[英]Blazor using Azure AD authentication allowing anonymous access
I'm currently writing a (Server side) Blazor application that includes the default AzureAD Authentication.我目前正在编写一个(服务器端)Blazor 应用程序,其中包括默认的 AzureAD 身份验证。
This works well for authenticated users - challenging on the entrance ( _Host.cshtml
) file, redirecting and then back once authenticated.这适用于经过身份验证的用户 - 挑战入口 (
_Host.cshtml
) 文件,重定向然后在经过身份验证后返回。
I need to have a couple of pages not requiring authentication - I don't want the user being challenged and redirected to Microsoft.我需要有几个不需要认证的页面-我不希望用户受到挑战,并重定向到微软做。
What is the correct way to do this?这样做的正确方法是什么? I have experimented with the
AllowAnonymousAttribute
, the AllowAnonymousToPage
razor pages options, nothing seems to stop the challenge.我已经尝试过
AllowAnonymousAttribute
, AllowAnonymousToPage
剃刀页面选项,似乎没有什么能阻止挑战。
Any help would be greatly appreciated!任何帮助将不胜感激!
Below is my setup for Authentication (ConfigureServices):以下是我的身份验证设置(ConfigureServices):
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
.AddAzureAD(options => Configuration.Bind("AzureAd", options));
services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
services.AddRazorPages();
services.AddServerSideBlazor();
services.AddTelerikBlazor();
}
And then the appropriate part in Configure:然后是配置中的相应部分:
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
endpoints.MapBlazorHub();
endpoints.MapFallbackToPage("/_Host");
});
I found what I had to do was add the following to _Hosts.cshtml我发现我必须做的是将以下内容添加到 _Hosts.cshtml
@using Microsoft.AspNetCore.Authorization
@attribute [AllowAnonymous]
Once I did this authorization was no longer required on any of the pages by default and I could then add it to the pages where I wanted to require it.一旦我这样做了,默认情况下,任何页面上都不再需要此授权,然后我可以将其添加到我想要它的页面中。
For example if you wanted to secure the Counter.razor page just add an Authorize attribute to the top:例如,如果您想保护 Counter.razor 页面,只需在顶部添加一个 Authorize 属性:
@attribute [Authorize]
So now if you tried to access the counter page you will get a Not authorized message.因此,现在如果您尝试访问柜台页面,您将收到一条未授权消息。
If you want to remove the counter link when the user is not logged in modify the NavMenu.razor and surround the Counter link with an <AuthorizeView> </AuthorizeView>
as so:如果您想在用户未登录时删除计数器链接,请修改 NavMenu.razor 并用
<AuthorizeView> </AuthorizeView>
包围计数器链接,如下所示:
<AuthorizeView>
<li class="nav-item px-3">
<NavLink class="nav-link" href="counter">
<span class="oi oi-plus" aria-hidden="true"></span> Counter
</NavLink>
</li>
</AuthorizeView>
Ideally I would have liked to just opt out of authorization for the index page and have everything else secured by default but I could not find a way to get that to work.理想情况下,我只想选择退出对索引页面的授权,并默认保护其他所有内容,但我找不到让它工作的方法。 If I tried adding the
@attribute [AllowAnonymous]
to the Index.razor page it seemed to ignore it.如果我尝试将
@attribute [AllowAnonymous]
添加到 Index.razor 页面,它似乎忽略了它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.