Getting the list of groups an Azure AD user belongs to from claims in .NET Core

Der*_*ang 5 azure-active-directory .net-core

I am trying to get the list of groups an Azure AD user belongs to in .NET Core, using the token produced by the "Implicit Flow". There is no group information in it.

I am using the "Implicit Flow" described in the following link: .NET Core and Azure Active Directory integration

The following shows how to do it in .NET Framework, but .NET Core does not have the "ActiveDirectoryClient" class.

Get the list of groups an Azure AD user belongs to from claims

Any help is greatly appreciated!

Derek

Nan*_* Yu 5

You can first set the groupMembershipClaims property to SecurityGroup in the manifest, and then, after sign-in, get the group list in ASP.NET Core:

var groups = User.Claims.Where(c => c.Type == "groups").ToList();

Update:

Then you can call the Azure AD Graph API to get the group information. First refer to the code sample: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore

In the .NET Core app, you can take the group object ID and call the Graph API:

https://graph.windows.net/myorganization/groups/<objectid>?api-version=1.6

You can grant the Read all groups delegated permission for Windows Azure Active Directory in the Required permissions blade of your application. Then try the code below to get the group name:

    // Namespaces this snippet needs: System.Linq, System.Net.Http, System.Net.Http.Headers,
    // Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL) and Newtonsoft.Json.
    try
    {
        // Group object IDs emitted in the token once groupMembershipClaims is set in the manifest.
        var groups = User.Claims.Where(c => c.Type == "groups").ToList();
        if (groups.Count == 0)
        {
            // Either groupMembershipClaims is not set, or the user is in no security groups.
            return;
        }

        // Acquire a Graph token for the signed-in user from the ADAL cache (see the linked sample).
        string userObjectID = (User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
        AuthenticationContext authContext = new AuthenticationContext(Startup.Authority, new NaiveSessionCache(userObjectID, HttpContext.Session));
        ClientCredential credential = new ClientCredential(Startup.ClientId, Startup.ClientSecret);
        AuthenticationResult result = await authContext.AcquireTokenSilentAsync(Startup.GraphResourceId, credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));

        //
        // Retrieve the group information for the first group in the token.
        // Loop over "groups" in the same way to resolve every group.
        //
        HttpClient client = new HttpClient();
        HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, "https://graph.windows.net/myorganization/groups/" + groups[0].Value + "?api-version=1.6");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        HttpResponseMessage response = await client.SendAsync(request);

        if (response.IsSuccessStatusCode)
        {
            String responseString = await response.Content.ReadAsStringAsync();
            var model = JsonConvert.DeserializeObject<RootObject>(responseString);
            var groupName = model.displayName;
        }
        else if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
        {
            // The token was rejected by Graph: clear the cache and have the user sign in again.
        }
    }
    catch (Exception ee)
    {
        // Log the failure; do not silently swallow it.
    }

The group entity below is for your reference:

    // Shape of one group object returned by the Azure AD Graph API (api-version 1.6).
    public class RootObject
    {
        public string objectType { get; set; }
        public string objectId { get; set; }
        public object deletionTimestamp { get; set; }
        public string description { get; set; }
        public object dirSyncEnabled { get; set; }
        public string displayName { get; set; }
        public object mail { get; set; }
        public string mailNickname { get; set; }
        public bool mailEnabled { get; set; }
        public bool securityEnabled { get; set; }
    }
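The answer reads the "groups" claim and then resolves a group by object ID. The following is an added example, not code from the question, the answer or the linked sample, showing how a practitioner would consume that claim safely in ASP.NET Core: membership is decided on the group object ID (a GUID that cannot be changed) rather than on displayName (which a group owner can rename), every claim value is validated as a GUID before it is spliced into the Graph URL, and the case where Azure AD omits the groups from the token because the user is in too many of them (the `hasgroups` marker used by the implicit flow, or `_claim_names` in other flows) is detected instead of being treated as "member of nothing". It assumes only System.Security.Claims from the .NET Core base library; the principal, the group IDs and the claim values are constructed sample data, and `GroupClaims` and its methods are names chosen for this example.

```csharp
// Added example: authorization from the Azure AD "groups" claim in .NET Core.
// Not from the original post. Uses only System.Security.Claims; all claims
// and GUIDs below are constructed sample data, not real tenant values.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class GroupClaims
{
    // Claim type Azure AD emits once groupMembershipClaims is set in the manifest.
    public const string GroupsClaimType = "groups";

    // Emitted instead of "groups" when the user is in too many groups for the token:
    // "hasgroups" in the implicit flow, "_claim_names" (with "_claim_sources") otherwise.
    static readonly string[] OverageClaimTypes = { "hasgroups", "_claim_names" };

    public static bool HasGroupOverage(ClaimsPrincipal user) =>
        user.Claims.Any(c => OverageClaimTypes.Contains(c.Type));

    // Group object IDs from the token, validated as GUIDs so that a malformed value
    // can never reach a Graph URL or a policy comparison.
    public static IReadOnlyList<Guid> GetGroupObjectIds(ClaimsPrincipal user)
    {
        var ids = new List<Guid>();
        foreach (var claim in user.FindAll(GroupsClaimType))
        {
            if (!Guid.TryParse(claim.Value, out var id))
                throw new FormatException($"groups claim is not an object ID: {claim.Value}");
            ids.Add(id);
        }
        return ids;
    }

    // Membership decision by object ID. An overage token carries no groups at all,
    // so it must not be read as "not a member": fail closed and resolve via Graph.
    public static bool IsMemberOf(ClaimsPrincipal user, Guid requiredGroup)
    {
        if (HasGroupOverage(user))
            throw new InvalidOperationException(
                "groups omitted from token (overage); query the Graph API for membership");
        return GetGroupObjectIds(user).Contains(requiredGroup);
    }

    // The Graph URL from the answer, built only from a validated GUID.
    public static string GroupLookupUrl(Guid groupId) =>
        $"https://graph.windows.net/myorganization/groups/{groupId:D}?api-version=1.6";

    // Builds a ClaimsPrincipal the way the authentication handler would from token
    // claims (constructed data for this demo; in a controller use the User property).
    public static ClaimsPrincipal SamplePrincipal(params (string type, string value)[] claims)
    {
        var identity = new ClaimsIdentity(
            claims.Select(c => new Claim(c.type, c.value)), "AzureAD");
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        var admins = Guid.Parse("11111111-2222-3333-4444-555555555555");
        var user = SamplePrincipal(
            ("http://schemas.microsoft.com/identity/claims/objectidentifier",
             "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"),
            (GroupsClaimType, admins.ToString()),
            (GroupsClaimType, "66666666-7777-8888-9999-000000000000"));

        Console.WriteLine($"member of admins: {IsMemberOf(user, admins)}");
        Console.WriteLine($"groups in token: {GetGroupObjectIds(user).Count}");
        Console.WriteLine(GroupLookupUrl(admins));

        // Implicit-flow overage token: no "groups", only the marker claim.
        var overage = SamplePrincipal(("hasgroups", "true"));
        Console.WriteLine($"overage: {HasGroupOverage(overage)}");
    }
}
```

In an ASP.NET Core app the same check belongs in an authorization policy (for example `options.AddPolicy("Admins", p => p.RequireClaim("groups", adminGroupId))`), with the group object ID read from configuration rather than hard-coded; the `IsMemberOf` helper above is the equivalent decision with the overage case made explicit.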