
Change Authorization and Authentication Order in .NET Core 3.1

We have an Identity Server 4 to authorize users and a custom authorization in the API project.

I want to set both of these authorizations together, but first check Identity Server 4 and then my custom authorization.

The problem is, this order does not work and my custom authorization executes first. How can I change this order?

Startup.cs

        services.AddAuthorization(authorizationOptions =>
        {
            authorizationOptions.AddPolicy(
               name: "UserAccess",
               configurePolicy: policyBuilder =>
               {
                   policyBuilder.RequireAuthenticatedUser();
                   policyBuilder.AddRequirements(new UserAccessRequirement());
               });
        })
        .AddAuthentication(defaultScheme: IdentityServerAuthenticationDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = "https://*******.land/";
            options.ApiName = "****.Api";
            options.RequireHttpsMetadata = false;
        });

My custom authorization:

public class UserAccessHandler : AuthorizationHandler<UserAccessRequirement>
{
    private readonly IHttpContextAccessor _accessor;

    public UserAccessHandler(IHttpContextAccessor accessor)
    {
        _accessor = accessor ?? throw new ArgumentNullException(nameof(accessor));
    }

    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, UserAccessRequirement requirement)
    {
        var httpContext = _accessor.HttpContext;
        // Some code
    }
}

In API controllers:

[Route("api/[controller]")]
[ApiController]
[Authorize]
public class TestController : ControllerBase
{
    [Authorize(policy: "UserAccess")]
    [HttpGet("[action]")]
    public IActionResult Get()
    {
        return Ok("Access");
    }
}

Updated:

    app.UseRouting();

    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });

I wouldn't use the AddIdentityServerAuthentication method for new development, as it seems to be deprecated and not supported anymore; see https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation

In your API that receives access tokens from your client you should use:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(opt =>
    {
        opt.Audience = "payment";  //api name
        opt.Authority = "https://identityservice.local:6001";  //URL to your identityserver
    });

AddIdentityServerAuthentication is not meant to be used in the API.
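
Added example, not part of the question or the answer above: ASP.NET Core authenticates the request before authorization, but it then invokes every handler registered for the policy's requirements even when authentication failed, so the custom handler still runs for anonymous callers. This sketch gates the handler on the authentication result; the `user_access` claim and the `AddUserAccessPolicy` helper are hypothetical.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public class UserAccessRequirement : IAuthorizationRequirement { }

public class UserAccessHandler : AuthorizationHandler<UserAccessRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, UserAccessRequirement requirement)
    {
        // Token missing or rejected: leave the requirement unmet so the
        // framework issues a 401 challenge, and run no custom logic.
        if (context.User?.Identity?.IsAuthenticated != true)
        {
            return Task.CompletedTask;
        }

        // Hypothetical rule standing in for the real access check:
        // the validated token must carry user_access=true.
        if (context.User.HasClaim("user_access", "true"))
        {
            context.Succeed(requirement);
        }

        // Authenticated but requirement unmet: the framework answers 403.
        return Task.CompletedTask;
    }
}

public static class UserAccessRegistration
{
    // Hypothetical helper; call it from ConfigureServices.
    public static IServiceCollection AddUserAccessPolicy(this IServiceCollection services)
    {
        // Without this registration the requirement is never satisfied.
        services.AddScoped<IAuthorizationHandler, UserAccessHandler>();
        services.AddAuthorization(o => o.AddPolicy("UserAccess", p =>
        {
            p.RequireAuthenticatedUser();
            p.AddRequirements(new UserAccessRequirement());
        }));
        return services;
    }
}
```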

