Azure AD B2C - Role management

后端 未结 1 399
野性不改
野性不改 2020-11-28 08:06

I have an Asp.NET MVC Application connected with Azure AD B2C.

In the Administrator settings I\'ve created an Administrators Group:

In my code I wou

相关标签:
1条回答
  • 2020-11-28 08:41

    Azure AD B2C does not yet include Group claims in the token it sends to the application thus you can't follow the same approach as you outlined with Azure AD (which does include group claims in the token).

    You can support this feature ask by voting for it in the Azure AD B2C feedback forum: Get user membership groups in the claims with Azure AD B2C

    That being said, you can do some extra work in this application to have it manually retrieve these claims the group claims and inject them into the token.

    First, register a separate application that'll call the Microsoft Graph to retrieve the group claims.

    1. Go to https://apps.dev.microsoft.com
    2. Create an app with Application Permissions : Directory.Read.All.
    3. Add an application secret by clicking on Generate new password
    4. Add a Platform and select Web and give it any redirect URI, (e.g. https://yourtenant.onmicrosoft.com/groups)
    5. Consent to this application by navigating to: https://login.microsoftonline.com/YOUR_TENANT.onmicrosoft.com/adminconsent?client_id=YOUR_CLIENT_ID&state=12345&redirect_uri=YOUR_REDIRECT_URI

    Then, you'll need to add code the following code inside of the OnAuthorizationCodeReceived handler, right after redeeming the code:

    var authority = $"https://login.microsoftonline.com/{Tenant}";
    var graphCca = new ConfidentialClientApplication(GraphClientId, authority, GraphRedirectUri, new ClientCredential(GraphClientSecret), userTokenCache, null);
    string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
    
    try
    {
        AuthenticationResult authenticationResult = await graphCca.AcquireTokenForClientAsync(scopes);
        string token = authenticationResult.AccessToken;
    
        using (var client = new HttpClient())
        {
            string requestUrl = $"https://graph.microsoft.com/v1.0/users/{signedInUserID}/memberOf?$select=displayName";
    
            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
    
            HttpResponseMessage response = await client.SendAsync(request);
            var responseString = await response.Content.ReadAsStringAsync();
    
            var json = JObject.Parse(responseString);
    
            foreach (var group in json["value"])
                notification.AuthenticationTicket.Identity.AddClaim(new System.Security.Claims.Claim(System.Security.Claims.ClaimTypes.Role, group["displayName"].ToString(), System.Security.Claims.ClaimValueTypes.String, "Graph"));
    
            //TODO: Handle paging. 
            // https://developer.microsoft.com/en-us/graph/docs/concepts/paging
            // If the user is a member of more than 100 groups, 
            // you'll need to retrieve the next page of results.
        }
    } catch (Exception ex)
    {
        //TODO: Handle
        throw;
    }
    
    0 讨论(0)
提交回复
热议问题