问题描述
我们正在开发的Azure多租户SaaS产品,它有一个AngularJS前端和Web API后端。我们用于身份验证的Azure AD并与ADAL JS迷上它(使用的OAuth2隐性补助金)。作为一个多租户应用程序,我们让客户对自己的Azure AD认证(这可能会或可能不会被连接到一个片premise AD)。
We are developing a multi-tenant SaaS product in Azure which has an AngularJS front-end and Web API back-end. We use Azure AD for authentication and have hooked it up with ADAL JS (using the OAuth2 implicit grant). Being a multi-tenant application, we allow customers to authenticate against their own Azure AD (which may or may not be connected to an on-premise AD).
到目前为止,这一切都很好地工作。 ADAL JS把用户带到Azure的登录页面,一旦用户通过验证,OAuth2用户令牌发出。这JWT令牌,然后用所有的API调用作为承载令牌,我们有我们从Azure的传入声明映射到我们的申请要求自己的要求转化过程中发送。
So far this all works nicely. ADAL JS takes the user to the Azure login page and once the user has authenticated, an OAuth2 token is issued. This JWT token is then sent with all API calls as a bearer token where we have our own claims transformation process for mapping the incoming claims from Azure to our application claims.
而不是指定索赔改造过程中的个人用户,我们试图通过AD组来做到这一点。这使得我们的客户能够安全组在其广告,然后我们的应用程序将使用映射到正确的申请要求。
Rather than specify individual users in the claims transformation process, we try to do it by AD groups. This allows our customers to have security groups in their AD and then our application will use that to map to the correct application claims.
JWT的原因,我们收到不包含组
属性,尽管被设置 groupMembershipClaims
到 SecurityGroup
在AAD应用程序清单。我在的那个
The JWT token we receive does not contain a groups
property, despite having set groupMembershipClaims
to SecurityGroup
in the AAD application manifest. I have since read in this tweet from Vittorio that
隐含的拨款将不会发送这些说法,因为它返回的令牌查询字符串 - 它很容易吹过去的最大长度
经进一步调查,我也发现这个计算器的答案,说
Upon further investigation, I also found this StackOverflow answer from Vittorio that says
我验证和隐含的补助情况下,你总是会接收组通过超龄索赔。请参考https://github.com/AzureADSamples/WebApp-GroupClaims-DotNet/tree/master/WebApp-GroupClaims-DotNet - 它会告诉你如何处理超龄索赔检索集团
我来看看JWT令牌,它不包含任何超额索赔(由 _claim_names
和 _claim_sources
)。我绝对两组在我的Azure AD成员。
I had a look at the JWT token and it does not include any overage claim (identified by _claim_names
and _claim_sources
). I'm definitely a member of two groups in my Azure AD.
我现在也似乎有一些关于它是否有可能获得组信息两个相互矛盾的陈述(不论直接或间接)的隐含授权令牌。
I also now appear to have two conflicting statements about whether it is possible to get group information (whether directly or indirectly) in the implicit grant token.
问题1:我应该得到超龄声称我可以用它来获取组信息?如果是这样,我需要尽一切努力确保这种说法被发送到我吗?
我是否可以得到一个超龄索赔的图形API,还是我必须手动工艺的链接来获取用户的组链接到用户,我还是有点不确定我如何与图形API进行身份验证。
Whether I can get an overage claim with a link to the user in the graph API or whether I have to manually craft the link to get the user's groups, I'm still a little unsure how I authenticate with the graph API.
我需要接收与承载令牌(从ADAL JS)的请求后联系从后端的图形API
I need to contact the graph API from the back-end after receiving a request with a bearer token (from ADAL JS).
问2:我可以发送相同的承载令牌的图形API来读取用户的目录信息?或者我需要直接从我的应用程序的图形API租户应用程序,而不是用户的上下文中进行验证?
推荐答案
道歉这里的混乱。我会仔细检查关于超龄的语句,但在任何情况下 - 快速疏通你的缘故,我们假设您需要手动拿到团体没有超龄索赔的援助。你不能再用你发送到Web API令牌。该令牌可以被限制您的应用程序,以及任何其他收件人(或应该)拒绝。好消息是,通过它你的后端可以请求范围图的一个新的令牌流很容易实现。请参见 - 细节你的情况是有点不同(您的Web API有观众==您的应用程序的客户端ID),但是拓扑结构和code /参与通话是完全一样的。 HTH!诉
apologies for the confusion here. I will double check the statement about the overage, but in any case - for the sake of unblocking you quickly, let's assume that you need to get the groups manually without the aid of the overage claim. You cannot reuse the token you send to your Web API. That token is scoped to your app, and any other recipient will (or should) reject it. The good news is that the flow through which your backend can request a new token scoped for the Graph is easy to implement. See https://github.com/AzureADSamples/WebAPI-OnBehalfOf-DotNet - the details in your case are a be a bit different (your web API has the audience == clientid of your app) but the topology and the code/calls involved are exactly the same. HTH! V.
这篇关于集团Azure的AD和隐含的OAuth2格兰特ADAL JS索赔的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!