Once the Azure AD service is enabled it becomes our unified authentication platform and we become a tenant of the Azure platform, so every user in our tenant has to be created and maintained on the Azure side.
This is unlike ordinary development, where you supply a database connection string and write users into your own database: AAD requires that users be managed through the Microsoft Graph API.
Azure AD has two kinds of users: member users and guest users. A guest joins the organization by redeeming an invitation, and a guest can later be converted to a member with all the privileges of a member.
The official API goes well beyond create, read, update and delete: it also covers changing and resetting passwords, changing roles and editing other user attributes.
Below we look at how to implement the common user operations.
I. Add the configuration file
The settings below go into appsettings.json. `application` is the tenant (directory) ID that appears in the token URL, and `clientSecret` is intentionally empty here: load it from user secrets, an environment variable or Key Vault at runtime rather than committing it with the code.

```json
"AzureADAppSetup": {
  "loginDomain": "https://login.chinacloudapi.cn",
  "domain": "https://microsoftgraph.chinacloudapi.cn",
  "application": "xx-xxx-xxx-xx",
  "b2cExtensionsApplicationClientID": "xxxx"
},
"AzureADAppTokenSetup": {
  "grantType": "client_credentials",
  "clientId": "xxxx-xxx-xxxxx-xxxx-xxxxxxxx",
  "clientSecret": "",
  "scope": "https://microsoftgraph.chinacloudapi.cn/.default"
},
```
Read the settings into static fields at startup so they are easy to use everywhere:

```csharp
AzureADAppSetup.application = Configuration["AzureADAppSetup:application"];
AzureADAppSetup.domain = Configuration["AzureADAppSetup:domain"];
AzureADAppSetup.loginDomain = Configuration["AzureADAppSetup:loginDomain"];
AzureADAppSetup.b2cExtensionsApplicationClientID = Configuration["AzureADAppSetup:b2cExtensionsApplicationClientID"];
AzureADAppTokenSetup.grantType = Configuration["AzureADAppTokenSetup:grantType"];
AzureADAppTokenSetup.clientId = Configuration["AzureADAppTokenSetup:clientId"];
AzureADAppTokenSetup.clientSecret = Configuration["AzureADAppTokenSetup:clientSecret"];
AzureADAppTokenSetup.scope = Configuration["AzureADAppTokenSetup:scope"];
```
II. Get a token for calling Graph
Every call to the AAD user endpoints must carry an access token, so the token is obtained first. With the client_credentials grant the application authenticates as itself, so what it may do is determined by the application permissions granted to it (for example User.ReadWrite.All), not by any signed-in user.
```csharp
public static string GetToken()
{
    // Reuse the cached token until shortly before it expires. AAD_TOKEN_EXPIRES_AT is a
    // DateTime static kept next to AAD_TOKEN (the isExpiredToken() helper was not shown).
    if (!string.IsNullOrEmpty(Permissions.AAD_TOKEN) && DateTime.UtcNow < Permissions.AAD_TOKEN_EXPIRES_AT)
    {
        return Permissions.AAD_TOKEN;
    }
    var client = new RestClient($"{AzureADAppSetup.loginDomain}/{AzureADAppSetup.application}/oauth2/v2.0/token");
    var request = new RestRequest(Method.POST);
    // The token endpoint requires application/x-www-form-urlencoded, which is how RestSharp
    // sends AddParameter values on a POST; AlwaysMultipartFormData must not be set.
    request.AddParameter("grant_type", AzureADAppTokenSetup.grantType);
    request.AddParameter("client_id", AzureADAppTokenSetup.clientId);
    request.AddParameter("client_secret", AzureADAppTokenSetup.clientSecret);
    request.AddParameter("scope", AzureADAppTokenSetup.scope);
    IRestResponse response = client.Execute(request);
    var j = JObject.Parse(response.Content);
    var token = j.Value<string>("access_token");
    if (string.IsNullOrEmpty(token))
    {
        // Fail loudly instead of returning ""; error_description carries the AADSTS code, never the secret.
        throw new InvalidOperationException($"Token request failed: {j.Value<string>("error_description")}");
    }
    Permissions.AAD_TOKEN = token;
    Permissions.AAD_TOKEN_EXPIRES_AT = DateTime.UtcNow.AddSeconds(j.Value<int>("expires_in") - 60);
    return token;
}
```
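As an added example (not code from the original post), the same client-credentials flow written against HttpClient rather than RestSharp: the form body is sent with the content type the token endpoint requires, the token is cached and renewed a minute before `expires_in` runs out, concurrent callers share one request, and a failed response is reported without ever echoing the client secret. It runs offline against a constructed stand-in for login.chinacloudapi.cn; the tenant ID, client ID and secret placeholders, and the environment variable name, are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Added example, not from the original post: client-credentials token provider for
// Microsoft Graph (Azure China endpoints, as in this post) with expiry-aware caching.
public sealed class GraphTokenProvider
{
    private readonly HttpClient _http;
    private readonly string _tokenUrl;
    private readonly Dictionary<string, string> _form;
    private readonly SemaphoreSlim _gate = new(1, 1);
    private string? _token;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;

    public GraphTokenProvider(HttpClient http, string loginDomain, string tenantId,
                              string clientId, string clientSecret, string scope)
    {
        _http = http;
        // The path segment is the tenant (directory) ID, which the post's config calls "application".
        _tokenUrl = $"{loginDomain}/{tenantId}/oauth2/v2.0/token";
        _form = new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret,
            ["scope"] = scope,
        };
    }

    public async Task<string> GetTokenAsync(CancellationToken ct = default)
    {
        if (_token is not null && DateTimeOffset.UtcNow < _expiresAt) return _token;
        await _gate.WaitAsync(ct);
        try
        {
            // Re-check under the lock so concurrent callers do not each request a token.
            if (_token is not null && DateTimeOffset.UtcNow < _expiresAt) return _token;

            // FormUrlEncodedContent sends application/x-www-form-urlencoded, which the
            // token endpoint requires (multipart/form-data is rejected).
            using var resp = await _http.PostAsync(_tokenUrl, new FormUrlEncodedContent(_form), ct);
            var body = await resp.Content.ReadAsStringAsync(ct);
            using var doc = JsonDocument.Parse(body);
            if (!resp.IsSuccessStatusCode)
            {
                // error_description carries the AADSTS code; the secret is never echoed.
                var err = doc.RootElement.TryGetProperty("error_description", out var d) ? d.GetString() : body;
                throw new InvalidOperationException($"Token request failed ({(int)resp.StatusCode}): {err}");
            }
            _token = doc.RootElement.GetProperty("access_token").GetString()
                     ?? throw new InvalidOperationException("access_token missing from response");
            var expiresIn = doc.RootElement.GetProperty("expires_in").GetInt32();
            // Renew 60 s early so no Graph call goes out with a token about to expire.
            _expiresAt = DateTimeOffset.UtcNow.AddSeconds(Math.Max(expiresIn - 60, 0));
            return _token;
        }
        finally { _gate.Release(); }
    }
}

// Constructed stand-in for the token endpoint so the example runs offline. It enforces
// the content type the real endpoint insists on and returns a made-up token.
public sealed class FakeTokenEndpoint : HttpMessageHandler
{
    public int Calls { get; private set; }

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage req, CancellationToken ct)
    {
        Calls++;
        if (req.Content?.Headers.ContentType?.MediaType != "application/x-www-form-urlencoded")
            return Task.FromResult(new HttpResponseMessage(HttpStatusCode.BadRequest)
            {
                Content = new StringContent("{\"error\":\"invalid_request\",\"error_description\":\"body must be form-urlencoded\"}")
            });
        return Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK)
        {
            Content = new StringContent("{\"token_type\":\"Bearer\",\"expires_in\":3599,\"access_token\":\"constructed.test.token\"}")
        });
    }
}

public static class Demo
{
    public static async Task Main()
    {
        var endpoint = new FakeTokenEndpoint();
        var provider = new GraphTokenProvider(new HttpClient(endpoint),
            "https://login.chinacloudapi.cn",
            "<tenant-id>",   // assumed placeholders, not values from the post
            "<client-id>",
            Environment.GetEnvironmentVariable("AAD_CLIENT_SECRET") ?? "<secret-from-key-vault>",
            "https://microsoftgraph.chinacloudapi.cn/.default");

        var first = await provider.GetTokenAsync();
        var second = await provider.GetTokenAsync();
        Console.WriteLine($"token reused: {first == second}; endpoint calls: {endpoint.Calls}");
    }
}
```

Swap `FakeTokenEndpoint` for a plain `new HttpClient()` to talk to the real endpoint; nothing else changes. Keeping one `GraphTokenProvider` instance per process (for example as a singleton in DI) is what makes the cache effective.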
III. Create, read, update and delete users
1. Create a user
Build the user object and post it. The `identities` entry is the sign-in identity of the new account, and `forceChangePasswordNextSignIn` makes the initial password good for the first sign-in only:

```csharp
var identities = new List<IdentityVo>
{
    new IdentityVo
    {
        signInType = "userName",
        issuer = AzureAdB2CSetup.Domain,
        issuerAssignedId = userVo.Login,
    }
};

var azureUserDto = AddExtensionAttribute(selectRoleModel.Name);
azureUserDto.displayName = userVo.DisplayName;
azureUserDto.passwordPolicies = "DisablePasswordExpiration";
azureUserDto.passwordProfile = new Passwordprofile
{
    password = userVo.Password,
    forceChangePasswordNextSignIn = true,
};
azureUserDto.identities = identities;

var aadInsert = AzureADApp.AddUserByToken(azureUserDto);
```

`AddUserByToken` simply posts the object as JSON with the bearer token. Graph answers 201 Created with the new user (including its `id`) in the body; any other status carries an `{"error": {...}}` envelope and must not be treated as success:

```csharp
public static string AddUserByToken(object azureUserDto)
{
    var client = new RestClient($"{AzureADAppSetup.domain}/v1.0/users");
    var request = new RestRequest(Method.POST);
    request.AddHeader("Content-Type", "application/json");
    request.AddHeader("Authorization", $"Bearer {GetToken()}");
    request.AddParameter("application/json", JsonConvert.SerializeObject(azureUserDto), ParameterType.RequestBody);
    IRestResponse response = client.Execute(request);
    if (response.StatusCode != HttpStatusCode.Created)
    {
        throw new InvalidOperationException($"Create user failed ({(int)response.StatusCode}): {response.Content}");
    }
    return response.Content;
}
```

The role is stored in a directory extension attribute. If you want to learn more about extension attributes, ask me separately.

```csharp
private dynamic AddExtensionAttribute(string role = "xxx")
{
    IDictionary<string, object> result = new ExpandoObject();
    // Graph names directory extensions extension_{appId}_{name}, where appId is the
    // extensions app's client ID with the hyphens removed and extensionAttribute is the
    // attribute name registered on that app.
    var appId = AzureADAppSetup.b2cExtensionsApplicationClientID.Replace("-", "");
    var extensionAttr = $"extension_{appId}_{extensionAttribute}";
    result.Add(extensionAttr, role);
    return result as ExpandoObject;
}
```
2. Delete
Deleting is a single call to the official API with the user's AAD id. It is a soft delete: the user moves to the directory's deleted items and can be restored for 30 days before being permanently removed.

```csharp
public static bool DeleteUserByToken(string aadId = "")
{
    // The id is interpolated into the URL path, so only accept a well-formed GUID.
    if (!Guid.TryParse(aadId, out _))
    {
        return false;
    }
    var client = new RestClient($"{AzureADAppSetup.domain}/v1.0/users/{aadId}");
    var request = new RestRequest(Method.DELETE);
    request.AddHeader("Authorization", $"Bearer {GetToken()}");
    IRestResponse response = client.Execute(request);
    // Graph answers 204 No Content on success. Checking the status code is more reliable
    // than testing for an empty body, because error responses carry a JSON body.
    return response.StatusCode == HttpStatusCode.NoContent;
}
```
3. Update
The input for an update is almost the same as for create; the difference is the API call, a PATCH on the user's URL. Send only the properties that should change, since PATCH leaves the others untouched.

```csharp
var client = new RestClient($"{AzureADAppSetup.domain}/v1.0/users/{aadId}");
var request = new RestRequest(Method.PATCH);
request.AddHeader("Content-Type", "application/json");
request.AddHeader("Authorization", $"Bearer {GetToken()}");
request.AddParameter("application/json", azureUserDtoJson, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
// 204 No Content means the update was applied.
bool updated = response.StatusCode == HttpStatusCode.NoContent;
```
4. Query
Querying is simpler still (GET /users/{id} for a single user, GET /users with $filter for a search); the official documentation covers it, so it is not repeated here.
Besides the four operations above there is changing and resetting a password.
This uses the update call already shown; what matters is the request body. Only `passwordProfile` is required for a reset (the DTO below re-sends the other fields as in the create step, which is harmless but unnecessary), and `forceChangePasswordNextSignIn` makes the new password temporary. Note that an app-only token with User.ReadWrite.All is not by itself enough to set another user's `passwordProfile`; the service principal also needs an appropriate directory role (for example User Administrator), otherwise Graph returns 403. Check the requirements on the "Update user" page of the Graph documentation.

```csharp
var azureUserDto = AddExtensionAttribute(selectRoleModel.Name);
azureUserDto.displayName = userVo.DisplayName;
azureUserDto.passwordPolicies = "DisablePasswordExpiration";
azureUserDto.passwordProfile = new Passwordprofile
{
    password = userVo.Password,
    forceChangePasswordNextSignIn = true,
};
azureUserDto.identities = identities;
```
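As an added example covering both the create step and the password reset above (not code from the original post), the request bodies built without a hand-rolled ExpandoObject: the extension attribute name is derived correctly from the extensions app's client ID, the temporary password is generated rather than taken from caller input, the reset body carries `passwordProfile` alone, and Graph responses are judged by status code with the `error.code` surfaced on failure. The extension app ID, attribute name, issuer domain and user values are placeholders; the 403 response is constructed to show the error envelope shape.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Text.Json;

// Added example, not from the original post: Graph request bodies for user creation
// and password reset, plus status-code based error handling.
public static class GraphUserRequests
{
    // Directory extension properties are named extension_{appId}_{name}, where appId is
    // the extensions application's client ID with the hyphens removed.
    public static string ExtensionAttributeName(string extensionsAppId, string attribute)
        => $"extension_{extensionsAppId.Replace("-", "")}_{attribute}";

    // Random one-time password. Azure AD wants at least three of lower/upper/digit/symbol;
    // Base64 of 24 random bytes almost always has them, and the loop guarantees it.
    public static string GenerateTemporaryPassword()
    {
        while (true)
        {
            var candidate = Convert.ToBase64String(RandomNumberGenerator.GetBytes(24));
            int classes = (candidate.Any(char.IsLower) ? 1 : 0) + (candidate.Any(char.IsUpper) ? 1 : 0)
                        + (candidate.Any(char.IsDigit) ? 1 : 0) + (candidate.Any(c => c is '+' or '/') ? 1 : 0);
            if (classes >= 3) return candidate;
        }
    }

    // Body for POST /users. issuer is the tenant domain the local account signs in against.
    public static string CreateUserBody(string displayName, string login, string issuer,
                                        string tempPassword, string extensionsAppId,
                                        string roleAttribute, string role)
    {
        var body = new Dictionary<string, object>
        {
            ["displayName"] = displayName,
            ["passwordPolicies"] = "DisablePasswordExpiration",
            ["passwordProfile"] = new { password = tempPassword, forceChangePasswordNextSignIn = true },
            ["identities"] = new[] { new { signInType = "userName", issuer, issuerAssignedId = login } },
            [ExtensionAttributeName(extensionsAppId, roleAttribute)] = role,
        };
        return JsonSerializer.Serialize(body);
    }

    // Body for PATCH /users/{id} on a reset: passwordProfile only, so nothing else is overwritten.
    public static string ResetPasswordBody(string tempPassword)
        => JsonSerializer.Serialize(new
        {
            passwordProfile = new { password = tempPassword, forceChangePasswordNextSignIn = true }
        });

    // POST /users succeeds with 201, PATCH and DELETE with 204; anything else carries an
    // {"error":{"code":...,"message":...}} envelope, which is surfaced instead of swallowed.
    public static void EnsureGraphSuccess(HttpStatusCode expected, HttpStatusCode actual, string body)
    {
        if (actual == expected) return;
        string code = "unknown", message = body;
        try
        {
            using var doc = JsonDocument.Parse(body);
            var err = doc.RootElement.GetProperty("error");
            code = err.GetProperty("code").GetString() ?? code;
            message = err.GetProperty("message").GetString() ?? message;
        }
        catch (Exception e) when (e is JsonException or KeyNotFoundException) { }
        throw new InvalidOperationException($"Graph returned {(int)actual} ({code}): {message}");
    }
}

public static class Demo
{
    public static void Main()
    {
        var temp = GraphUserRequests.GenerateTemporaryPassword();
        // Placeholder IDs, domain and names below are assumptions, not values from the post.
        Console.WriteLine(GraphUserRequests.CreateUserBody(
            "Jane Doe", "jdoe", "contoso.example", temp,
            "11111111-2222-3333-4444-555555555555", "Role", "Operator"));
        Console.WriteLine(GraphUserRequests.ResetPasswordBody(temp));

        // Constructed Graph error response, the shape returned when the app lacks the role needed for a reset.
        const string forbidden = "{\"error\":{\"code\":\"Authorization_RequestDenied\",\"message\":\"Insufficient privileges to complete the operation.\"}}";
        try { GraphUserRequests.EnsureGraphSuccess(HttpStatusCode.NoContent, HttpStatusCode.Forbidden, forbidden); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

Wire these into the RestSharp calls above by passing the returned JSON as the request body and calling `EnsureGraphSuccess(HttpStatusCode.Created, response.StatusCode, response.Content)` after a POST, or with `HttpStatusCode.NoContent` after a PATCH or DELETE. Hand the generated temporary password to the user out of band and never write it to logs.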

Microsoft's documentation describes many more operations and a much richer API; it is well worth reading.