未使用IdentityServer3承载令牌调用WebAPI授权属性
[英]WebAPI Authorization Attribute not being called with IdentityServer3 Bearer Token
问题描述
I have a WebAPI 2 project that uses a token issued by an IdentityServer3 token provider. 
我有一个WebAPI 2项目,它使用IdentityServer3令牌提供程序发出的令牌。 In my Startup.cs file I have the IdentityServerBearerTokenAuthorization middleware implemented and it, along with a global AuthorizateAttribute filter, is requiring that a valid token be present in the request. 在我的Startup.cs文件中,我实现了IdentityServerBearerTokenAuthorization中间件,它与全局AuthorizateAttribute过滤器一起要求请求中存在有效令牌。 However, I have also added ClaimsTransformation so I can extract "roles" from the claims in either a token issued using the implicit flow or a token issued for the client credential flow. 但是,我还添加了ClaimsTransformation,因此我可以在使用隐式流发出的令牌或为客户端凭据流发出的令牌中从声明中提取“角色”。 I can't use a scope here because, I have 1 scope that gives you access to use my API, but all clients are not allowed to use all api endpoints. 我不能在这里使用范围,因为我有1个范围允许您访问使用我的API,但不允许所有客户端使用所有api端点。
Startup.cs Startup.cs
JwtSecurityTokenHandler.InboundClaimTypeMap.Clear();
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions()
{
Authority = ConfigurationManager.AppSettings["IdentityServer"],
RequiredScopes = new[] { "my.api" },
});
httpConfig.MapHttpAttributeRoutes();
httpConfig.Filters.Add(new AuthorizeAttribute());
//SwaggerConfig.Register(httpConfig);
app.UseAutofacMiddleware(container);
app.UseAutofacWebApi(httpConfig);
app.UseWebApi(httpConfig);
app.UseClaimsTransformation(identity =>
{
var principal = new ClaimsPrincipal(identity);
if (!identity.HasClaim(c => c.Type == "name") && identity.HasClaim(c => c.Type == "client_name"))
{
identity.Identities.First().AddClaim(new Claim("name", identity.Claims.First(c => c.Type == "client_name").Value));
}
//we want to remove the client_ from the claims so we can evaluate clients like they are users
if (identity.Claims.Any(c => c.Type.Contains("client_")))
{
foreach (var claim in identity.Claims.Where(c => c.Type.Contains("client_")))
{
var newClaimType = claim.Type.Replace("client_", "");
identity.Identities.First().AddClaim(new Claim(newClaimType, claim.Value));
}
}
//set the scopes as roles also
if (identity.Claims.Any(c => c.Type == "scope"))
{
identity.Identities.First().AddClaims(identity.Claims.Where(c => c.Type == "scope").Select(c => new Claim("role", c.Value)));
}
return Task.FromResult(principal);
});
On my APIController operation, I have an Authorize attribute with a Roles property defined. 在我的APIController操作中,我有一个Authorize属性,其中定义了Roles属性。 The global Authorize attribute is working but the check for roles never happens. 全局Authorize属性正在运行,但检查角色永远不会发生。 Am I missing something? 我错过了什么吗? \\ API Controller \\ API控制器
[HttpDelete]
[Authorize(Roles = "item.deleter")]
[Route("{itemId:guid}")]
public async Task<HttpResponseMessage> DeleteAsync([ValidGuid] Guid itemId)
{
_log.Audit.Info($"Received Delete request for item {itemId} from user {User.Identity?.Name}.");
if (!ModelState.IsValid)
....
1 个解决方案
解决方案1
2 2017-03-26 17:45:15
Your authroize attribute is most likely firing before your claims transform fires. 您的authroize属性很可能在声明转换触发之前触发。
In your owin pipeline, you've added webAPI before the claims transform. 在您的owin管道中,您在声明转换之前添加了webAPI。 As your request travels along the pipeline, web api will get the request & run the authorize against it before the claims transform can do its bit. 随着您的请求沿着管道传输,web api将获得请求并在声明转换完成之前对其进行授权。
Try moving the UseClaimsTransformation before the UseWebApi 尝试在UseClaimsTransformation之前移动UseWebApi
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.