How to differentiate between 'local' and 'social' user types after login via Azure AD B2C?

Question

I have a Node.js/Express application that uses Azure AD B2C for authentication.

Currently, two types of users can log in:

  • Local accounts - EXTERNAL users in the Azure AD B2C tenant
  • Social accounts - INTERNAL users from a single Azure AD tenant

Desired Behaviour

I want to display different frontend user interface elements based on the type of user that has logged in.

  • Local accounts will be able to call endpoints relevant to EXTERNAL users
  • Social accounts will be able to call endpoints relevant to INTERNAL users

What is the recommended way to differentiate between who logged in?

I can see that the authToken object that is returned from msal-node's acquireTokenByCode() method is different depending on which type of user logged in.

Should I use a property from the authToken object to differentiate between user types?

If so, which property is the best one to use?

And, so that I can perform relevant UI actions accordingly, is it acceptable to store this value as a cookie in the browser (eg 'user_type': 'EXTERNAL' or 'user_type': 'INTERNAL') using something like js-cookie?

Below is a redacted version of the authToken object that is returned after login.

All values are the same for different user types, unless otherwise specified.

Notably, these two properties are only present after a 'social account' login:

  • idp_access_token
  • idp

{
    "authority": "https://<my-azure-ad-b2c-tenant>.b2clogin.com/<my-azure-ad-b2c-tenant>.onmicrosoft.com/b2c_1_signin1/",
    "uniqueId": "*******",  // <-- different for each user, this is the object id of the user as represented in the Azure AD B2C tenant
    "tenantId": "",
    "scopes":
    [
        "https://<my-azure-ad-b2c-tenant>.onmicrosoft.com/my-web-app-api/tasks.write", // <-- these are the api permissions granted to my web app
        "https://<my-azure-ad-b2c-tenant>.onmicrosoft.com/my-web-app-api/tasks.read"  // <-- these are the api permissions granted to my web app
    ],
    "account":
    {
        "homeAccountId": "***uniqueId***-b2c_1_signin1.<the-directory-id-of-my-azure-ad-b2c-tenant>", // unique id is different for each user
        "environment": "<my-azure-ad-b2c-tenant>.b2clogin.com",
        "tenantId": "",
        "username": "<user-email-address>", // different for each user
        "localAccountId": "***uniqueId***", // different for each user
        "idTokenClaims":
        {
            "exp": 1673069519,
            "nbf": 1673065919,
            "ver": "1.0",
            "iss": "https://<my-azure-ad-b2c-tenant>.b2clogin.com/<the-directory-id-of-my-azure-ad-b2c-tenant>/v2.0/",
            "sub": "***uniqueId***", // different for each user
            "aud": "<the-application/client id of my web app>",
            "iat": 1673065919,
            "auth_time": 1673065918,
            "idp_access_token": "********", // <-- this property is ONLY present in the authToken returned from the SOCIAL login
            "idp": "https://login.microsoftonline.com/<the-directory-id-of-my-azure-ad-tenant>/v2.0", // <-- this property is ONLY present in the authToken returned from the SOCIAL login
            "emails":
            [
                "<user-email-address>" // different for each user
            ],
            "tfp": "B2C_1_signin1",
            "at_hash": "*******" // different for each user
        }
    },
    "idToken": "*******", // different for each user
    "idTokenClaims":
    {
        "exp": 1673069519,
        "nbf": 1673065919,
        "ver": "1.0",
        "iss": "https://<my-azure-ad-b2c-tenant>.b2clogin.com/<the-directory-id-of-my-azure-ad-b2c-tenant>/v2.0/",
        "sub": "***uniqueId***", // different for each user
        "aud": "<the-application/client id of my web app>",
        "iat": 1673065919,
        "auth_time": 1673065918,
        "idp_access_token": "********", // <-- this property is ONLY present in the authToken returned from the SOCIAL login
        "idp": "https://login.microsoftonline.com/<the-directory-id-of-my-azure-ad-tenant>/v2.0", // <-- this property is ONLY present in the authToken returned from the SOCIAL login
        "emails":
        [
            "<user-email-address>" // different for each user
        ],
        "tfp": "B2C_1_signin1", // different for each user
        "at_hash": "*******"
    },
    "accessToken": "*******", // different for each user
    "fromCache": false,
    "expiresOn": "2023-01-07T05:31:57.000Z",
    "correlationId": "*******", // different for each user
    "requestId": "",
    "extExpiresOn": "2023-01-07T05:31:57.000Z",
    "familyId": "",
    "tokenType": "Bearer",
    "state": "",
    "cloudGraphHostName": "",
    "msGraphHost": "",
    "fromNativeBroker": false
}

For Reference

For reference, below are the steps I took to:

  • Enable login from a single Azure AD tenant
  • Enable Azure AD users to be able to call Graph API in their own tenant

I added a single Azure AD tenant as an Identity Provider by going to:

Azure Portal > Azure AD B2C Tenant > Azure AD B2C > Identity Providers > + New OpenID Connect provider > [ fill in required fields and click 'Save' ]

Detailed steps on adding an Azure AD tenant as an identity provider can be found here:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow#configure-azure-ad-as-an-identity-provider

In the Scope field, I added the scopes that I wanted the Azure AD users to be able to use in their own tenant, i.e:

openid profile User.ReadWrite.All Directory.ReadWrite.All Team.ReadBasic.All TeamSettings.ReadWrite.All

Then I went to the relevant 'user flow' at:

Azure Portal > Azure AD B2C Tenant > Azure AD B2C > User flows > B2C_1_signin1 > Identity providers > [ check the recently added OpenID connect provider ] > [ click 'Save' ]

In order for Azure AD users to be able to make Graph API calls to their own tenant, I did the following to make sure that an idp_token was returned when they logged in - I believe this is essentially an 'access token' for their tenant:

Azure Portal > Azure AD B2C Tenant > Azure AD B2C > User flows > B2C_1_signin1 > Application claims > [ select 'Identity Provider Access Token' ] > [ click 'Save' ]

Answer 1

Score: 1

The idp claim is the one that you are looking for, since it will be set for all external providers of the Azure AD B2C tenant.

Note that the idp_access_token claim is present when pass-through is enabled but is only supported for OAuth 2.0 providers, so it may be blank for some.
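Putting the answer into practice in the asker's Node.js/Express setting, as an added example that is not code from the question, the answer, or msal-node: the user type is derived from the `idp` claim in the validated `idTokenClaims`, the authoritative copy lives in the server session, and the `user_type` cookie the question asks about is issued only as a rendering hint that the route guard never trusts. The sample claims, the `recordLogin`/`requireUserType` helpers and the Express-style `req`/`res` stand-ins are constructed for this example.

```javascript
// Constructed samples mirroring the redacted authToken.idTokenClaims in the question.
const SOCIAL_CLAIMS = {
  sub: 'aaa-111', tfp: 'B2C_1_signin1', emails: ['alice@example.com'],
  idp: 'https://login.microsoftonline.com/<directory-id-of-my-azure-ad-tenant>/v2.0',
  idp_access_token: '********',
};
const LOCAL_CLAIMS = { sub: 'bbb-222', tfp: 'B2C_1_signin1', emails: ['bob@example.com'] };

// Social (federated Azure AD) logins carry `idp`; local B2C accounts do not. The
// `idp_access_token` claim is not used as the signal: it needs pass-through and may be blank.
function userTypeFromClaims(claims) {
  if (!claims || typeof claims !== 'object') throw new TypeError('idTokenClaims required');
  return typeof claims.idp === 'string' && claims.idp.length > 0 ? 'INTERNAL' : 'EXTERNAL';
}

// Login completion (hypothetical helper): the session copy is authoritative; the cookie
// stays readable by js-cookie (httpOnly: false) but is only a rendering hint.
function recordLogin(req, res, authToken) {
  const userType = userTypeFromClaims(authToken.idTokenClaims);
  req.session.userType = userType;
  res.cookie('user_type', userType, { secure: true, sameSite: 'lax', httpOnly: false });
  return userType;
}

// Route guard: compares against the session, so a tampered cookie cannot unlock endpoints.
function requireUserType(expected) {
  return function (req, res, next) {
    const actual = req.session && req.session.userType;
    if (actual !== expected) return res.status(403).json({ error: 'forbidden' });
    return next();
  };
}

// Minimal req/res stand-ins so the guard can be exercised without Express.
const fakeRequest = (s, c) => ({ session: { userType: s }, cookies: { user_type: c } });
function fakeResponse() {
  const res = { statusCode: 200, body: null, cookies: {} };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  res.cookie = (n, v, o) => { res.cookies[n] = { value: v, options: o }; return res; };
  return res;
}

// True when the guard calls next(); the cookie value is deliberately ignored by the guard.
function guardAllows(expected, req) {
  let passed = false;
  requireUserType(expected)(req, fakeResponse(), () => { passed = true; });
  return passed;
}
```

Use `app.get('/internal/tasks', requireUserType('INTERNAL'), handler)` for the INTERNAL-only endpoints; the browser reads the `user_type` cookie purely to decide which UI elements to show.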

huangapple
  • Posted on 2023-01-07 14:59:41
  • Please keep this link when republishing: https://go.coder-hub.com/75038628.html