Blazor WASM 授权不适用于 AAD 角色
Blazor WASM Authorization not working with AAD Roles
我正在尝试根据此文档后的用户定义角色设置 AAD 授权 https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/azure-active-directory-groups-and-roles?view=aspnetcore-3.1#user-defined-roles 我能够在应用程序清单中进行设置并获得 API 授权。但是,当我尝试在 UI 方面执行此操作时,我无法让声明出现。我做了 json 解释 类(DirectoryObjects、CustomUserAccount 和值(由目录对象使用))。我还添加了 CustomUserFactory 删除组的东西,因为我只关心角色:
private readonly ILogger<CustomUserFactory> _logger;
private readonly IHttpClientFactory _clientFactory;
public CustomUserFactory(IAccessTokenProviderAccessor accessor,
IHttpClientFactory clientFactory,
ILogger<CustomUserFactory> logger)
: base(accessor)
{
_clientFactory = clientFactory;
_logger = logger;
}
public async override ValueTask<ClaimsPrincipal> CreateUserAsync(
CustomUserAccount account,
RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options);
if (initialUser.Identity.IsAuthenticated)
{
var userIdentity = (ClaimsIdentity)initialUser.Identity;
foreach (var role in account.Roles)
{
userIdentity.AddClaim(new Claim("role", role));
}
}
return initialUser;
}
然后我按照文档中提到的修改了 program.cs:
builder.Services.AddMsalAuthentication<RemoteAuthenticationState,
CustomUserAccount>(options =>
{
builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
options.ProviderOptions.DefaultAccessTokenScopes.Add("apiaccessguid");
options.UserOptions.RoleClaim = "role";
}).AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, CustomUserAccount,
CustomUserFactory>();
当这不起作用时,我尝试将其添加为一项政策,但不幸的是:
builder.Services.AddAuthorizationCore(options =>
{
options.AddPolicy("Admin", policy =>
policy.RequireClaim("role", "admin"));
});
为了限制视图,我在代码中使用 user.IsInRole("admin")
并在 UI 中使用
<AuthorizeView Roles="admin">
<li class="nav-item px-3">
<NavLink class="nav-link" href="Admin">
Admin
</NavLink>
</li>
</AuthorizeView>
并且有政策:
<AuthorizeView Policy="Admin">
<Authorized>
<p>
The user is in the 'Administrator' AAD Administrative Role
and can see this content.
</p>
</Authorized>
<NotAuthorized>
<p>
The user is NOT in the 'Administrator' role and sees this
content.
</p>
</NotAuthorized>
</AuthorizeView>
和 none 成功了。有什么我想念的吗?我还验证了令牌具有管理员角色。
我通过在策略选项中使用 RequireRole 使其工作。
例如,我将应用角色添加到清单中:
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "Reader role.",
"displayName": "Reader",
"id": "41d9ba42-456e-4471-8946-24216e5f6c64",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "Reader"
}
]
通过 RequireRole 配置策略:
builder.Services.AddAuthorizationCore(options =>
{
options.AddPolicy("app-reader", policy => policy.RequireRole("Reader"));
});
然后按照:
使用
<AuthorizeView Policy="app-reader">
<Authorized>
<p>
The user is in the 'Reader' Role
and can see this content.
</p>
</Authorized>
<NotAuthorized>
<p>
The user is NOT in the 'Reader' role
and sees this content.
</p>
</NotAuthorized>
</AuthorizeView>
或者,作为剃刀页面上的属性:
@attribute [Authorize(Policy = "app-reader")]
找到我的问题,代码没问题,问题出在Azure注册端,客户端使用在Azure客户端应用程序中注册的角色,而服务器使用服务器应用程序中的角色。所以请确保您在两者中都注册了具有相同角色的用户。
我正在尝试根据此文档后的用户定义角色设置 AAD 授权 https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/azure-active-directory-groups-and-roles?view=aspnetcore-3.1#user-defined-roles 我能够在应用程序清单中进行设置并获得 API 授权。但是,当我尝试在 UI 方面执行此操作时,我无法让声明出现。我做了 json 解释 类(DirectoryObjects、CustomUserAccount 和值(由目录对象使用))。我还添加了 CustomUserFactory 删除组的东西,因为我只关心角色:
private readonly ILogger<CustomUserFactory> _logger;
private readonly IHttpClientFactory _clientFactory;
public CustomUserFactory(IAccessTokenProviderAccessor accessor,
IHttpClientFactory clientFactory,
ILogger<CustomUserFactory> logger)
: base(accessor)
{
_clientFactory = clientFactory;
_logger = logger;
}
public async override ValueTask<ClaimsPrincipal> CreateUserAsync(
CustomUserAccount account,
RemoteAuthenticationUserOptions options)
{
var initialUser = await base.CreateUserAsync(account, options);
if (initialUser.Identity.IsAuthenticated)
{
var userIdentity = (ClaimsIdentity)initialUser.Identity;
foreach (var role in account.Roles)
{
userIdentity.AddClaim(new Claim("role", role));
}
}
return initialUser;
}
然后我按照文档中提到的修改了 program.cs:
builder.Services.AddMsalAuthentication<RemoteAuthenticationState,
CustomUserAccount>(options =>
{
builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
options.ProviderOptions.DefaultAccessTokenScopes.Add("apiaccessguid");
options.UserOptions.RoleClaim = "role";
}).AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, CustomUserAccount,
CustomUserFactory>();
当这不起作用时,我尝试将其添加为一项政策,但不幸的是:
builder.Services.AddAuthorizationCore(options =>
{
options.AddPolicy("Admin", policy =>
policy.RequireClaim("role", "admin"));
});
为了限制视图,我在代码中使用 user.IsInRole("admin")
并在 UI 中使用
<AuthorizeView Roles="admin">
<li class="nav-item px-3">
<NavLink class="nav-link" href="Admin">
Admin
</NavLink>
</li>
</AuthorizeView>
并且有政策:
<AuthorizeView Policy="Admin">
<Authorized>
<p>
The user is in the 'Administrator' AAD Administrative Role
and can see this content.
</p>
</Authorized>
<NotAuthorized>
<p>
The user is NOT in the 'Administrator' role and sees this
content.
</p>
</NotAuthorized>
</AuthorizeView>
和 none 成功了。有什么我想念的吗?我还验证了令牌具有管理员角色。
我通过在策略选项中使用 RequireRole 使其工作。
例如,我将应用角色添加到清单中:
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "Reader role.",
"displayName": "Reader",
"id": "41d9ba42-456e-4471-8946-24216e5f6c64",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "Reader"
}
]
通过 RequireRole 配置策略:
builder.Services.AddAuthorizationCore(options =>
{
options.AddPolicy("app-reader", policy => policy.RequireRole("Reader"));
});
然后按照:
使用<AuthorizeView Policy="app-reader">
<Authorized>
<p>
The user is in the 'Reader' Role
and can see this content.
</p>
</Authorized>
<NotAuthorized>
<p>
The user is NOT in the 'Reader' role
and sees this content.
</p>
</NotAuthorized>
</AuthorizeView>
或者,作为剃刀页面上的属性:
@attribute [Authorize(Policy = "app-reader")]
找到我的问题,代码没问题,问题出在Azure注册端,客户端使用在Azure客户端应用程序中注册的角色,而服务器使用服务器应用程序中的角色。所以请确保您在两者中都注册了具有相同角色的用户。