How to use Azure AD to generate tokens with role definition

梦毁少年i 2021-01-21 10:54

I have this scenario: I have an App Service, I set its authorization as Allow Anonymous Request and the Authentication Provider as Active Directory setting an Azure AD App.

1 answer
  • 2021-01-21 11:35

    If your scenario is about assigning an application role to the user/group: once a user is assigned to an application role (either through a direct assignment or via an assignment to a group that the user is a member of), Azure AD includes the roles claim in the token when the user signs in to the application. The application can then authorize the user using constructs like IsInRole("reader") or the [Authorize(Roles="reader")] of .NET. You should set:

    "allowedMemberTypes": [
        "User"
    ],
    

    Then you don't need to use the client credential flow. Here is an article about how to configure that; also refer to the code sample here.

    If your scenario is about allowing web applications and web APIs that act as clients and access other resource APIs to request application roles of the resource API to be assigned to them (using the client credential flow): the role gets assigned to the client app when it is installed by the Azure AD customers. You could refer to the steps below to achieve that:

    1. Create a new AD application in the classic Azure AD portal:
    2. Set the sign-on URL and app ID URL.

    3. On the Configure tab, scroll down to the section called "permissions to other applications". Here, add a new permission by first selecting the API for which the client application is requesting an application role, and then selecting the desired application role in the Application Permissions drop-down. In my API app (named testRole), I have set the roles like this:

    Then select the application role:

    4. Then we could acquire the token to let my web app access the "testRole" API using the client credential flow:

      POST https://login.microsoftonline.com/YourTenant/oauth2/token

      Content-Type: application/x-www-form-urlencoded

      resource=http%3A%2F%2Ftestbasic1.onmicrosoft.com%2Ftestrole&client_id=&client_secret=&grant_type=client_credentials

    5. Then the access token will include the app role:

    You could read more about role-based access control in cloud applications using Azure AD here.

    EDIT

    To set permissions to another application in the new portal:

    1. Click the Azure AD icon in the left panel, select the web app, click Required permissions, click Add, Select an API, then search for the API you want to access:

    2. Then select the application permissions you want:
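As an added example (not part of the answer, and not Microsoft's code): a small Python script that checks which roles in an appRoles manifest can actually be obtained with the client credential flow, builds the form body of the token request in step 4, and reads the roles claim from a constructed, unsigned sample token the way a resource API would before an IsInRole-style check. SAMPLE_APP_ROLES, SAMPLE_TOKEN and the role values are assumptions.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed sample of the appRoles array in the resource API's manifest
# (the "testRole" API of the answer); role values are illustrative.
SAMPLE_APP_ROLES = [
    {"allowedMemberTypes": ["Application"], "value": "reader", "isEnabled": True},
    {"allowedMemberTypes": ["User"], "value": "admin", "isEnabled": True},
]

def roles_for_member_type(app_roles, member_type):
    # Only roles allowing "Application" can appear in a client-credentials
    # token; roles allowing "User" need a signed-in user (or group) assignment.
    return sorted(r["value"] for r in app_roles
                  if r.get("isEnabled", True) and member_type in r["allowedMemberTypes"])

def client_credentials_body(resource, client_id, client_secret):
    # Form body for POST https://login.microsoftonline.com/{tenant}/oauth2/token
    return urlencode({"resource": resource, "client_id": client_id,
                      "client_secret": client_secret,
                      "grant_type": "client_credentials"})

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def token_roles(jwt):
    # Decodes the payload only. Before trusting any role, the API must verify
    # the signature against the tenant's signing keys plus iss, aud and exp.
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return set(json.loads(_b64url_decode(parts[1])).get("roles", []))

def is_authorized(jwt, required_role):
    return required_role in token_roles(jwt)

# Constructed, unsigned stand-in for the access token of step 5; a real token
# carries a signature in the third segment.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    _b64url(json.dumps({"aud": "http://testbasic1.onmicrosoft.com/testrole",
                        "roles": ["reader"]}).encode()),
    "constructed-signature",
])
```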