net Core Web API application.我已经为我的网络 api 应用程序配置了招摇。我正在从 swagger 进行身份验证和授权,我没有网络应用程序或 SPA。现在我想基于组进行授权。当我看到 JWT 令牌时,我看到了 hasgroups:true 而不是组 id。如果与用户关联的组超过 5 个,则会更改此设置。如果我的理解是错误的,请纠正我。所以我现在有团体:真的。所以要获得组,我需要调用图形 api。从图形 API 获取组后,我需要创建策略。这是我的理解,如果我走错了路,请纠正我。现在我有了下面的网络 api 应用程序。
启动.cs
public Startup(IConfiguration configuration)
{
Configuration = configuration;
azureActiveDirectoryOptions = Configuration.GetSection("AzureAd").Get<AzureActiveDirectoryOptions>();
swaggerUIOptions = Configuration.GetSection("Swagger").Get<SwaggerUIOptions>();
}
public IConfiguration Configuration { get; }
public void ConfigureServices(IServiceCollection services)
{
services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
services
.AddAuthentication(o =>
{
o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(o =>
{
o.Authority = azureActiveDirectoryOptions.Authority;
o.TokenValidationParameters = new TokenValidationParameters
{
ValidAudiences = new List<string>
{
azureActiveDirectoryOptions.AppIdUri,
azureActiveDirectoryOptions.ClientId
},
};
});
services.AddMvc(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
})
.SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new Info { Title = "My API", Version = "v1" });
c.AddSecurityDefinition("oauth2", new OAuth2Scheme
{
Type = "oauth2",
Flow = "implicit",
AuthorizationUrl = swaggerUIOptions.AuthorizationUrl,
TokenUrl = swaggerUIOptions.TokenUrl
});
c.AddSecurityRequirement(new Dictionary<string, IEnumerable<string>>
{
{ "oauth2", new[] { "readAccess", "writeAccess" } }
});
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseSwagger();
app.UseSwaggerUI(c =>
{
c.OAuthClientId(swaggerUIOptions.ClientId);
c.OAuthClientSecret(swaggerUIOptions.ClientSecret);
c.OAuthRealm(azureActiveDirectoryOptions.ClientId);
c.OAuthAppName("Swagger");
c.OAuthAdditionalQueryStringParams(new { resource = azureActiveDirectoryOptions.ClientId });
c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API V1");
});
app.UseAuthentication();
app.UseMvc();
}
}
我有如下 API。
[Authorize]
[Route("api/[controller]")]
[ApiController]
public class ValuesController : ControllerBase
{
private IHttpContextAccessor _httpContextAccessor;
public ValuesController(IHttpContextAccessor httpContextAccessor)
{
_httpContextAccessor = httpContextAccessor;
}
// GET api/values
[HttpGet]
public ActionResult<string> Get()
{
string owner = (User.FindFirst(ClaimTypes.Name))?.Value;
var accessToken = _httpContextAccessor.HttpContext.Request.Headers["Authorization"];
return owner;
}
}
现在登录后,我可以点击API。现在,我想根据要控制授权的组来拥有类似授权(管理员/用户(的东西。现在我遇到了麻烦,我应该在哪里调用图形 api 并获取组。有人可以帮助我理解这一点吗?任何帮助将不胜感激。谢谢
您正在使用哪个 protol 和哪个流程。
?是的,隐式流对组声明有限制。要使用Microsoft Graph获取当前用户的组,可以尝试以下方法:
-
使用代表授权获取允许 API 以用户身份调用 MS Graph 的访问令牌,这里是代码示例。
-
使用客户端凭据流在 Web API 中获取 Microsoft Graph 的访问令牌,此流使用应用程序的权限,没有用户上下文。此处的代码示例适用于使用 ADAL 的 Azure AD V1.0。下面是使用 MSAL 的 Azure AD V2.0 的代码示例。