Spring 从 Azure AD 授权服务器获取角色的启动授权问题
Spring boot authorization issue with fetching roles from Azure AD auth server
据此,我们使用 Azure AD 实施了 Spring 启动身份验证:https://ordina-jworks.github.io/security/2020/08/18/Securing-Applications-Azure-AD.html
此处访问令牌验证工作正常但未显示任何权限:
SecurityContext securityContext = SecurityContextHolder.getContext();
Authentication authentication = securityContext.getAuthentication();
Collection<? extends GrantedAuthority> authoritiesFromToken = authentication.getAuthorities();
System.out.println("authoritiesFromToken: " + authoritiesFromToken);
使用了以下依赖项:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
</dependency>
在 Azure AD 中添加了应用程序角色:https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
使用 Postman 获取带有客户端凭据的 Azure AD 令牌:https://docs.microsoft.com/en-us/rest/api/servicebus/get-azure-active-directory-token
在此之后 运行 应用程序,但未打印应用程序设置的应用程序角色。
我们还需要做什么才能获得角色?
- 有时令牌是一种访问令牌,可能不适用于您的应用。这
您正在寻找的角色可以出现在 id 令牌中。
- 请确保检查 id token 和 access token
身份验证 blade 或尝试分别检查两者。
- 因为您无法访问令牌中的角色。请检查
如果您没有在请求参数中分配 resource
连同 (client_id, grant_type, 等等) 。默认情况下资源
可能类似于 00000002-0000-0000-c000-000000000000。也可以尝试发送
responseType =请求中的token.
请检查这个Azure AD-protected Web API using Spring Boot Starter for Azure Active Directory (aaddevsup.xyz)
将以下依赖项添加到您的 pom.xml 文件中。
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>spring-cloud-azure-starter-active-directory</artifactId>
// <version>4.0.0</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
根据Add app roles and get them from a token - Microsoft identity platform | Microsoft Docs
中的注释
Note: Currently if you add a service principal to a group, and then assign an app role to that group, Azure AD does not add the roles
claim to tokens it issues. Azure AD emits a roles claim for each role
that the user or service principal has been granted individually to
the user and the user's group memberships.
也可以直接在清单 json 文件中添加角色。
"appRoles": [
{
"allowedMemberTypes": [
"User , Applications"
],
"description": " ",
"displayName": " ",
"id": "<Guid> ",
"isEnabled": true,
"lang": null,
"origin": "<> ",
"value": " "
},
]
If you're implementing app role business logic in an app-calling-API
scenario, you have two app registrations. One app registration is for
the app, and a second app registration is for the API. In this case,
define the app roles and assign them to the user or group in the app
registration of the API. When the user authenticates with the app and
requests an access token to call the API, a roles claim is included in
the access token. Your next step is to add code to your web API to
check for those roles when the API is called.
检查 user.read 是否用于图 api 并为您的应用程序获取 api 的令牌应该为 api.and 授予 api 公开范围管理员同意的权限。
要了解如何向您的网站添加授权 API,请参阅 Protected web API: Verify scopes and app roles.
参考:
Spring Boot Starter for Azure Active Directory developer's guide | Microsoft Docs
据此,我们使用 Azure AD 实施了 Spring 启动身份验证:https://ordina-jworks.github.io/security/2020/08/18/Securing-Applications-Azure-AD.html
此处访问令牌验证工作正常但未显示任何权限:
SecurityContext securityContext = SecurityContextHolder.getContext();
Authentication authentication = securityContext.getAuthentication();
Collection<? extends GrantedAuthority> authoritiesFromToken = authentication.getAuthorities();
System.out.println("authoritiesFromToken: " + authoritiesFromToken);
使用了以下依赖项:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
</dependency>
在 Azure AD 中添加了应用程序角色:https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
使用 Postman 获取带有客户端凭据的 Azure AD 令牌:https://docs.microsoft.com/en-us/rest/api/servicebus/get-azure-active-directory-token
在此之后 运行 应用程序,但未打印应用程序设置的应用程序角色。
我们还需要做什么才能获得角色?
- 有时令牌是一种访问令牌,可能不适用于您的应用。这 您正在寻找的角色可以出现在 id 令牌中。
- 请确保检查 id token 和 access token 身份验证 blade 或尝试分别检查两者。
- 因为您无法访问令牌中的角色。请检查 如果您没有在请求参数中分配 resource 连同 (client_id, grant_type, 等等) 。默认情况下资源 可能类似于 00000002-0000-0000-c000-000000000000。也可以尝试发送 responseType =请求中的token.
请检查这个Azure AD-protected Web API using Spring Boot Starter for Azure Active Directory (aaddevsup.xyz)
将以下依赖项添加到您的 pom.xml 文件中。
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>spring-cloud-azure-starter-active-directory</artifactId>
// <version>4.0.0</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
根据Add app roles and get them from a token - Microsoft identity platform | Microsoft Docs
中的注释Note: Currently if you add a service principal to a group, and then assign an app role to that group, Azure AD does not add the roles claim to tokens it issues. Azure AD emits a roles claim for each role that the user or service principal has been granted individually to the user and the user's group memberships.
也可以直接在清单 json 文件中添加角色。
"appRoles": [
{
"allowedMemberTypes": [
"User , Applications"
],
"description": " ",
"displayName": " ",
"id": "<Guid> ",
"isEnabled": true,
"lang": null,
"origin": "<> ",
"value": " "
},
]
If you're implementing app role business logic in an app-calling-API scenario, you have two app registrations. One app registration is for the app, and a second app registration is for the API. In this case, define the app roles and assign them to the user or group in the app registration of the API. When the user authenticates with the app and requests an access token to call the API, a roles claim is included in the access token. Your next step is to add code to your web API to check for those roles when the API is called.
检查 user.read 是否用于图 api 并为您的应用程序获取 api 的令牌应该为 api.and 授予 api 公开范围管理员同意的权限。
要了解如何向您的网站添加授权 API,请参阅 Protected web API: Verify scopes and app roles.
参考: Spring Boot Starter for Azure Active Directory developer's guide | Microsoft Docs