問題描述

我正在尋找 ASP.NET MVC 應用程序的幫助.它對單租戶 Azure Active Directory 用戶進行身份驗證，并可以使用 Active Directory 安全組授權用戶.即，如果用戶是該安全組的一部分，則只允許訪問網站，否則訪問被拒絕.

Visual Studio 本身可以使用向導完成 Active Directory 身份驗證，但不確定如何通過 AAD 安全組執行授權.

附:我是 ASP.NET 安全新手

當用戶登錄應用程序時，來自 Azure AD 的傳入令牌將包含 組聲明，一旦你適當地修改了應用程序的清單 (有關步驟，請參閱下面的示例應用程序鏈接).然后，您的應用程序代碼可以讀取這些聲明并根據它們做出授權決策.

這是一個基于組聲明進行授權的示例應用程序 -

實施授權邏輯時要考慮的其他信息

1. 您已經特別詢問了有關組的問題，但您還應該考慮使用應用程序角色，它可以幫助您實現基于角色的授權邏輯.查看 Microsoft 文檔鏈接

   I am looking help for ASP.NET MVC application. Which authenticate single tenant azure active directory users and can authorize users using active directory security group. i.e. if user is part of that security group then only allow access to website otherwise access denied.

   Active directory authentication can be done by visual studio itself using wizard but not sure how to perform authorization through AAD security group.

   P.S. I am new to ASP.NET security

   解決方案

   When a user signs into the application, incoming token from Azure AD will contain group claims, once you modify the application's manifest appropriately (see the sample application link below for steps). Your application code can then read these claims and make authorization decisions based on them.

   Here is a sample application that does authorization based on group claims -

   Authorization in a web app using Azure AD groups & group claims

   Group claims

   ADDITIONAL INFORMATION TO CONSIDER WHEN IMPLEMENTING AUTHORIZATION LOGIC

   1. You have specifically asked about Groups, but you should also consider using Application Roles, which can help you implement a Role based authorization logic. Look at Microsoft documentation link Application Roles. Here is a link to another similar question where I have provided a little more detailed information on both Application Roles and Groups and links to sample code for both. Azure Active Directory Integration with Custom RBAC

      Once you understand the usage/purpose of application roles and groups, it's completely possible for you to decide that you want to base your authorization logic on a combination of Roles and Groups information for the signed in user instead of just one.

   2. In case when a user is part of many groups (6 or more AFAIK), Azure AD token doesn't send across the "groups" directly as part of token, instead it sends an overage indicator and then you can query the groups in a separate call. Take a look at the token related documentation here - Claims in id_tokens

   這篇關于asp.net mvc 和 azure 基于活動目錄安全組的授權的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！

   【網站聲明】本站部分內容來源于互聯網,旨在幫助大家更快的解決問題，如果有圖片或者內容侵犯了您的權益，請聯系我們刪除處理，感謝您的支持！