[英]Role-based authorization in Blazor WebAssembly .Net5 MsalAuthentication
My Blazor Web Assembly app is registered in Azure Active Directory (single tenant my organization only).我的 Blazor Web 程序集应用程序已在 Azure Active Directory 中注册(仅限单租户我的组织)。
Groups claim has been added to the token configuration with the optional setting to emit groups as role claims.组声明已添加到令牌配置中,并具有将组作为角色声明发出的可选设置。
I am able to run the app and authenticate, but any page with Authorize attribute defining specific roles within my organization shows the "You are not authorized to access this resource."我能够运行该应用程序并进行身份验证,但是任何具有授权属性的页面在我的组织中定义特定角色都会显示“您无权访问此资源”。 message configured in App.razor for Not Authorized
在 App.razor 中配置的未授权消息
I have confirmed that I am receiving the roles Claim, but is a json array of role names.我已经确认我收到了角色声明,但它是角色名称的 json 数组。
I have tried creating a custom AccountClaimsPrincipalFactory
where I deserialize the roles claim value and add a new claim for each role name in the array, but still get the same result.我尝试创建一个自定义
AccountClaimsPrincipalFactory
,在其中反序列化角色声明值并为数组中的每个角色名称添加一个新声明,但仍然得到相同的结果。
public class CustomAccountClaimsPrincipalFactory : AccountClaimsPrincipalFactory<RemoteUserAccount>
{
public CustomAccountClaimsPrincipalFactory(IAccessTokenProviderAccessor accessor)
: base(accessor) { }
public async override ValueTask<ClaimsPrincipal> CreateUserAsync(RemoteUserAccount account, RemoteAuthenticationUserOptions options)
{
var user = await base.CreateUserAsync(account, options);
if (!user.Identity.IsAuthenticated)
{
return user;
}
if (user.Identity is not ClaimsIdentity identity)
{
return user;
}
var roleClaims = identity.FindAll("roles");
if (roleClaims is null || !roleClaims.Any())
{
return user;
}
foreach (var roleClaim in roleClaims)
{
try
{
var roleNames = JsonConvert.DeserializeObject<string[]>(roleClaim.Value);
foreach (var roleName in roleNames)
{
identity.AddClaim(new Claim(ClaimTypes.Role, roleName));
}
}
catch
{
// continue
}
}
return user;
}
}
And in my Program.cs在我的 Program.cs
_ = builder.Services.AddMsalAuthentication(options =>
{
Configuration.Bind("AzureAD", options.ProviderOptions.Authentication);
options.ProviderOptions.DefaultAccessTokenScopes.Add("app-scope");
})
.AddAccountClaimsPrincipalFactory<CustomAccountClaimsPrincipalFactory>();
And on my page在我的页面上
@using Microsoft.AspNetCore.Authorization
@attribute [Authorize(Roles="GROUP1, GROUP2, GROUP3")]
I have confirmed that the AccountClaimsPrincipalFactory
has added each role as a new claim and I am able to view the user's profile information and get a true response from user.IsInRole("GROUP1");
我已确认
AccountClaimsPrincipalFactory
已将每个角色添加为新声明,并且我能够查看用户的个人资料信息并从user.IsInRole("GROUP1");
, however, on any page with the [Authorize]
attribute, I still see the same error: ,但是,在任何具有
[Authorize]
属性的页面上,我仍然看到相同的错误:
You are not authorized to access this resource
您无权访问此资源
Am I missing something?我错过了什么吗? Any suggestions?
有什么建议么?
The solution was to modify the token configuration to add groups claim using Group ID rather than sAMAcountName, and then use the Group's Object id value in the page's [Authorize]
attribute and in AuthorizeView components.解决方案是修改令牌配置以使用组 ID 而不是 sAMAcountName 添加组声明,然后在页面的
[Authorize]
属性和 AuthorizeView 组件中使用组的 Object id 值。
@using Microsoft.AspNetCore.Authorization
[Authorize(Roles="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy, zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz")]
<div>
<p>Only user's in the "X", "Y", or "Z" role are authorized to view this page</p>
<AuthorizeView Roles="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz">
<p>This content is only rendered for user's in the "X" or "Z" role</p>
</AuthorizeView>
<AuthorizeView Roles="yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy">
<p>This content is only rendered for user's in the "Y" role</p>
</AuthorizeView>
</div>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.