
Custom authorization with Azure AD authentication

I am developing a service fabric stateless web application using ASP.NET Core 2.0. This application is using Azure AD to authenticate users from multiple AD tenants. What I want to achieve is using my own role based authorization which can be configured in my application using the authorized user. These roles are stored in my application.

In my current implementation I add authorization to my application by adding a policy with my custom IAuthorizationRequirement. During the authorization of the requirement, claims are added based on the user's permissions. This means that claims are added post-login. The [Authorize(Roles = "role")] attribute also doesn't work because the role claims are added post-login.

What is the correct way to implement this custom authorization which uses the authenticated user from Azure AD?

You can add your own custom claims after the user signs in through the OnTokenValidated event:

.AddOpenIdConnect(o =>
{
    Configuration.GetSection("OpenIdConnect").Bind(o);
    o.Events = new OpenIdConnectEvents
    {
        OnTokenValidated = async ctx =>
        {
            string oid = ctx.Principal.FindFirstValue("http://schemas.microsoft.com/identity/claims/objectidentifier");

            var db = ctx.HttpContext.RequestServices.GetRequiredService<AuthorizationDbContext>();

            var objectIdGuid = Guid.Parse(oid);
            bool isSuperAdmin = await db.SuperAdmins.AnyAsync(a => a.ObjectId == objectIdGuid);
            if (isSuperAdmin)
            {
                var claims = new List<Claim>();
                claims.Add(new Claim(ClaimTypes.Role, Roles.SuperAdmin));
                var appIdentity = new ClaimsIdentity(claims, "MyTestAppIdentity");

                ctx.Principal.AddIdentity(appIdentity);
            }
        }
    };
});

Here, as an example, we check from a database whether the user is a super admin. Then, if they are, we create a new identity for them with the necessary role as a claim.

All the identities are combined on the principal to produce their claim set, so all the other claims will still be available too.
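A fuller example of the same approach, added here and not taken from the answer above or from any project: an ASP.NET Core 2.x Startup that looks up application-defined roles during OnTokenValidated, attaches them as role claims, and then enforces them with both [Authorize(Roles = ...)] and a RequireRole policy. Because the app signs in users from several tenants, the lookup is keyed on tenant id plus object id, and a token missing either claim is rejected with ctx.Fail. IAppRoleStore, InMemoryAppRoleStore, the "SuperAdmin" role name, the "AppRoles" identity name and the sample tid/oid values are assumptions made for the illustration; the "OpenIdConnect" configuration section is bound exactly as in the answer.

```csharp
// Added example: app-defined roles attached during OnTokenValidated and enforced with the
// ordinary [Authorize] attribute. IAppRoleStore, InMemoryAppRoleStore, "SuperAdmin" and the
// sample tid/oid values are assumptions for illustration, not any project's real code.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Application-owned role lookup, keyed on (tenant id, object id): an object id is only
// unique within its own tenant, and this app signs in users from several tenants.
public interface IAppRoleStore
{
    Task<IReadOnlyList<string>> GetRolesAsync(string tenantId, string objectId);
}

public class InMemoryAppRoleStore : IAppRoleStore
{
    // Constructed sample row standing in for the database table of role assignments.
    private static readonly Dictionary<(string tid, string oid), string[]> Rows =
        new Dictionary<(string, string), string[]>
        {
            [("00000000-0000-0000-0000-0000000000aa", "11111111-1111-1111-1111-111111111111")] = new[] { "SuperAdmin" },
        };

    public Task<IReadOnlyList<string>> GetRolesAsync(string tenantId, string objectId) =>
        Task.FromResult<IReadOnlyList<string>>(
            Rows.TryGetValue((tenantId, objectId), out var r) ? r : Array.Empty<string>());
}

public class Startup
{
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddSingleton<IAppRoleStore, InMemoryAppRoleStore>();
        services.AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddOpenIdConnect(o =>
            {
                Configuration.GetSection("OpenIdConnect").Bind(o);
                o.Events = new OpenIdConnectEvents
                {
                    OnTokenValidated = async ctx =>
                    {
                        string tid = ctx.Principal.FindFirst(TenantIdClaim)?.Value;
                        string oid = ctx.Principal.FindFirst(ObjectIdClaim)?.Value;
                        if (string.IsNullOrEmpty(tid) || string.IsNullOrEmpty(oid))
                        {
                            // Without both claims the token cannot be mapped to an app user.
                            ctx.Fail("Token is missing the tenant or object identifier claim.");
                            return;
                        }
                        var store = ctx.HttpContext.RequestServices.GetRequiredService<IAppRoleStore>();
                        var roles = await store.GetRolesAsync(tid, oid);
                        // A separate identity keeps app-issued role claims apart from Azure AD's.
                        ctx.Principal.AddIdentity(new ClaimsIdentity(
                            roles.Select(r => new Claim(ClaimTypes.Role, r)), "AppRoles"));
                    }
                };
            });

        // The sign-in cookie persists the merged claim set, so later requests carry the roles.
        services.AddAuthorization(options =>
            options.AddPolicy("SuperAdminOnly", p => p.RequireRole("SuperAdmin")));
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvc();
    }
}

// Both forms now work because the role claims exist before the cookie is issued.
public class AdminController : Controller
{
    [Authorize(Roles = "SuperAdmin")]
    public IActionResult Index() => Content("super admin area");

    [Authorize(Policy = "SuperAdminOnly")]
    public IActionResult Audit() => Content("audit log");
}
```

Two points worth noting. Role assignments are read once, at sign-in, and then live in the cookie; revoking a role therefore takes effect only on the next sign-in unless you also validate the principal on each request (for example with the cookie handler's OnValidatePrincipal event) or keep the cookie lifetime short. And rejecting tokens that lack the tenant or object identifier claim is deliberate: an authorization lookup keyed on an empty or missing identifier would otherwise silently fall through to whatever default the store returns.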
