Once we enable Azure AD, it becomes our unified authentication platform and we become a tenant of the Azure platform, so every user under our tenant has to be created and maintained on the Azure side.
This is different from our usual development habit of supplying a database connection string and writing users into our own database: AAD requires us to manage users through the Microsoft Graph API.
Azure AD has two types of users: member users and guest users. Guest users join the organization by redeeming their invitation. A guest user can be converted to a member and then enjoys all the privileges of a member.
The official API offers many endpoints for handling users, covering not only create/read/update/delete but also changing and resetting passwords, changing roles and other user attributes.
Below we look at how to implement the common user operations.
I. Add the configuration file
```json
"AzureADAppSetup": {
  "loginDomain": "https://login.chinacloudapi.cn",
  "domain": "https://microsoftgraph.chinacloudapi.cn",
  "application": "xx-xxx-xxx-xx",
  "b2cExtensionsApplicationClientID": "xxxx"
},
"AzureADAppTokenSetup": {
  "grantType": "client_credentials",
  "clientId": "xxxx-xxx-xxxxx-xxxx-xxxxxxxx",
  "clientSecret": "",
  "scope": "https://microsoftgraph.chinacloudapi.cn/.default"
},
```
Read the configuration into memory so it is easy to use. The clientSecret is left empty in the file on purpose: supply it at runtime from an environment variable or a secret store rather than committing it with the settings file.
```csharp
// Copy the settings into static holders so the helpers below can reach them
AzureADAppSetup.application = Configuration["AzureADAppSetup:application"];
AzureADAppSetup.domain = Configuration["AzureADAppSetup:domain"];
AzureADAppSetup.loginDomain = Configuration["AzureADAppSetup:loginDomain"];
AzureADAppSetup.b2cExtensionsApplicationClientID = Configuration["AzureADAppSetup:b2cExtensionsApplicationClientID"];
AzureADAppTokenSetup.grantType = Configuration["AzureADAppTokenSetup:grantType"];
AzureADAppTokenSetup.clientId = Configuration["AzureADAppTokenSetup:clientId"];
AzureADAppTokenSetup.clientSecret = Configuration["AzureADAppTokenSetup:clientSecret"];
AzureADAppTokenSetup.scope = Configuration["AzureADAppTokenSetup:scope"];
```
II. Obtain a token for accessing Graph
Every call that operates on AAD users must carry an access token, so the token has to be obtained first.
```csharp
using System;
using Newtonsoft.Json.Linq;
using RestSharp;

// Token cache. The page does not show Permissions or isExpiredToken(); the expiry
// field and the check below are an assumed implementation based on expires_in.
public static class Permissions
{
    public static string AAD_TOKEN = "";
    public static DateTime AAD_TOKEN_EXPIRES_AT = DateTime.MinValue;
}

private static bool isExpiredToken()
{
    return string.IsNullOrEmpty(Permissions.AAD_TOKEN)
        || DateTime.UtcNow >= Permissions.AAD_TOKEN_EXPIRES_AT;
}

public static string GetToken()
{
    if (!isExpiredToken())
    {
        return Permissions.AAD_TOKEN;
    }
    // Client-credentials flow against the v2.0 token endpoint; the config's
    // "application" value fills the tenant segment of the endpoint path
    var client = new RestClient($"{AzureADAppSetup.loginDomain}/{AzureADAppSetup.application}/oauth2/v2.0/token");
    var request = new RestRequest(Method.POST);
    request.AlwaysMultipartFormData = true;
    request.AddParameter("grant_type", AzureADAppTokenSetup.grantType);
    request.AddParameter("client_id", AzureADAppTokenSetup.clientId);
    request.AddParameter("client_secret", AzureADAppTokenSetup.clientSecret);
    request.AddParameter("scope", AzureADAppTokenSetup.scope);
    IRestResponse response = client.Execute(request);
    var content = response.Content;
    if (string.IsNullOrEmpty(content))
    {
        return ""; // transport failure: nothing to parse
    }
    var j = JObject.Parse(content);
    var token = j.Value<string>("access_token");
    if (!string.IsNullOrEmpty(token))
    {
        Permissions.AAD_TOKEN = token;
        // refresh a minute before the lifetime reported by the token endpoint runs out
        var expiresIn = j.Value<int?>("expires_in") ?? 3600;
        Permissions.AAD_TOKEN_EXPIRES_AT = DateTime.UtcNow.AddSeconds(Math.Max(expiresIn - 60, 0));
        return token;
    }
    return "";
}
```
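A token that comes back from the endpoint is not necessarily one that Graph will accept for user management: the scope may point at the wrong resource, the app registration may sit in another tenant, or the application permission may never have been consented to. The following added example (not code from the original post) decodes the JWT payload that GetToken() returns and checks audience, tenant, expiry and the `roles` claim before the token is cached. It only decodes, it does not verify the signature (Graph does that on every call); its purpose is to fail fast on misconfiguration. The tenant id, the required permission name `User.ReadWrite.All` (the application permission typically needed to create and update users) and the sample token are assumptions or constructed values, not from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

public static class GraphTokenInspector
{
    public sealed class Result
    {
        public bool Ok;
        public string Reason = "ok";
        public string Audience = "";
        public string Tenant = "";
        public List<string> Roles = new List<string>();
        public DateTimeOffset ExpiresAt;
    }

    // expectedAudience: the Graph base URL from config (https://microsoftgraph.chinacloudapi.cn on this page)
    // expectedTenant:   the tenant id the app registration lives in (assumed placeholder in Main)
    // requiredRole:     the application permission the user operations need
    public static Result Inspect(string jwt, string expectedAudience, string expectedTenant, string requiredRole)
    {
        var r = new Result();
        var parts = jwt.Split('.');
        if (parts.Length != 3) { r.Reason = "not a compact JWS"; return r; }

        using var doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        var p = doc.RootElement;

        // aud may be a string or an array
        if (p.TryGetProperty("aud", out var aud))
            r.Audience = aud.ValueKind == JsonValueKind.Array ? (aud[0].GetString() ?? "") : (aud.GetString() ?? "");
        if (p.TryGetProperty("tid", out var tid)) r.Tenant = tid.GetString() ?? "";
        if (p.TryGetProperty("exp", out var exp)) r.ExpiresAt = DateTimeOffset.FromUnixTimeSeconds(exp.GetInt64());
        if (p.TryGetProperty("roles", out var roles) && roles.ValueKind == JsonValueKind.Array)
            foreach (var e in roles.EnumerateArray()) r.Roles.Add(e.GetString() ?? "");

        // Graph tokens carry either the resource URL or Graph's well-known application id as audience
        const string graphAppId = "00000003-0000-0000-c000-000000000000";
        if (r.Audience.TrimEnd('/') != expectedAudience.TrimEnd('/') && r.Audience != graphAppId)
        { r.Reason = $"audience is '{r.Audience}', token is not for Graph (check the scope setting)"; return r; }
        if (r.Tenant != expectedTenant)
        { r.Reason = $"tenant is '{r.Tenant}', expected '{expectedTenant}'"; return r; }
        if (r.ExpiresAt <= DateTimeOffset.UtcNow)
        { r.Reason = "token already expired"; return r; }
        // client-credentials tokens carry application permissions in 'roles' (there is no 'scp' claim)
        if (!r.Roles.Contains(requiredRole))
        { r.Reason = $"missing application permission {requiredRole}; grant it and give admin consent"; return r; }

        r.Ok = true;
        return r;
    }

    static string Base64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4) { case 2: s += "=="; break; case 3: s += "="; break; }
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    static string Base64UrlEncode(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Constructed, unsigned sample token so the check can be exercised offline
    public static string BuildSampleToken(string tenant, bool withRole)
    {
        long exp = DateTimeOffset.UtcNow.AddHours(1).ToUnixTimeSeconds();
        string roles = withRole ? "[\"User.ReadWrite.All\"]" : "[]";
        string payload = "{\"aud\":\"https://microsoftgraph.chinacloudapi.cn\",\"tid\":\"" + tenant +
                         "\",\"roles\":" + roles + ",\"exp\":" + exp + "}";
        return Base64UrlEncode("{\"alg\":\"none\",\"typ\":\"JWT\"}") + "." + Base64UrlEncode(payload) + ".";
    }

    public static void Main()
    {
        const string tenant = "<tenant-id-placeholder>";   // assumed value
        const string graph = "https://microsoftgraph.chinacloudapi.cn";
        foreach (var withRole in new[] { true, false })
        {
            var res = Inspect(BuildSampleToken(tenant, withRole), graph, tenant, "User.ReadWrite.All");
            Console.WriteLine($"{(res.Ok ? "usable" : "reject")}: {res.Reason}");
        }
    }
}
```

In practice you would call Inspect once inside GetToken() right after parsing `access_token`, and refuse to cache a token that fails the check; the first run of Main prints "usable", the second is rejected for the missing permission.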
III. Create, delete, update and query user data
1. Adding a user resource
```csharp
using System.Collections.Generic;
using System.Dynamic;
using Newtonsoft.Json;
using RestSharp;

// Build the user object to create. userVo (login, display name, password) and
// selectRoleModel (the role written into the extension attribute) are the caller's
// inputs and are not shown on the page.
var identities = new List<IdentityVo>
{
    new IdentityVo
    {
        signInType = "userName",
        issuer = AzureAdB2CSetup.Domain,   // the tenant's B2C domain, from a settings class not shown here
        issuerAssignedId = userVo.Login,
    }
};
var azureUserDto = AddExtensionAttribute(selectRoleModel.Name);
azureUserDto.displayName = userVo.DisplayName;
azureUserDto.passwordPolicies = "DisablePasswordExpiration";
azureUserDto.passwordProfile = new Passwordprofile
{
    password = userVo.Password,
    forceChangePasswordNextSignIn = true,
};
azureUserDto.identities = identities;
var aadInsert = AzureADApp.AddUserByToken(azureUserDto); // POST the object, carrying the token

// AddUserByToken wrapped as a method
public static string AddUserByToken(dynamic azureUserDto)
{
    var client = new RestClient($"{AzureADAppSetup.domain}/v1.0/users");
    var request = new RestRequest(Method.POST);
    request.AddHeader("Content-Type", "application/json");
    request.AddHeader("Authorization", $"Bearer {GetToken()}");
    request.AddParameter("application/json", JsonConvert.SerializeObject(azureUserDto), ParameterType.RequestBody);
    IRestResponse response = client.Execute(request);
    return response.Content; // on success Graph answers 201 Created with the new user, including its id
}

// Extension attributes are used here; if you want to know more about them, ask me separately.
// Name of the custom attribute defined in the B2C tenant; not shown on the page, placeholder value
private const string extensionAttribute = "Role";

private static dynamic AddExtensionAttribute(string role = "xxx")
{
    IDictionary<string, object> result = new ExpandoObject();
    // Graph names B2C custom attributes extension_{b2c-extensions-app client id without dashes}_{name}
    var extensionAttr = $"extension_{AzureADAppSetup.b2cExtensionsApplicationClientID}_{extensionAttribute}";
    result.Add(extensionAttr, role);
    return result as ExpandoObject;
}
```
2. Delete
Calling the official API with the user's AAD object id is all that is needed to delete.
```csharp
using System.Net;
using RestSharp;

public static bool DeleteUserByToken(string aadId = "")
{
    if (string.IsNullOrEmpty(aadId))
    {
        return false;
    }
    var client = new RestClient($"{AzureADAppSetup.domain}/v1.0/users/{aadId}");
    var request = new RestRequest(Method.DELETE);
    request.AddHeader("Authorization", $"Bearer {GetToken()}");
    IRestResponse response = client.Execute(request);
    // Graph answers 204 No Content on success. Checking for an empty body alone is not
    // enough: a failed connection also yields an empty body, so test the status code.
    return response.StatusCode == HttpStatusCode.NoContent;
}
```
3. Update
The input for an update is almost the same as for creation; adjust it as needed. The only difference is the official API being called.
```csharp
using RestSharp;

// PATCH only the properties that change; azureUserDtoJson is the serialized DTO built as in the creation step
public static string UpdateUserByToken(string aadId, string azureUserDtoJson)
{
    var client = new RestClient($"{AzureADAppSetup.domain}/v1.0/users/{aadId}");
    var request = new RestRequest(Method.PATCH);
    request.AddHeader("Content-Type", "application/json");
    request.AddHeader("Authorization", $"Bearer {GetToken()}");
    request.AddParameter("application/json", azureUserDtoJson, ParameterType.RequestBody);
    IRestResponse response = client.Execute(request);
    return response.Content; // empty on success (204 No Content), a Graph error object otherwise
}
```
4. Query
Querying is even simpler; just follow the official documentation, so it is not covered here.
Besides the four CRUD operations above, there is also changing and resetting passwords.
This was already touched on in the update section above; the main work is building the parameters.
```csharp
// Same payload shape as for creation; PATCH it to /v1.0/users/{aadId}
var azureUserDto = AddExtensionAttribute(selectRoleModel.Name);
azureUserDto.displayName = userVo.DisplayName;
azureUserDto.passwordPolicies = "DisablePasswordExpiration";
azureUserDto.passwordProfile = new Passwordprofile
{
    password = userVo.Password,
    forceChangePasswordNextSignIn = true,
};
azureUserDto.identities = identities;
```
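The create, update, delete and password-reset calls above all decide success by looking at the response body, which conflates "Graph said no" with "the request never arrived", and they drop the error object Graph returns on failure. The following added example (not code from the original post) performs the same four operations with HttpClient, checks the status code Graph documents for each call (201 for create, 204 for update and delete), parses Graph's `{"error":{"code":...,"message":...}}` body, records the Retry-After value when Graph throttles with 429, and sends a password reset as a PATCH carrying only `passwordProfile`. The token provider delegate (the page's GetToken works), the Graph base URL and the sample error body in Main are assumptions or constructed values.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public sealed class GraphUserClient
{
    private readonly HttpClient _http;
    private readonly string _graphBase;
    private readonly Func<string> _getToken;

    // graphBase: e.g. AzureADAppSetup.domain; getToken: e.g. the page's GetToken
    public GraphUserClient(HttpClient http, string graphBase, Func<string> getToken)
    {
        _http = http;
        _graphBase = graphBase.TrimEnd('/');
        _getToken = getToken;
    }

    public sealed class GraphResult
    {
        public bool Ok;
        public HttpStatusCode Status;
        public string ObjectId = "";      // id of the created user, for create only
        public string ErrorCode = "";     // Graph "error.code"
        public string ErrorMessage = "";  // Graph "error.message"
        public int RetryAfterSeconds;     // set when Graph throttles (429)
    }

    // POST /v1.0/users -> 201 Created with the user object in the body
    public Task<GraphResult> CreateUserAsync(object userDto) =>
        SendAsync(HttpMethod.Post, "/v1.0/users", userDto, HttpStatusCode.Created);

    // PATCH /v1.0/users/{id} -> 204 No Content
    public Task<GraphResult> UpdateUserAsync(string aadId, object patchDto) =>
        SendAsync(new HttpMethod("PATCH"), $"/v1.0/users/{Uri.EscapeDataString(aadId)}", patchDto, HttpStatusCode.NoContent);

    // A password reset only needs passwordProfile; displayName and identities need not be resent
    public Task<GraphResult> ResetPasswordAsync(string aadId, string newPassword, bool forceChangeNextSignIn) =>
        UpdateUserAsync(aadId, new { passwordProfile = new { password = newPassword, forceChangePasswordNextSignIn = forceChangeNextSignIn } });

    // DELETE /v1.0/users/{id} -> 204 No Content
    public Task<GraphResult> DeleteUserAsync(string aadId) =>
        SendAsync(HttpMethod.Delete, $"/v1.0/users/{Uri.EscapeDataString(aadId)}", null, HttpStatusCode.NoContent);

    private async Task<GraphResult> SendAsync(HttpMethod method, string path, object body, HttpStatusCode expected)
    {
        using var req = new HttpRequestMessage(method, _graphBase + path);
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _getToken());
        if (body != null)
            req.Content = new StringContent(JsonSerializer.Serialize(body), Encoding.UTF8, "application/json");

        using var resp = await _http.SendAsync(req);
        var text = await resp.Content.ReadAsStringAsync();
        var result = new GraphResult { Status = resp.StatusCode, Ok = resp.StatusCode == expected };
        if (result.Ok)
        {
            if (expected == HttpStatusCode.Created) result.ObjectId = ExtractId(text);
            return result;
        }
        if ((int)resp.StatusCode == 429 && resp.Headers.RetryAfter?.Delta is TimeSpan delta)
            result.RetryAfterSeconds = (int)delta.TotalSeconds;
        ParseGraphError(text, result);
        return result;
    }

    // Graph error bodies have the shape {"error":{"code":"...","message":"..."}}
    public static void ParseGraphError(string json, GraphResult into)
    {
        if (string.IsNullOrWhiteSpace(json)) return;
        try
        {
            using var doc = JsonDocument.Parse(json);
            if (doc.RootElement.TryGetProperty("error", out var err))
            {
                if (err.TryGetProperty("code", out var c)) into.ErrorCode = c.GetString() ?? "";
                if (err.TryGetProperty("message", out var m)) into.ErrorMessage = m.GetString() ?? "";
            }
        }
        catch (JsonException) { into.ErrorMessage = json; } // non-JSON body (e.g. a proxy page)
    }

    private static string ExtractId(string json)
    {
        using var doc = JsonDocument.Parse(json);
        return doc.RootElement.TryGetProperty("id", out var id) ? (id.GetString() ?? "") : "";
    }

    public static void Main()
    {
        // Offline demonstration on a constructed Graph error body
        var sample = "{\"error\":{\"code\":\"Request_ResourceNotFound\",\"message\":\"Resource does not exist.\"}}";
        var r = new GraphResult { Status = HttpStatusCode.NotFound };
        ParseGraphError(sample, r);
        Console.WriteLine($"{(int)r.Status} {r.ErrorCode}: {r.ErrorMessage}");
        // Live use: var client = new GraphUserClient(new HttpClient(), AzureADAppSetup.domain, GetToken);
        //           var res = await client.DeleteUserAsync(aadId); if (!res.Ok) log res.Status and res.ErrorCode
    }
}
```

Keeping the error code and Retry-After in the result lets the caller distinguish a missing user (404) from a throttled request (429, wait the indicated seconds and retry) or a token rejected by Graph (401, get a fresh token), instead of reporting all of them as a generic failure.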
For further operations, Microsoft's official documentation lists the APIs in much more detail; it is worth a look.