2016-04-21 37 views
0

We have an application developed on the MEAN stack. We use the adal-angular library for Azure AD authentication, following the documentation and sample. Azure AD: how do we get group information in the token?

Adal.js uses the OAuth implicit flow to communicate with Azure AD. You must enable the implicit flow for your application.

However, when we enable the implicit flow, Azure AD does not include group information in the token. This issue has been discussed in detail here and by @vibronet.

Question
Azure AD features have been confirmed to change almost daily, so is the above answer still valid? Do we still need to enable the implicit flow for the application? I want the group information in the token (I don't want to use the Graph API as a solution).

Another reason I am asking this question is that I disabled the implicit flow and users are still able to access the application. However, I still cannot see the group information.

+0

Can you set the groups claim in the application manifest? To avoid using the Graph API, how do you guarantee that your users will never have more groups than the maximum allowed in the token? –

+0

Assuming this is also you: https://social.msdn.microsoft.com/Forums/en-US/2b49109b-b98a-4b54-b644-43d623a7d36a/azure-ad-jwt-token-is-missing-group-information?forum=WindowsAzureAD, I see you have. Have you looked at the raw 'id_token' (e.g. on jwt.io)? –

+0

@PhilippeSignoret Yes, that's me. Not sure how jwt.io would help me if Azure never includes that information in the token. Also, we are using "passport-azure-ad" on the server to parse and validate the token – LP13

Answer

0

Not possible without calling Graph from the BE:

Here is the discussion: https://github.com/AzureAD/azure-activedirectory-library-for-js/issues/239

If the hasgroups claim is not present in the id_token, get the groups from the id_token. If it is present, call Graph on the Azure AD 2.0 endpoint.

Example: the implicit flow does issue security groups

     using System.Collections.Generic; 
     using System.Net.Http; 
     using System.Net.Http.Headers; 
     using System.Threading.Tasks; 
     using System.Web.Helpers;   // Json.Decode 
     using Microsoft.Identity.Client; 

     ... 

     // Exchanges the id_token received from the JS side for a Graph access token 
     // (on-behalf-of flow) and returns the object IDs of the user's security groups. 
     public static async Task<List<string>> GetSecurityGroupIdsAsync() 
     { 
      //Obtaining the Access Token By Id Token... 

      var redirectUri = "http://localhost"; 
      var authority = @"https://login.microsoftonline.com/common/v2.0"; 
      var clientId = "00000000-0000-0000-0000-000000000000"; 
      var userObjectId = "00000000-0000-0000-0000-000000000000"; //from id_token 
      var idToken = "ey-- ID Token from the JS Side"; 
      var appKey = "Client Secret here"; 

      var cc = new ClientCredential(appKey); 
      var cca = new ConfidentialClientApplication(clientId, authority, redirectUri, cc, null, null); 
      var ua = new UserAssertion(idToken, "urn:ietf:params:oauth:grant-type:jwt-bearer"); 
      // Make sure one scope is user-consented (should be requested from the front-end side) and one is admin-consented 
      var authResult = await cca.AcquireTokenOnBehalfOfAsync(new[] { "User.Read", "Group.Read.All" }, ua); 

      var accessToken = authResult.AccessToken; 

      // And then calling the MS Graph... 

      var requestUrl = $"https://graph.microsoft.com/v1.0/users/{userObjectId}/getMemberGroups"; 

      // Prepare and make the POST request 
      HttpResponseMessage response; 
      using (var client = new HttpClient()) 
      using (var request = new HttpRequestMessage(HttpMethod.Post, requestUrl)) 
      { 
       request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken); 
       // securityEnabledOnly is a JSON boolean in the Graph request body, not a string 
       var content = new StringContent("{\"securityEnabledOnly\": true}"); 
       content.Headers.ContentType = new MediaTypeHeaderValue("application/json"); 
       request.Content = content; 
       response = await client.SendAsync(request); 
      } 

      var groupObjectIds = new List<string>(); 

      // Endpoint returns JSON with an array of group object IDs 
      if (response.IsSuccessStatusCode) 
      { 
       var responseContent = await response.Content.ReadAsStringAsync(); 
       var groupsResult = Json.Decode(responseContent).value; 

       foreach (string groupObjectId in groupsResult) 
        groupObjectIds.Add(groupObjectId); 
      } 

      return groupObjectIds; 
     }
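The rule in the answer above (read groups from the id_token unless the hasgroups claim is present, in which case the backend must call Graph) expressed as the server-side decision a MEAN application would make. This is an added example, not code from the original answer or from adal.js or passport-azure-ad; the sample tokens and object IDs are constructed, and the helper names are hypothetical.

```javascript
// Added example (not from the original answer): decide, from an Azure AD
// id_token payload, whether group membership can be read from the token or
// whether the "hasgroups" overage marker means Graph must be called instead.
// This only decodes the payload; signature validation is assumed to happen
// elsewhere (e.g. passport-azure-ad on the server, as the question mentions).

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; restore standard base64 first.
  const pad = '='.repeat((4 - (segment.length % 4)) % 4);
  const b64 = (segment + pad).replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWS with 3 segments');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns { source: 'token', groups: [...] } when the groups claim is present,
// { source: 'graph', groups: null } when hasgroups signals overage (call
// getMemberGroups on Graph from the backend), and { source: 'none', groups: [] }
// when the token carries neither claim (groups claim not configured at all).
function groupsFromIdToken(idToken) {
  const claims = decodeJwtPayload(idToken);
  // Defensive assumption: accept hasgroups as a boolean or as the string "true".
  if (claims.hasgroups === true || claims.hasgroups === 'true') {
    return { source: 'graph', groups: null };
  }
  if (Array.isArray(claims.groups)) {
    return { source: 'token', groups: claims.groups };
  }
  return { source: 'none', groups: [] };
}

// Constructed, unsigned sample tokens for illustration only: the third segment
// is a placeholder rather than a signature, and the object IDs are made up.
function makeUnsignedToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}

const WITH_GROUPS = makeUnsignedToken({ oid: 'user-1', groups: ['grp-aaaa', 'grp-bbbb'] });
const OVERAGE = makeUnsignedToken({ oid: 'user-2', hasgroups: true });
const NO_CLAIM = makeUnsignedToken({ oid: 'user-3' });
```

The 'none' outcome is the case the first comment asks about: no groups claim configured in the manifest, so neither the token nor the overage marker says anything about membership.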