【Question title】: ADAL JavaScript: Adding additional claims (ADAL JS)
【Posted】: 2014-11-26 19:18:37
【Question】:

I am running the ADAL JS sample SPA project from Github against my Azure AD.

It works well, but I want to add claims to the token after authentication.

In the SPA sample you add the middleware as follows:

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
        Audience = ConfigurationManager.AppSettings["ida:Audience"],
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
    });

From here, do you have to add additional OAuth middleware to get at things like Notifications in order to reach the ClaimsIdentity and AddClaim?

【Comments】:

    Tags: c# authentication azure-active-directory adal claims


    【Answer 1】:

    You can use TokenValidationParameters. See ValidateToken and TokenValidationParameters.CreateClaimsIdentity

    【Comments】:

      【Answer 2】:

      I found a great sample that handles this... the magic happens inside Provider = new OAuthBearerAuthenticationProvider.

      You will see the additional claims being added to the identity.

      // Add bearer token authentication middleware.
      // Namespaces the sample relies on (OWIN/Katana, ADAL .NET, Azure AD Graph client):
      //   using System; using System.Linq; using System.Security.Claims; using System.Threading.Tasks;
      //   using System.IdentityModel.Tokens;
      //   using Microsoft.Azure.ActiveDirectory.GraphClient;
      //   using Microsoft.IdentityModel.Clients.ActiveDirectory;
      //   using Microsoft.Owin.Security.ActiveDirectory; using Microsoft.Owin.Security.OAuth;
      // clientId, applicationKey, tenant, azureGraphApiUrl, graphApiServiceRootUrl and
      // authenticationContext are defined elsewhere in the sample (read from its configuration).
      app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
          // The id of the client application that must be registered in Azure AD.
          TokenValidationParameters = new TokenValidationParameters { ValidAudience = clientId },
          // Our Azure AD tenant (e.g.: contoso.onmicrosoft.com).
          Tenant = tenant,
          Provider = new OAuthBearerAuthenticationProvider
          {
            // This is where the magic happens. The middleware has already validated the
            // token's signature, issuer, audience and lifetime; in this handler we can
            // perform additional validations against the authenticated principal or
            // modify the principal. It runs on every request that carries a bearer token.
            OnValidateIdentity = async context =>
            {
              // Retrieve the user's JWT from the request so it can be exchanged on behalf of the user.
              var authorizationHeader = context.Request.Headers["Authorization"].First();
              var userJwtToken = authorizationHeader.Substring("Bearer ".Length).Trim();

              // Get the current user identity from the authentication ticket.
              var authenticationTicket = context.Ticket;
              var identity = authenticationTicket.Identity;

              // Credential representing the current user. We need this to request a token
              // that allows our application access to the Azure AD Graph API.
              // Fall back from UPN to email, and reject the request (instead of throwing a
              // NullReferenceException) when neither claim is present.
              var userNameClaim = identity.FindFirst(ClaimTypes.Upn) ?? identity.FindFirst(ClaimTypes.Email);
              if (userNameClaim == null)
              {
                context.SetError("invalid_token", "Token carries neither a UPN nor an email claim.");
                context.Rejected();
                return;
              }
              var userName = userNameClaim.Value;
              var userAssertion = new UserAssertion(
                userJwtToken, "urn:ietf:params:oauth:grant-type:jwt-bearer", userName);

              // Credential representing our client application in Azure AD.
              var clientCredential = new ClientCredential(clientId, applicationKey);

              // Get a token on behalf of the current user that lets us call the Azure AD Graph API
              // for our tenant. Exceptions from this point on propagate to the middleware, so a
              // failed Graph call never yields a principal that is silently missing its role claims.
              var authenticationResult = await authenticationContext.AcquireTokenAsync(
                azureGraphApiUrl, clientCredential, userAssertion).ConfigureAwait(false);

              // Create the Graph API client and hand it the acquired token.
              var activeDirectoryClient = new ActiveDirectoryClient(
                graphApiServiceRootUrl, () => Task.FromResult(authenticationResult.AccessToken));

              // Get the current user's groups.
              var pagedUserGroups =
                await activeDirectoryClient.Me.MemberOf.ExecuteAsync().ConfigureAwait(false);
              do
              {
                // Collect groups and add them as role claims to our current principal.
                var directoryObjects = pagedUserGroups.CurrentPage.ToList();
                foreach (var directoryObject in directoryObjects)
                {
                  var group = directoryObject as Group;
                  if (group != null)
                  {
                    // Add the ObjectId of the group to the current identity as a role claim.
                    // Using the identity's own RoleClaimType makes the groups visible to
                    // [Authorize(Roles = "...")] and IsInRole().
                    identity.AddClaim(new Claim(identity.RoleClaimType, group.ObjectId));
                  }
                }
                pagedUserGroups = await pagedUserGroups.GetNextPageAsync().ConfigureAwait(false);
              } while (pagedUserGroups != null);
            }
          }
        });
      

      【Comments】:
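The answer above reaches the identity through the provider's OnValidateIdentity hook, which is the direct answer to the question: no extra middleware is needed. The following is an added example, not code from the original answer or from the sample it links, showing the same hook used to attach application-defined role claims from the app's own role store instead of calling the Graph API on every request. The Audience and Tenant values, the RoleStore contents and the object id in it are constructed assumptions; the claim type URI for the Azure AD "oid" claim is the one the .NET JWT handler maps it to.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.ActiveDirectory;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    // Assumed values; the sample reads ida:Audience and ida:Tenant from web.config instead.
    private const string Audience = "https://contoso.onmicrosoft.com/spa-api";
    private const string Tenant = "contoso.onmicrosoft.com";

    // .NET claim type the JWT handler maps the Azure AD "oid" claim to.
    private const string ObjectIdClaimType =
        "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // Hypothetical application role store keyed by the user's object id (constructed data;
    // a real application would read this from its own database).
    private static readonly IDictionary<string, string[]> RoleStore =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "11111111-1111-1111-1111-111111111111", new[] { "Reader", "Approver" } },
        };

    // Cache the lookup per user: OnValidateIdentity runs on every request carrying a bearer token.
    private static readonly ConcurrentDictionary<string, string[]> RoleCache =
        new ConcurrentDictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = Tenant,
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudience = Audience,
                },
                // No extra middleware is needed: the bearer middleware calls this provider
                // after signature, issuer, audience and lifetime checks have passed.
                Provider = new OAuthBearerAuthenticationProvider
                {
                    OnValidateIdentity = context =>
                    {
                        AddApplicationRoles(context);
                        return Task.FromResult(0);
                    }
                }
            });
    }

    // Attaches application-defined role claims to the principal for this request only.
    // The JWT itself is unchanged; the added claims live in the server-side ClaimsIdentity.
    internal static void AddApplicationRoles(OAuthValidateIdentityContext context)
    {
        var identity = context.Ticket.Identity;

        // Key the lookup on the immutable object id, not on UPN or email, which can be
        // reassigned to a different person.
        var objectId = identity.FindFirst(ObjectIdClaimType);
        if (objectId == null)
        {
            // Fail closed: a token without an object id (for example one issued to an
            // application rather than a user) gets no roles and no authenticated identity.
            context.SetError("invalid_token", "Token carries no object identifier claim.");
            context.Rejected();
            return;
        }

        var roles = RoleCache.GetOrAdd(objectId.Value, id =>
        {
            string[] found;
            return RoleStore.TryGetValue(id, out found) ? found : new string[0];
        });

        foreach (var role in roles)
        {
            // Use the identity's own RoleClaimType so [Authorize(Roles = "...")]
            // and IsInRole() see the added claims.
            identity.AddClaim(new Claim(identity.RoleClaimType, role));
        }
    }
}
```

Two points worth keeping in mind when adapting this. First, the cache has no eviction, so a role change only takes effect on application restart; a production version should use a bounded cache with a time-to-live short enough for your revocation requirements. Second, whatever is added here is trusted by every [Authorize] check downstream, so the role store must be writable only by administrators, and the lookup key must be a claim the issuer guarantees (the object id), not one the user controls.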
