Can you access App Service authentication in an Azure Web App?

Question

I have an Azure Web App for which I've set up App Service authentication (current tenant access). I'd like to dynamically display different portions of the application based on assigned groups of the user.

My intention is to grab either the object ID or UID of the authenticated user, check their groups via MSGraph, and do different things based on their groups. I know theoretically how to accomplish all of this minus the first step - is it possible to pass data from Azure's built-in web app authentication methods to my application?

The alternative I am thinking of is to deactivate App Service authentication and leverage MSGraph within the application itself to authenticate users, which would then allow me to grab the user's groups, which I don't want to do unless I have to.

Answer 1

Score: 0

I think this document contains what you want.

Just a brief explanation. We need to integrate the Microsoft.Identity.Web.MicrosoftGraph and Microsoft.Identity.Web packages into the application, then add authentication scheme code like this to Program.cs:

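using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

// Sign users in with OpenID Connect and register a Graph client that calls Graph on their behalf.
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddMicrosoftGraph(Configuration.GetSection("Graph"))
    .AddInMemoryTokenCaches();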

Then we can use the Graph SDK to call the MS Graph API to query the information. The authentication is done by App Service itself, so we need to configure it to pass authentication information to the Azure AD app. This requires using Azure Resource Explorer and following these steps.

If the application and App Service are fully managed by yourself, I think it's also a good option to include the authentication module in the application and use RBAC.
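
An added example, not part of the original answer, of the first step the question asks about: App Service authentication forwards the signed-in user's claims to the app in the `X-MS-CLIENT-PRINCIPAL` request header as Base64-encoded JSON, from which the object ID can be read. The `EasyAuth` class and the sample payload are constructed for illustration, and the claim type names are assumed to match the tenant's token configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Text.Json;

// Constructed sample of the decoded header payload (not real user data).
var payload = JsonSerializer.Serialize(new
{
    auth_typ = "aad",
    claims = new[]
    {
        new { typ = EasyAuth.ObjectIdClaim, val = "00000000-0000-0000-0000-000000000001" },
        new { typ = "name", val = "Example User" },
    },
});
var header = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload));

// In ASP.NET Core the value would come from Request.Headers["X-MS-CLIENT-PRINCIPAL"].
var user = EasyAuth.Parse(header);
Console.WriteLine(EasyAuth.GetObjectId(user) ?? "(no object ID)");
Console.WriteLine(EasyAuth.Parse("not-base64!") is null ? "malformed header rejected" : "unexpected");

public static class EasyAuth
{
    public const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // Decodes the Base64 JSON that App Service authentication puts in X-MS-CLIENT-PRINCIPAL.
    // Returns null for a missing or malformed header so callers fail closed.
    public static ClaimsPrincipal? Parse(string? headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue)) return null;
        try
        {
            var json = Encoding.UTF8.GetString(Convert.FromBase64String(headerValue));
            using var doc = JsonDocument.Parse(json);
            var root = doc.RootElement;
            var claims = root.GetProperty("claims").EnumerateArray()
                .Select(c => new Claim(c.GetProperty("typ").GetString()!, c.GetProperty("val").GetString()!))
                .ToList();
            return new ClaimsPrincipal(new ClaimsIdentity(claims, root.GetProperty("auth_typ").GetString()));
        }
        catch (Exception e) when (e is FormatException or JsonException or KeyNotFoundException
                                      or InvalidOperationException or ArgumentException)
        {
            return null;
        }
    }

    // The object ID is the value to use when looking up the user's groups in Microsoft Graph.
    // "oid" is checked as a fallback (assumption: short claim names may appear instead).
    public static string? GetObjectId(ClaimsPrincipal? user) =>
        user?.FindFirst(ObjectIdClaim)?.Value ?? user?.FindFirst("oid")?.Value;
}
```

App Service sets this header itself and does not let external requests supply it, so the value is only meaningful for traffic that actually passed through the App Service authentication module.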

huangapple
  • Posted on June 1, 2023, 00:27:11
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76375581.html