Azure: implementing Active Directory groups in ASP.NET Core 3.x

Tags: azure, asp.net-core, azure-active-directory, azure-web-app-service

ASP.NET Core 3.x: Azure Active Directory authentication is working correctly. Now I want to implement authorization for a specific AD group on all routes. How can I implement this authorization? Step by step, using ASP.NET Core.
    using Microsoft.AspNetCore.Authentication.AzureAD.UI;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Builder;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;

    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            // Authenticate against Azure AD using the settings bound from the "AzureAD" config section.
            services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = AzureADDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = AzureADDefaults.AuthenticationScheme;
            }).AddAzureAD(options => Configuration.Bind("AzureAD", options));

            // Fallback policy: every endpoint without an explicit policy requires a signed-in user.
            services.AddAuthorization(options =>
            {
                options.FallbackPolicy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
            });

            services.AddControllers();
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseRouting();
            app.UseHttpsRedirection();
            app.UseCookiePolicy();
            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapDefaultControllerRoute().RequireAuthorization();
                //endpoints.MapControllers();
            });
        }
    }
Thanks for your help! :)

Answer:

You can use the groups claim in Azure AD. Configure your application in the Azure portal to receive group claims by editing the manifest:
    {
        ...
        "errorUrl": null,
        "groupMembershipClaims": "SecurityGroup",
        ...
    }
The ID token issued by Azure AD will then contain the list of the current user's group IDs in the groups claim, and in the ASP.NET Core application you can restrict access as follows:
    services.AddControllersWithViews(options =>
    {
        // Global filter: every controller requires a signed-in user who carries the given group ID.
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser().RequireClaim("groups", "YourGroupID")
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    });
Note, from:

If a user is a member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), the Microsoft identity platform does not emit the groups claim in the token. Instead, it includes an overage claim in the token indicating that the application should query the Graph API to retrieve the user's group membership.
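The following is an added example, not code from the question or the answer above, showing one way to turn the groups claim into a named authorization policy that accepts any of several groups, and to treat the overage case (no groups claim, but an overage marker present) as an explicit denial instead of a silent pass. The group object IDs, the policy name, the extension method and the AdminController are placeholders; it assumes the app manifest has been configured for group claims as the answer describes.

```csharp
// Added example (not from the original question or answer).
// Assumptions: AdminsGroupId/OpsGroupId are constructed placeholder GUIDs,
// "AdminsOrOps" and AdminController are hypothetical names.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// The requirement carries the set of group object IDs that satisfy it.
public class GroupMembershipRequirement : IAuthorizationRequirement
{
    public string[] AllowedGroupIds { get; }
    public GroupMembershipRequirement(params string[] allowedGroupIds) => AllowedGroupIds = allowedGroupIds;
}

public class GroupMembershipHandler : AuthorizationHandler<GroupMembershipRequirement>
{
    private readonly ILogger<GroupMembershipHandler> _logger;
    public GroupMembershipHandler(ILogger<GroupMembershipHandler> logger) => _logger = logger;

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   GroupMembershipRequirement requirement)
    {
        var user = context.User;

        // Azure AD emits one "groups" claim per group object ID the user belongs to.
        var groups = user.FindAll("groups")
                         .Select(c => c.Value)
                         .ToHashSet(StringComparer.OrdinalIgnoreCase);

        if (groups.Overlaps(requirement.AllowedGroupIds))
        {
            context.Succeed(requirement);
            return Task.CompletedTask;
        }

        // Overage: the groups claim is omitted and the token instead carries an
        // overage indicator ("_claim_names" naming "groups", or "hasgroups").
        // Membership is unknown at this point, so deny and log; resolving it
        // would require a call to Microsoft Graph, which is out of scope here.
        bool overage = user.HasClaim(c => c.Type == "hasgroups")
                    || user.FindAll("_claim_names").Any(c => c.Value.Contains("groups"));
        if (overage)
        {
            _logger.LogWarning(
                "Groups claim omitted (overage) for user {User}; denying until membership is resolved.",
                user.Identity?.Name);
        }

        context.Fail();
        return Task.CompletedTask;
    }
}

public static class GroupAuthorizationSetup
{
    // Constructed placeholder group object IDs; replace with the IDs from your tenant.
    public const string AdminsGroupId = "00000000-0000-0000-0000-000000000001";
    public const string OpsGroupId    = "00000000-0000-0000-0000-000000000002";

    // Call from Startup.ConfigureServices.
    public static void AddGroupPolicies(this IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, GroupMembershipHandler>();
        services.AddAuthorization(options =>
        {
            options.AddPolicy("AdminsOrOps", policy => policy
                .RequireAuthenticatedUser()
                .AddRequirements(new GroupMembershipRequirement(AdminsGroupId, OpsGroupId)));

            // Everything without an explicit policy still requires a signed-in user,
            // as in the question's Startup.
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
        });
    }
}

// Apply the policy per controller (or per action); the fallback policy covers the rest.
[Authorize(Policy = "AdminsOrOps")]
public class AdminController : Controller
{
    public IActionResult Index() => Content("admins and ops only");
}
```

The handler deliberately calls `context.Fail()` rather than simply not succeeding, so that a user whose token hit the overage limit is denied even if another handler for the same policy would otherwise succeed; compare the group IDs case-insensitively because object IDs are GUIDs and casing carries no meaning.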
Comment: Your question is unclear.

Comment: The question has been updated.