Azure AD issuing claims with security group names

I need my Azure AD to issue claims with the security group names. But only the group object IDs come out in the JWT token.

How do I get the security group names?

What I have done so far:

  1. Created a test security group and assigned a user to it. This is the user's only group.

  2. Set groupMembershipClaims to All (integer 7), as described in the official documentation: https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest

  3. Here is the relevant part of the application manifest:

       {
         ...
         "appRoles": [],
         "availableToOtherTenants": false,
         "displayName": "Azure AD B2C sandbox App ",
         "errorUrl": null,
         "groupMembershipClaims": "All",
         "optionalClaims": null,
         "acceptMappedClaims": null,
         ...

You cannot get them from the token. As you noticed, you only get the IDs. Usually this is fine, because IDs cannot change, unlike names, which can.

If you want to authorize based on groups, you can put the IDs in a configuration file and check against those IDs.

If you want the names for some other purpose, you will need to query the groups from the Microsoft Graph API. You can find the API documentation here: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/groups-overview
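The group-ID check this answer describes, as an added example (it is not code from the question or from any of the answers): the allow-list is keyed by group object ID, the GUIDs and the sample principals are constructed for illustration, and the class and method names are my own. It goes one step beyond the answer by also recognizing the group-overage case, where Azure AD leaves the groups claim out of the token entirely (over 200 groups for a JWT) and emits an `_claim_names` marker instead, so that the missing claim is not mistaken for "no groups".

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example: authorize on the immutable group object IDs carried in the
// "groups" claim. Display names are not in the token and can be renamed, so
// they make a poor authorization key.
public sealed class GroupAuthorizer
{
    public enum Decision { Allowed, Denied, GroupsNotInToken }

    // Allow-list of group object IDs. In a real app this comes from configuration
    // (for example appsettings.json); the GUIDs used below are made up.
    private readonly HashSet<string> _allowedGroupIds;

    public GroupAuthorizer(IEnumerable<string> allowedGroupIds)
    {
        _allowedGroupIds = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var id in allowedGroupIds)
        {
            // Fail at startup on anything that is not an object ID: a display name
            // that slipped into the allow-list would silently never match.
            if (!Guid.TryParse(id, out var parsed))
                throw new ArgumentException($"'{id}' is not a group object ID (GUID).");
            _allowedGroupIds.Add(parsed.ToString("D"));
        }
    }

    public Decision Evaluate(ClaimsPrincipal principal)
    {
        // Azure AD does not emit "groups" when the user is in too many groups
        // (more than 200 for a JWT). It emits the overage marker "_claim_names"
        // instead ("hasgroups": true in the implicit flow). That means "unknown",
        // not "no groups": the caller must look membership up in Microsoft Graph
        // rather than deny, and must never treat the empty list as a pass.
        if (principal.HasClaim(c => c.Type == "_claim_names") ||
            principal.HasClaim(c => c.Type == "hasgroups"))
            return Decision.GroupsNotInToken;

        // Normalize every value through Guid so "8B1A..." and "8b1a..." compare
        // equal and anything that is not an object ID is ignored.
        var idsInToken = principal.FindAll("groups")
            .Select(c => Guid.TryParse(c.Value, out var g) ? g.ToString("D") : null)
            .OfType<string>();

        return idsInToken.Any(_allowedGroupIds.Contains) ? Decision.Allowed : Decision.Denied;
    }

    public static void Main()
    {
        // Constructed allow-list: one made-up group object ID.
        var admins = new GroupAuthorizer(new[] { "8b1a8f44-0f7e-4a1b-9c7e-2f1d5b6a0c11" });

        // Constructed principals standing in for what a validated Azure AD token
        // yields; the claim values are made up.
        var member = Principal(
            new Claim("groups", "8B1A8F44-0F7E-4A1B-9C7E-2F1D5B6A0C11"),
            new Claim("groups", "3c9e2f1d-7a50-4b88-b2ee-0d41f6c3a9e2"));
        var outsider = Principal(
            new Claim("groups", "3c9e2f1d-7a50-4b88-b2ee-0d41f6c3a9e2"));
        var overage = Principal(
            new Claim("_claim_names", "{\"groups\":\"src1\"}"));

        Console.WriteLine($"member:   {admins.Evaluate(member)}");
        Console.WriteLine($"outsider: {admins.Evaluate(outsider)}");
        Console.WriteLine($"overage:  {admins.Evaluate(overage)}");
    }

    private static ClaimsPrincipal Principal(params Claim[] claims) =>
        new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer"));
}
```

Returning a three-way decision rather than a bool is deliberate: a plain `false` for the overage case would look like a denial to the caller, when the correct action is to fetch the user's groups from Microsoft Graph (as the next answer does) and evaluate again.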

You cannot receive group display names inside your id_token.

But you can query group properties, such as the group display name, from another API, in this case the MS Graph API.

This is what I did to query group display names from the MS Graph API:

Thanks

// Usings this method needs. IdentityModel.Client supplies ClientCredentialsTokenRequest,
// RequestClientCredentialsTokenAsync and SetBearerToken; Newtonsoft.Json.Linq supplies JObject.
// The method lives in a class that holds an HttpClient (_httpClient) and a Configuration object.
using System;
using System.Collections.Generic;
using System.Net.Http;
using IdentityModel.Client;
using Newtonsoft.Json.Linq;

/// <summary>
/// Translate the group.Id list received in the id_token into a group.DisplayName list
/// </summary>
/// <param name="groupIdList">Group object IDs taken from the "groups" claim.</param>
/// <returns>Display names, in the same order as the input IDs.</returns>
public override List<string> TranslateGroupNames(List<string> groupIdList)
{
    // validations
    if (groupIdList == null || groupIdList.Count == 0)
        return new List<string>();

    if (string.IsNullOrEmpty(Configuration.ClientID))
        throw new InvalidOperationException("The 'ClientID' setting cannot be empty.");

    if (string.IsNullOrEmpty(Configuration.ClientSecret))
        throw new InvalidOperationException("The 'ClientSecret' setting cannot be empty.");

    if (string.IsNullOrEmpty(Configuration.TokenEndpoint))
        throw new InvalidOperationException("The 'TokenEndpoint' setting cannot be empty.");

    // Acquire a fresh access_token via client_credentials, scoped to Microsoft Graph.
    // The app registration needs the Group.Read.All application permission with
    // admin consent; without it the group requests below fail with 403.
    var clientCredentialsRequest = new ClientCredentialsTokenRequest
    {
        Address = Configuration.TokenEndpoint, // https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
        ClientId = Configuration.ClientID,
        ClientSecret = Configuration.ClientSecret,
        Scope = "https://graph.microsoft.com/.default"
    };

    // Sync-over-async: GetAwaiter().GetResult() surfaces the real exception instead of
    // an AggregateException. Inside ASP.NET, make the method async instead of blocking.
    var accessTokenResponse = _httpClient
        .RequestClientCredentialsTokenAsync(clientCredentialsRequest)
        .GetAwaiter().GetResult();
    if (accessTokenResponse.IsError)
        throw new InvalidOperationException(
            $"Failed to acquire access token. {accessTokenResponse.Error}: {accessTokenResponse.ErrorDescription}");

    // set access_token on httpclient
    _httpClient.SetBearerToken(accessTokenResponse.AccessToken);

    var result = new List<string>(groupIdList.Count);

    // Query Microsoft Graph for each group. The documented URL has no tenant segment;
    // the tenant is the one that issued the token. $select limits the response to the
    // two fields used here. This is one request per group: for long lists prefer a
    // single POST to /directoryObjects/getByIds.
    foreach (var groupId in groupIdList)
    {
        // Claim values go into a URL, so accept only a well-formed object ID.
        if (!Guid.TryParse(groupId, out var parsedId))
            throw new InvalidOperationException($"'{groupId}' is not a group object ID.");

        var url = $"https://graph.microsoft.com/v1.0/groups/{parsedId:D}?$select=id,displayName";
        var groupResponse = _httpClient.GetAsync(url).GetAwaiter().GetResult();
        if (!groupResponse.IsSuccessStatusCode)
            throw new InvalidOperationException(
                $"Failed to retrieve group {parsedId:D}. {(int)groupResponse.StatusCode} {groupResponse.ReasonPhrase}");

        var jsonString = groupResponse.Content.ReadAsStringAsync().GetAwaiter().GetResult();
        var displayName = JObject.Parse(jsonString)["displayName"]?.ToString();
        if (string.IsNullOrEmpty(displayName))
            throw new InvalidOperationException($"Group {parsedId:D} has no displayName.");

        // get group display name
        result.Add(displayName);
    }

    return result;
}

You can get the AD group names through the Token configuration. By default it returns the group ID, but you can change it to sAMAccountName.