How to use Azure AD for authentication for multiple instances of same application

问题

I am new to Azure Active Directory authentication and I am trying to figuring out how we can implement our requirements for Azure Active Directory Authentication.

We have multiple instances of the same web application. i.e. There is one virtual directory and one database for each client. Users from one instance should not be allowed to access other instances of the application. Can we achieve this using a Single Active Directory with all users in it and a single Azure AD application or do we need to create Active Directory and a separate Azure AD application for each client? The restriction will be implemented through application code, but is there any way to group users so we can get some value in authentication response to identify which instance the user can access?

回答1:

1. We have multiple instances of the same web application. i.e. There is one virtual directory and one database for each client. Users from one instance should not be allowed to access other instances of the application. Can we achieve this using a Single Active Directory with all users in it?

Yes, you can do that. You can create Azure AD group for each database in Azure SQL Server and assign SQL role to the group. Then if you want to enable one user to access one database, you just need to add the user to the group. For more details, please refer to the document The steps are as below

1. Create an Azure AD administrator for Azure SQL server

Connect-AzAccount
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName "Group-23" -ServerName "demo_server" -DisplayName "user name" -ObjectId "user object id"

2. Create Azure AD group for each database

   a. Use above Azure AD use login SQL server vai SSMS b. Create

   CREATE USER [GroupNmae] FROM EXTERNAL PROVIDER
   ALTER ROLE db_owner ADD MEMBER [GroupNmae]
   

3. Add users to AD group

Connect-AzureAD
Add-AzureADGroupMember -ObjectId <group id> -RefObjectId <user id>

2. The restriction will be implemented through application code, but is there any way to group users so we can get some value in authentication response to identify which instance the user can access?

According to my test, we can use the AzureAD token role claim to implement. We can create app role for every database in Azure SQL server by assigning app role for the AD group. For more details about app role, please refer to the document

The detailed steps are as below.

1. Create Azure AD application

2. Configure app permisions

3. Add app role

   • Select the application you want to define app roles in. Then select Manifest.

   • Edit the app manifest by locating the appRoles setting and adding all your Application Roles

   For example

"appId": "8763f1c4-f988-489c-a51e-158e9ef97d6a",
"appRoles": [
 {
   "allowedMemberTypes": [
     "User"
   ],
   "displayName": "your databse name",
   "id": "<GUID>",
   "isEnabled": true,
   "description": "access database <your databse name>",
   "value": "your databse name"
 }
],
"availableToOtherTenants": false,

4. Code

   a. Create Stratup.cs

   public void ConfigureAuth(IAppBuilder app)
    {
   
        JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
   
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
   
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                Authority = authority,
                ClientId = appId,
                ClientSecret = appSecret,
                RedirectUri = redirectUri,
                PostLogoutRedirectUri = redirectUri,
                Scope = "openid profile offline_access https://database.windows.net//.default",
                ResponseType=OpenIdConnectResponseTypes.CodeIdToken,
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = false,
                    RoleClaimType = "roles"
   
   
   
                },
                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    AuthenticationFailed = OnAuthenticationFailed,
                    AuthorizationCodeReceived= OnAuthorizationCodeReceived
                }
            }
        );
   
    }
   
    private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification notification)
    {
        var idClient = var idClient = ConfidentialClientApplicationBuilder.Create(appId)
                              .WithAuthority(authority)
                              .WithRedirectUri(redirectUri)
                              .WithClientSecret(appSecret)
                              .Build();
   
   
        string[] scopes = "openid profile offline_access https://database.windows.net//.default".Split(' ');
        AuthenticationResult result = await idClient.AcquireTokenByAuthorizationCode(scopes, notification.Code).ExecuteAsync();
   
    }
   
    private Task OnAuthenticationFailed(AuthenticationFailedNotification<Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
    {
        notification.HandleResponse();
        notification.Response.Redirect("/Error?message=" + notification.Exception.Message);
        return Task.FromResult(0);
    }
   

   b. Get role value

    ClaimsPrincipal.Current.FindFirst("roles").Value;
   

Regarding how to implement this, you can refer to the sample to get more details.

来源：https://stackoverflow.com/questions/59451347/how-to-use-azure-ad-for-authentication-for-multiple-instances-of-same-applicatio