I'm trying to design an enterprise application with different accounts and users.
What's the best way to map users to account ID then control their resource access?
Assuming I store account ID in dynamo DB and use AppSync to access data?
e.g. user 1 belongs to account A and can only access information for account A through an angular SPA.
You can either
store Account ID in a custom Cognito User Pool attribute, or
you can save User Pool's User ID <-> Account ID mapping in Dynamo DB.
Either way, upon API request you can now find requester's associated account ID, depending on where you stored the mapping:
from ID token's custom attribute
make a request to DynamoDB to find out mapping for given user ID (sub field in ID or Access token).
Knowing Account ID associated with the user, you can make authorization decision in your Appsync resolver (or Lambda authorizer, if that's possible).
Related
I'm using Blazor webassembly with Azure ADB2C. A typical task is to retrieve only those records for the logged in user. Which field from AzureB2C is the best practice to use as the authorized user's primary key?
I assumed that using the object ID which is a guid and created by Azure ADB2C would be the correct unique field. However I also see examples on the internet using either the user's email and/or user's name.
I plan on using this field as as a unique field in database tables for the user.
Per documentation, Microsoft Graph uses userprincipalname or objectID for queries
GET /users/{id | userPrincipalName}
You can apply filters to Microsoft Graph calls but generally the objectID is immutable and is the primary identifier that I've seen with enterprise applications/services.
We use Azure Active Directory(OpenId and OAuth2) for authorization and authentication needs.
We also would like to keep users' profiles in one of our microservices, let's name this service "User Preferences".
The service will store many specific fields required only for one of our products and it is why we don't want to store them in Active Directory(custom fields).
Having all of this, we are searching for the best Azure AD field we can use to connect user's profile to Active Directory account.
There're several candidates:
UPN - in some cases JWT doesn't contain it
ObjectId - always available, but not read-friendly and unique in multi tenant structure
Unique Name - should be used only to display it on UI(recommended by Azure)
Could you please recommend the best field for our case?
Compiling my comments as an answer:
Object id or name identifier (sub claim) are the only immutable fields you can choose from. Using the UPN is dangerous as it can be changed.
Object id is unique across directories, though if you support multiple tenants you should store the tenant id (tid) as well.
UPN can change when an admin changes it.
And also, if a user is invited as a guest to other AAD tenants, they'll have an object id per directory, it won't be the same.
I have a webapi that is published as a service on Azure. It uses the integrated AD security.
In my Controller, I can get access to the ClaimsPrincipal via the User property. Which of ClaimsPrincipal's properties can be used to uniquely identify the user so that I can use that value to search a SQL table for that users data or store data to a SQL table and include the users unique identification? The identity property has a Name but I was thinking of a more unique identifier.
Or is there a different intended strategy to do this?
AFAIK, you can use either, the upn or the oid (Object Identifier) claim.
The UPN is typically your login name e. g. yourname#yourtenant.onmicrosoft.com whereas the oid is the ObjectId of that user.
Note: If you delete and recreate a user with the same email, the upn will be the same whereas the oid will change.
I need to implement the store based access to web portal. For that we have created the following roles
Admin
Store Manager1
Store Manager2
I am able to implement authorization for Store Manger 1, Store Manager 2. If there are around 500 stores do I need to add 500 roles in active directory since each role has different view?
It sounds like quite a lot of work to make roles for each store. Though you could automate it with PowerShell, to me it seems a bit weird.
You could instead just have a Store Manager role, and then on your app side check which stores they access to. One way would be a relational table with one column being the user's id and the other a store id they have access to. You can query that when you authenticate the user and store the values in claims/session data.
We are using Google for corporate since last 5 years. There have been many dozens google groups created by different site/business division/local administrators. Now we need to know, for each employee, which all groups he is a part of. Does google provide any API to fetch this details ?
Yes. The Directory API has a function to Retrieve all groups for a domain or the account. Here's a part in the docs that I think is what you are specifically aiming for:
All groups for the account — Use the customer argument with either my_customer or the account's customerId value. As an account administrator, use the string my_customer to represent your account's customerId. If you are a reseller accessing a resold customer's account, use the resold account's customerId. For the customerId value use the account's primary domain name in the Retrieve all users in a domain operation's request. The resulting response has the customerId value.