当前位置: 文江博客 话题详情

春季启动授权问题,来自Azure AD Auth Server的角色

发布于 2025-01-28 08:54:11 字数 1858 浏览 3 评论 0 原文

根据此,我们用Azure AD实现了Spring Boot Auth: https://ordina-jworks.github.io/security/2020/08/18/securing-applications-applications-azure-ad.html

在这里,访问令牌验证正常,但不显示任何当局:

SecurityContext securityContext = SecurityContextHolder.getContext();
Authentication authentication = securityContext.getAuthentication();        
Collection<? extends GrantedAuthority> authoritiesFromToken = authentication.getAuthorities();              
System.out.println("authoritiesFromToken:  " + authoritiesFromToken);

使用了以下依赖项:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>

添加了App AD中的App角色:https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

使用Postman获得客户凭据的Azure AD令牌: https://learn.microsoft.com/en-us/rest/rest/rest/servicebus/get-azure-azure-active-directory-token

在此运行该应用程序之后set to the application is not printed.

我们还需要做什么才能扮演角色?

原文

As per this we implemented Spring boot auth with Azure AD: https://ordina-jworks.github.io/security/2020/08/18/Securing-Applications-Azure-AD.html

Here the access token validation works fine but not showing any authorities:

SecurityContext securityContext = SecurityContextHolder.getContext();
Authentication authentication = securityContext.getAuthentication();        
Collection<? extends GrantedAuthority> authoritiesFromToken = authentication.getAuthorities();              
System.out.println("authoritiesFromToken:  " + authoritiesFromToken);

The following dependencies are used:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>

Added app roles in Azure AD: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps

Used Postman to get the Azure AD token with client credentials: https://learn.microsoft.com/en-us/rest/api/servicebus/get-azure-active-directory-token

After this run the application but the app roles set to the application is not printed.

What we need to do to get the roles as well?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

被翻牌 2025-02-04 08:54:11

我们需要添加
范围:OpenID,配置文件
在application.yml文件中获取用户的个人资料信息。

we need add
scope: openid,profile
in application.yml file to get the profile information of user.

回复 原文
玩世 2025-02-04 08:54:11
  • Sometimes token is an access token may not be for your app.这
    roles you are looking for can be present in the id token.
  • 请确保检查ID令牌和访问令牌
    身份验证刀片或通过单独检查。

  • 由于您无法访问令牌中的角色。请检查
    如果您没有在请求参数中分配资源
    以及(client_id,grant_type等)。默认情况下资源
    也许像00000002-0000-0000-C000-000000000000。也可以通过发送
    响应类型=在请求中的令牌。

请检查此使用Azure Active Directory(aaddevsup.xyz)的Spring Boot启动器(aaddevsup.xyz) Azure Ad Ad保护的Web API

将以下依赖项添加到您的pom.xml文件中。

<dependency>
    <groupId>com.azure.spring</groupId>
    <artifactId>spring-cloud-azure-starter-active-directory</artifactId>
   // <version>4.0.0</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>

根据此处的注释,添加应用程序角色并从令牌-Microsoft Identity Platform |微软文档

注意:当前 如果将服务主体添加到组,然后将应用程序角色分配给该组,则Azure AD不会添加角色
要求令牌发行 。 Azure AD发出每个角色的角色
that the user or service principal has been granted individually to
用户和用户的组成员资格。

角色也可以直接添加在清单JSON文件中。

"appRoles": [
{
    "allowedMemberTypes": [
        "User , Applications"
    ],
    "description": " ",
    "displayName": " ",
    "id": "<Guid> ",
    "isEnabled": true,
    "lang": null,
    "origin": "<> ",
    "value": "  "
},
]

如果您要在应用程序呼叫api中实现应用程序角色业务逻辑
方案,您有两个应用程序注册。一个应用程序注册是用于
该应用程序和第二个应用程序注册是针对API的。 在这种情况下,
定义应用程序角色并将其分配给应用程序中的用户或组
API的注册。 用户使用应用程序进行身份验证时
请求访问令牌拨打API,其中包括角色索赔
访问令牌。您的下一步是将代码添加到Web API中
调用API时检查这些角色。

检查用户。阅读是图形API,要获得应用程序的api代币,应在API上示出范围,并授予管理员同意的API权限。

要了解如何将授权添加到您的Web API中,请参见受保护的Web API:验证范围和应用程序角色。

参考:
Azure Active Directory开发人员指南的春季启动器|微软文档

  • Sometimes token is an access token may not be for your app. The
    roles you are looking for can be present in the id token.
  • Please make sure to check both id token and access token in
    authentication blade or try by checking both individually.

enter image description here

  • As you were not able to access the roles in your token. Please check
    if you were not assigning a resource in request parameters
    along with (client_id, grant_type, etc.) . By default the resource
    maybe something like 00000002-0000-0000-c000-000000000000. Also try by sending
    responseType =token in the request.

Please check this Azure AD-protected Web API using Spring Boot Starter for Azure Active Directory (aaddevsup.xyz)

Add the following dependencies to your pom.xml file.

<dependency>
    <groupId>com.azure.spring</groupId>
    <artifactId>spring-cloud-azure-starter-active-directory</artifactId>
   // <version>4.0.0</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>

According to note here in Add app roles and get them from a token - Microsoft identity platform | Microsoft Docs

Note: Currently if you add a service principal to a group, and then assign an app role to that group, Azure AD does not add the roles
claim to tokens it issues. Azure AD emits a roles claim for each role
that the user or service principal has been granted individually to
the user and the user's group memberships.

The roles could also be added directly in the manifest json file.

"appRoles": [
{
    "allowedMemberTypes": [
        "User , Applications"
    ],
    "description": " ",
    "displayName": " ",
    "id": "<Guid> ",
    "isEnabled": true,
    "lang": null,
    "origin": "<> ",
    "value": "  "
},
]

If you're implementing app role business logic in an app-calling-API
scenario, you have two app registrations. One app registration is for
the app, and a second app registration is for the API. In this case,
define the app roles and assign them to the user or group in the app
registration of the API. When the user authenticates with the app and
requests an access token to call the API, a roles claim is included in
the access token. Your next step is to add code to your web API to
check for those roles when the API is called.

Check the user.read is for graph api and to get token for api for your app should have the scope exposed for api.and granted api permissions for admin consent.

To learn how to add authorization to your web API, see Protected web API: Verify scopes and app roles.

Reference :
Spring Boot Starter for Azure Active Directory developer's guide | Microsoft Docs

回复 原文
~没有更多了~

关于作者

漫雪独思

暂无简介

文章
评论
28 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

诺曦

文章 0 评论 0

要走干脆点

文章 0 评论 0

把回忆走一遍

文章 0 评论 0

陌上青苔

文章 0 评论 0

Arthur

文章 0 评论 0

哄哄

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文