK), Azure AD token doesn't send across the "groups" directly as part of token, instead it sends an overage indicator and then you can query the groups in a separate call. Take a look at the token related documentation here - Claims in id_tokens

   這篇關(guān)于asp.net mvc 和 azure 基于活動目錄安全組的授權(quán)的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！

   【網(wǎng)站聲明】本站部分內(nèi)容來源于互聯(lián)網(wǎng),旨在幫助大家更快的解決問題，如果有圖片或者內(nèi)容侵犯了您的權(quán)益，請聯(lián)系我們刪除處理，感謝您的支持！