What is the simplest way to get a user's groups from WAAD?

2023-09-08 13:07:15 Author: のo冄莼oの゛

I've got AngularJS and Web.API WAAD authentication up and running. For the client side I use the great library ADAL.JS. For the backend I use Microsoft.Owin.Security.OAuth. This part went quite smoothly.

Now I want to implement authorization based on roles (which will be mapped to WAAD groups). Groups are not included in the authentication token, so I must ask the Azure Graph API for them. I saw various ways to do it: using custom claims providers, adding web services to the project, etc. Some examples already provide a mapping between groups and roles to use in the [Authorize] attribute.

But what is the simplest example of how to get a list of group ids/names from WAAD, given a user ID or username, when I'm already authenticated?

Also, is there any way to get this data in JS to use in the Angular frontend, or should I create an API service which Angular should call for role info?

Recommended answer

In the non-JS case, the simplest way of getting groups in the token is by opting in: download your application's manifest, locate the "groupMembershipClaims" entry, change its value to "SecurityGroup" or "All", and upload the manifest back. However, note that this won't work for your scenario, because it uses the implicit grant. Here the token is returned in a URI fragment, hence a big token would risk blowing past the URL length limits of the browser. You can always request groups from the Graph and make them available to your frontend via a custom action on your API, but from what you wrote you are already familiar with that. Let me discuss the matter here; if there's a simpler route to make this work in SPAs, I'll get back to this thread. HTH V.

Update: I verified, and in the implicit grant case you will always receive groups via the overage claim. Please refer to https://github.com/AzureADSamples/WebApp-GroupClaims-DotNet/tree/master/WebApp-GroupClaims-DotNet - it will show you how to process the overage claim to retrieve groups. All you need to do is apply the same guidance to a web API instead, and if you need to make the info available to the client, expose one or more actions doing so.
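As an added example (not code from the question, the answer, or the linked sample), here is how a Node.js web API could process the claims the answer describes: use the "groups" claim when the token carries it, detect the overage claim ("_claim_names" / "_claim_sources") and resolve it through the endpoint it carries, then map group ids to roles for an [Authorize]-style check that the Angular client can be served from an API action. Everything tenant-specific is assumed: the group GUIDs, the role names, the sample tokens and the offline stand-in for the Graph call are constructed, and the real graphGetMemberObjects helper assumes the Azure AD Graph getMemberObjects contract (POST with api-version=1.6, response in "value") and is not exercised offline.

```javascript
// Added example, not code from the question, the answer or the linked sample. Assumes the
// Azure AD v1 JWT claim layout (groups, _claim_names, _claim_sources) and that the OAuth
// middleware has already validated the token signature before the payload reaches here.

// Assumed tenant-specific group-id -> role mapping; the GUIDs are constructed.
const GROUP_TO_ROLE = {
  '0f6c4a4e-2b8d-4d8a-9c1e-111111111111': 'Admin',
  '5a1d7c30-6e2f-4b6a-8e43-222222222222': 'Reader',
};
// Only follow overage endpoints on the Graph host we expect (added hardening).
const ALLOWED_GRAPH_HOST = 'graph.windows.net';

function base64UrlDecode(s) {
  const pad = (4 - (s.length % 4)) % 4;
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat(pad), 'base64').toString('utf8');
}

// Decode the payload of a compact JWS. No signature check here by design (see above).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWS with three segments');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Decide where the groups come from, with no I/O: 'token' (groups claim present),
// 'graph' (overage claim: caller must POST to the endpoint in _claim_sources), or 'none'.
function planGroupLookup(claims) {
  if (Array.isArray(claims.groups)) return { source: 'token', groups: claims.groups, endpoint: null };
  const srcName = claims._claim_names && claims._claim_names.groups;
  if (!srcName) return { source: 'none', groups: [], endpoint: null };
  const src = claims._claim_sources && claims._claim_sources[srcName];
  if (!src || typeof src.endpoint !== 'string') {
    throw new Error(`overage claim "${srcName}" has no endpoint in _claim_sources`);
  }
  if (new URL(src.endpoint).host !== ALLOWED_GRAPH_HOST) {
    throw new Error(`refusing overage endpoint on unexpected host: ${src.endpoint}`);
  }
  return { source: 'graph', groups: null, endpoint: src.endpoint };
}

// Resolve the group list; the Graph call is injected so the example runs offline.
async function resolveGroups(claims, getMemberObjects) {
  const plan = planGroupLookup(claims);
  return plan.source === 'graph' ? getMemberObjects(plan.endpoint) : plan.groups;
}

// Production Graph call (not exercised offline). Assumes the Azure AD Graph getMemberObjects
// contract: POST { securityEnabledOnly } with api-version=1.6, response { value: [ids] },
// authorized with an access token issued for https://graph.windows.net.
async function graphGetMemberObjects(endpoint, graphAccessToken) {
  const res = await fetch(`${endpoint}?api-version=1.6`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${graphAccessToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ securityEnabledOnly: true }),
  });
  if (!res.ok) throw new Error(`getMemberObjects failed: HTTP ${res.status}`);
  return (await res.json()).value;
}

// Map group ids to roles: unknown groups ignored, duplicates collapsed, result sorted.
function rolesFor(groupIds) {
  return [...new Set(groupIds.map((g) => GROUP_TO_ROLE[g]).filter(Boolean))].sort();
}

// Equivalent of [Authorize(Roles = "A,B")]: any one of the required roles is enough.
function isAuthorized(roles, requiredRoles) {
  return requiredRoles.some((r) => roles.includes(r));
}

// Constructed sample tokens (unsigned, placeholder signature) so this runs offline.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}
const TOKEN_WITH_GROUPS = makeSampleToken({ oid: 'user-1', groups: ['5a1d7c30-6e2f-4b6a-8e43-222222222222'] });
const TOKEN_WITH_OVERAGE = makeSampleToken({
  oid: 'user-2',
  _claim_names: { groups: 'src1' },
  _claim_sources: { src1: { endpoint: 'https://graph.windows.net/contoso.onmicrosoft.com/users/user-2/getMemberObjects' } },
});

// Offline stand-in for graphGetMemberObjects, returning constructed group ids.
async function fakeGetMemberObjects(endpoint) {
  return endpoint.includes('/users/user-2/') ? ['0f6c4a4e-2b8d-4d8a-9c1e-111111111111', 'unmapped-group'] : [];
}

async function main() {
  for (const token of [TOKEN_WITH_GROUPS, TOKEN_WITH_OVERAGE]) {
    const claims = decodeJwtPayload(token);
    const roles = rolesFor(await resolveGroups(claims, fakeGetMemberObjects));
    console.log(claims.oid, planGroupLookup(claims).source, roles, isAuthorized(roles, ['Admin']));
  }
}
main();
```

The split between planGroupLookup (pure) and resolveGroups (does I/O) is deliberate: the decision about whether a Graph round trip is needed can be unit-tested without network access, and the host check on the overage endpoint is a cheap defence in depth even though the claim comes from a signed token. In the setup the question describes, these helpers would run behind the Owin OAuth middleware, and the resulting role list is what an API action would return to the Angular client, which matches the answer's advice to expose the group information through your own API rather than trying to fit it into the implicit-flow token.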