角色授权不适用于 React/ASP.NET Core API

Question

我使用 asp.net 核心中的默认反应模板创建了一个反应项目，其中包含个人用户帐户。 [Authorize] 属性工作正常，但是当我尝试实现 [Authorize(Roles = "Administrator")] 时，我得到一个 403 状态码。

我添加了 ProfileService 来添加声明。

配置文件服务.cs

public class ProfileService : IProfileService
{
    protected UserManager<ApplicationUser> mUserManager;

    public ProfileService(UserManager<ApplicationUser> userManager)
    {
        mUserManager = userManager;
    }

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        ApplicationUser user = await mUserManager.GetUserAsync(context.Subject);

        IList<string> roles = await mUserManager.GetRolesAsync(user);

        IList<Claim> roleClaims = new List<Claim>();
        foreach (string role in roles)
        {
            roleClaims.Add(new Claim(JwtClaimTypes.Role, role));
        }
        context.IssuedClaims.AddRange(roleClaims);
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        return Task.CompletedTask;
    }
}

“角色”：“管理员”存在于我的 JWT 令牌中。

我在 controller 中添加了 Authorize 属性。

    [Authorize(Roles = "Administrator")]
    [HttpGet]
    public async Task<ActionResult<IEnumerable<Order>>> GetOrders()
    {
        return await _context.Orders.ToListAsync();
    }

我还配置了我的 Startup.cs，如下所示。

启动.cs

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors();

        services.AddDbContext<ApplicationDbContext>(options =>
            options.UseSqlServer(
                Configuration.GetConnectionString("DefaultConnection")));

        //services.AddDefaultIdentity<ApplicationUser>(options => options.SignIn.RequireConfirmedAccount = true)
        //    .AddEntityFrameworkStores<ApplicationDbContext>();

        services.AddDefaultIdentity<ApplicationUser>(options => options.SignIn.RequireConfirmedAccount = true)
            .AddRoles<IdentityRole>()
            .AddRoleManager<RoleManager<IdentityRole>>()
            .AddEntityFrameworkStores<ApplicationDbContext>();

        services.AddIdentityServer()
            .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();

        services.AddAuthentication()
            .AddIdentityServerJwt();

        services.AddAuthorization();

        services.Configure<IdentityOptions>(options =>
        {
            options.ClaimsIdentity.RoleClaimType = JwtClaimTypes.Role;
        });

        services.AddTransient<IProfileService, ProfileService>();

        services.AddControllersWithViews();
        services.AddRazorPages();

        // In production, the React files will be served from this directory
        services.AddSpaStaticFiles(configuration =>
        {
            configuration.RootPath = "ClientApp/build";
        });
    }

不确定我在哪里出错了。

Answer 1

如果要使用内置角色授权，则必须更改分配角色声明的方式：

 roleClaims.Add(new Claim(JwtClaimTypes.Role, role));

对此：

 roleClaims.Add(new Claim(ClaimTypes.Role, role));

Answer 2

更好的方法是使用基于策略的授权https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-5.0 。

1. 在ConfigureServices中配置您的策略：

    services.AddAuthorization(options => { options.AddPolicy("RequireAdministratorRole", policy => policy.RequireClaim(ClaimTypes.Role, "Administrator")); });

2. 在 ProfileService 中

    var claims = roles.Select(role => new Claim(ClaimTypes.Role, role)).ToList();

3. 添加到 controller：

   [授权（策略=“RequireAdministratorRole”）]

它可能不起作用，因为 Microsoft 声明名称不一致可以通过以下方式修复：

            services.Configure<JwtBearerOptions>(options =>
        {
            var validator = options.SecurityTokenValidators.OfType<JwtSecurityTokenHandler>().SingleOrDefault();

            // Turn off Microsoft's JWT handler that maps claim types to .NET's long claim type names
            validator.InboundClaimTypeMap = new Dictionary<string, string>();
            validator.OutboundClaimTypeMap = new Dictionary<string, string>();
        });