asp.net azure active directory user profile data

℡╲_俬逩灬. Submitted on 2019-12-10 11:22:56

Question


I'm working on a MVC application using Azure's AD authentication. I have been looking for a best practice or suggested way to 'extend' the user profile data. For example, I want the users to have a date of birth stored against themselves.

I have looked at this but it doesn't really answer my question: Active Directory User Data Storage

I can't find anything else kinda close to the solution either, all other solutions are for the other type of authentication.

One thing to note is the application only has read access to the AD, if that matters for what I'm asking. I hope to just create a User model which uses the User.Identity.GetUserId() (is this ever going to change? if it does, what can I use that won't?).

Thanks in advance!


Answer 1:


I have a couple of options to suggest here.

Option 1 - you can use your own application profile store, for storing additional user profile information for properties not present in the directory. Basically when your app gets a user token (or a JWT token) for the signed in user, you'll get an objectId (oid) claim in the token. This is a unique id for the user (across ALL of Azure AD). You can use this as a key in your user profile store, and use this key to essentially link user info in AAD to user info in your app store.

Option 2 - use directory schema extensions. Azure AD (via Graph API) allows your application to declare additional properties to extend your customer's Azure AD schema. Here you could extend the User entity with a new dateOfBirth property. Customers (admins) of your multi-tenant app would need to consent to allow your app to write to their directory, which on consent, would extend their User entity schema with the extension properties your app declares. Your app (or in fact any app) can then read and write to this new extension property. NOTE: currently there is no special access control on these extension properties - if a user or app has permissions to read a User entity (in this case), they'll be able to read any extension properties declared by any applications - including yours.
For more information on directory extensions please see https://msdn.microsoft.com/en-us/library/azure/dn720459.aspx and http://blogs.msdn.com/b/aadgraphteam/archive/2014/03/06/extend-azure-active-directory-schema-using-graph-api-preview.aspx (despite what this blog post says, schema extensions are now GA in version 1.5 of the Graph API). Directory schema extensions are also supported through the Graph Client Library, and you can see this in the console sample here on github: https://github.com/AzureADSamples/ConsoleApp-GraphAPI-DotNet.

HTHs,
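As an added example (not code from the question or the answer above), Option 1 carried through in C#: the app-side profile store is keyed on the objectidentifier claim of the validated principal, scoped by the tenantid claim as well, which goes slightly beyond the answer but keeps keys unique in a multi-tenant app; the claim type URIs are the ones Azure AD issues, while the in-memory dictionary, the GUIDs and the UPNs are constructed stand-ins for the app's database and a real token.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

public static class ProfileStore
{
    // Claim types Azure AD issues in the token; oid/tid do not change when a user is renamed.
    const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";

    // Hypothetical in-memory store standing in for the app's own profile database.
    static readonly Dictionary<string, DateTime> Profiles = new Dictionary<string, DateTime>();

    // Derives the store key from the validated principal. Refuses tokens without
    // tid/oid so an unexpected token shape cannot map several users onto one key.
    public static string ProfileKey(ClaimsPrincipal user)
    {
        string tid = user.FindFirst(TenantIdClaim)?.Value;
        string oid = user.FindFirst(ObjectIdClaim)?.Value;
        if (string.IsNullOrEmpty(tid) || string.IsNullOrEmpty(oid))
            throw new InvalidOperationException("Token lacks tid/oid claims");
        return tid + "/" + oid;   // tenant-scoped, so a multi-tenant app cannot collide on oid alone
    }

    public static void SetDateOfBirth(ClaimsPrincipal user, DateTime dob)
    {
        Profiles[ProfileKey(user)] = dob;
    }

    public static DateTime? GetDateOfBirth(ClaimsPrincipal user)
    {
        return Profiles.TryGetValue(ProfileKey(user), out DateTime dob) ? dob : (DateTime?)null;
    }

    public static void Main()
    {
        // Constructed claims standing in for a token already validated by the OpenID Connect middleware.
        Func<string, ClaimsPrincipal> signedIn = upn => new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(TenantIdClaim, "00000000-0000-0000-0000-000000000001"),
            new Claim(ObjectIdClaim, "11111111-1111-1111-1111-111111111111"),
            new Claim(ClaimTypes.Upn, upn),
        }, "Federation"));
        SetDateOfBirth(signedIn("alice@contoso.example"), new DateTime(1990, 4, 1));

        // The UPN is later renamed; oid/tid are unchanged, so the same profile row is found.
        DateTime? dob = GetDateOfBirth(signedIn("alice.smith@contoso.example"));
        Console.WriteLine(dob.HasValue ? dob.Value.ToString("yyyy-MM-dd") : "no profile");
    }
}
```

Keying on the UPN or email instead would orphan the stored date of birth on the rename shown in Main, which is why the answer points at the oid claim rather than a display identifier.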



Source: https://stackoverflow.com/questions/28690758/asp-net-azure-active-directory-user-profile-data
