So I've kicked things off by following Microsoft docs:
Secure an ASP.NET Core Blazor WebAssembly hosted app with Azure Active Directory
Azure AD Groups, Administrative Roles, and user-defined roles
It seems to be set up fine on Azure's side of things:
This works fine:
    @page "/clients"
    @inject NavigationManager navigationManager
    @inject HttpClient Http
    @inject AppData appData
    @inject AuthenticationStateProvider AuthenticationStateProvider
    @attribute [Authorize]
I've printed the claims to see what's happening:
    protected async override Task OnInitializedAsync()
    {
        var authState = await AuthenticationStateProvider.GetAuthenticationStateAsync();
        var user = authState.User;
        foreach (var claim in user.Claims)
        {
            System.Diagnostics.Debug.WriteLine(claim.Type + ":" + claim.ValueType + ":" + claim.Value);
        }
    }
This is one of the lines printed:
    roles:http://www.w3.org/2001/XMLSchema#string:["Admin"]
So I can see that the appRole I added in the app manifest on Azure got here. (GUIDs Hidden below for privacy)
    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Can view everything.",
            "displayName": "Global Viewer",
            "id": "IDGOESHERE",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "GlobalViewer"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Admins can access restricted areas.",
            "displayName": "Admin",
            "id": "IDGOESHERE",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "Admin"
        }
    ],
Also added my user to the Admin role on Enterprise Applications.
However, adding the role in the [Authorize] attribute directive makes me lose access to the page: (You are not authorized to access this resource.)
    @attribute [Authorize(Roles = "Admin")]
This is in Program.cs (I have actual GUIDs in "GUIDGOESHERE")
    builder.Services.AddMsalAuthentication(options =>
    {
        builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
        options.ProviderOptions.DefaultAccessTokenScopes.Add("GUIDGOESHERE/EmployeesAccess");
        options.ProviderOptions.DefaultAccessTokenScopes.Add("GUIDGOESHERE/AdminAccess");
        options.UserOptions.RoleClaim = "roles";
    });
The problem may be in my role claim. Maybe the problem is this claim looks like an array? If so how do I fix it?
Turns out Azure may be a little ahead of ASP.NET Core.
The Azure AD authentication default template doesn't work out of the box; it needs a little tweaking.
Follow the steps in MS docs here: Azure AD Groups, Administrative Roles, and user-defined roles
Long story short:
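
Added example, not part of the original answer or copied from the post: the roles claim printed in the question arrives as the single string ["Admin"], so one way to make [Authorize(Roles = "Admin")] match is a custom account factory that emits one claim per role. The names CustomUserAccount and CustomUserFactory and the claim name "appRole" are assumptions chosen for this sketch.

```csharp
using System;
using System.Security.Claims;
using System.Text.Json.Serialization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication.Internal;

// Hypothetical account type: binds the token's "roles" JSON array to a real
// string[] instead of letting it fall through as one serialized string claim.
public class CustomUserAccount : RemoteUserAccount
{
    [JsonPropertyName("roles")]
    public string[] Roles { get; set; } = Array.Empty<string>();
}

// Hypothetical factory: adds one role claim per array entry.
public class CustomUserFactory : AccountClaimsPrincipalFactory<CustomUserAccount>
{
    public CustomUserFactory(IAccessTokenProviderAccessor accessor) : base(accessor) { }

    public override async ValueTask<ClaimsPrincipal> CreateUserAsync(
        CustomUserAccount account, RemoteAuthenticationUserOptions options)
    {
        var user = await base.CreateUserAsync(account, options);

        // account is null for an anonymous user; only touch authenticated identities.
        if (account?.Roles != null
            && user.Identity is ClaimsIdentity identity
            && identity.IsAuthenticated)
        {
            foreach (var role in account.Roles)
            {
                // options.RoleClaim is the claim type that IsInRole and
                // [Authorize(Roles = ...)] are evaluated against.
                identity.AddClaim(new Claim(options.RoleClaim, role));
            }
        }
        return user;
    }
}

// Registration in Program.cs ("appRole" is an assumed claim name):
// builder.Services.AddMsalAuthentication<RemoteAuthenticationState, CustomUserAccount>(options =>
// {
//     builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
//     options.UserOptions.RoleClaim = "appRole";
// }).AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, CustomUserAccount, CustomUserFactory>();
```

The role check in the WebAssembly client only decides what the UI renders; the server API still has to validate the access token and enforce the role on its own endpoints.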