[英]Role based authorization in ASP.NET Core 3.1 with Identity and ExternalLogin
[英]Role based authorization in asp core 2 with jwt tokens and identity
我在 asp core 2 中尝试了一些带有 jwt 令牌和 asp core 身份的授权示例。 我已经按照这个代码https://github.com/SunilAnthony/SimpleSecureAPI并且它工作正常。
问题是基于角色的授权。 我试过这样的事情: http : //www.jerriepelser.com/blog/using-roles-with-the-jwt-middleware/
结果很奇怪。 我的控制器方法:
[HttpGet]
[Authorize]
public IActionResult Get()
{
IEnumerable<Claim> claims = User.Claims; // contains claim with Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" and Value = "Administrator"
bool role = User.IsInRole("Administrator"); // true
bool claim = User.HasClaim(ClaimTypes.Role, "Administrator"); // true
return Ok(claims);
}
当我仅使用属性[Authorize]
调用此端点并检查当前用户的代码中的角色/声明时,这似乎很好(两个检查都为真),但是当我将授权属性更改为[Authorize(Roles = "Administrator")]
它不起作用 - >当我用这个属性调用这个端点时,我会收到 404 。 我不知道问题出在哪里。 我的启动类与上面的 git 链接中的完全相同,我刚刚在 access_token 的有效负载中添加了字符串角色名称列表,然后是“roles”数组:
它是硬编码的,但我已经改变了我的登录方法,只是为了这样的测试:
[HttpPost("login")]
public async Task<IActionResult> SignIn([FromBody] Credentials Credentials)
{
if (ModelState.IsValid)
{
var result = await _signInManager.PasswordSignInAsync(Credentials.Email, Credentials.Password, false, false);
if (result.Succeeded)
{
IdentityUser user = await _userManager.FindByEmailAsync(Credentials.Email);
List<string> roles = new List<string>();
roles.Add("Administrator");
return new JsonResult(new Dictionary<string, object>
{
{ "access_token", GetAccessToken(Credentials.Email, roles) },
{ "username", user.Email },
{ "expired_on", DateTime.UtcNow.AddMinutes(_tokenLength) },
{ "id_token", GetIdToken(user) }
});
}
return new JsonResult("Unable to sign in") { StatusCode = 401 };
}
return new JsonResult("Unable to sign in") { StatusCode = 401 };
}
和GetAccessTokenMethod
:
private string GetAccessToken(string Email, List<string> roles)
{
var payload = new Dictionary<string, object>
{
{ "sub", Email },
{ "email", Email },
{ "roles", roles },
};
return GetToken(payload);
}
[Authorize(Roles = "Administrator")]
属性的问题在哪里?
问题在于索赔的类型:
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
不知何故, [Authorize]
属性在与Roles
值一起使用时无法工作。 所以这个[Authorize(Roles = "Administartor")]
不起作用。 您必须通过在Startup
类上应用转换来将声明类型映射到唯一的role
。
如果你有一个基于Owin
的项目:
app.UseClaimsTransformation(incoming =>
{
// either add claims to incoming, or create new principal
var appPrincipal = new ClaimsPrincipal(incoming);
if (appPrincipal.HasClaim(x => x.Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"))
{
var value = appPrincipal.Claims.First(x =>
x.Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role").Value;
incoming.Identities.First().AddClaim(new Claim("role", value));
}
return Task.FromResult(appPrincipal);
});
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.