Microsoft.Identity.Web: OnTokenValidated 事件未触发
Microsoft.Identity.Web: OnTokenValidated event not triggered
我想做的是在身份验证后添加声明。
以下注册 OnTokenValidation 事件的示例无法解决问题。事件永远不会触发。
我正在使用 Microsoft.Identity.Web 在 Azure AD B2C 上进行身份验证。那部分有效!
如何使用 AddMicrosoftIdentityWebAppAuthentication 注册事件?
services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C")
.EnableTokenAcquisitionToCallDownstreamApi(new string[] {Configuration["DemoApi:ServiceScope"]})
.AddInMemoryTokenCaches();
services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
{
options.Events = new OpenIdConnectEvents
{
OnTokenValidated = ctx =>
{
//query groups with graph api to get the role
// add claims
var claims = new List<Claim>
{
new Claim(ClaimTypes.Role, "superadmin")
};
var appIdentity = new ClaimsIdentity(claims);
ctx.Principal.AddIdentity(appIdentity);
return Task.CompletedTask;
},
};
});
使用 MicrosoftIdentityOptions:
services.Configure<MicrosoftIdentityOptions>(options =>
{
options.Events = new OpenIdConnectEvents
{
OnTokenValidated = async ctx =>
{
//add claims
var scopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');
var clientApp = ConfidentialClientApplicationBuilder
.Create(Configuration["AzureAD:ClientId"])
.WithTenantId(Configuration["AzureAD:TenantId"])
.WithClientSecret(Configuration["AzureAD:ClientSecret"])
.Build();
var authResult = await clientApp
.AcquireTokenOnBehalfOf(scopes, new UserAssertion(ctx.SecurityToken.RawData))
.ExecuteAsync().ConfigureAwait(false);
var graphClient = new GraphServiceClient(Configuration["DownstreamApi:BaseUrl"], new DelegateAuthenticationProvider(
requestMessage =>
{
requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", authResult.AccessToken);
return Task.CompletedTask;
}));
var identity = new ClaimsIdentity();
//https://graph.microsoft.com/1.0/me/transitiveMemberOf/microsoft.graph.group?$count=true&$select=displayName
var groups = await graphClient.Me.TransitiveMemberOf.Request().Select("displayName").GetAsync().ConfigureAwait(false);
while (groups != null && groups.Count > 0)
{
foreach (var g in groups)
{
if (!(g is Group groupItem)) continue;
identity.AddClaim(new Claim(ClaimTypes.Role, groupItem.DisplayName));
}
if (groups.NextPageRequest != null)
groups = await groups.NextPageRequest.GetAsync().ConfigureAwait(false);
else
break;
}
ctx.Principal.AddIdentity(identity);
}
};
});
services.AddMicrosoftIdentityWebAppAuthentication(Configuration);
我想做的是在身份验证后添加声明。
以下注册 OnTokenValidation 事件的示例无法解决问题。事件永远不会触发。
我正在使用 Microsoft.Identity.Web 在 Azure AD B2C 上进行身份验证。那部分有效!
如何使用 AddMicrosoftIdentityWebAppAuthentication 注册事件?
services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C")
.EnableTokenAcquisitionToCallDownstreamApi(new string[] {Configuration["DemoApi:ServiceScope"]})
.AddInMemoryTokenCaches();
services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
{
options.Events = new OpenIdConnectEvents
{
OnTokenValidated = ctx =>
{
//query groups with graph api to get the role
// add claims
var claims = new List<Claim>
{
new Claim(ClaimTypes.Role, "superadmin")
};
var appIdentity = new ClaimsIdentity(claims);
ctx.Principal.AddIdentity(appIdentity);
return Task.CompletedTask;
},
};
});
使用 MicrosoftIdentityOptions:
services.Configure<MicrosoftIdentityOptions>(options =>
{
options.Events = new OpenIdConnectEvents
{
OnTokenValidated = async ctx =>
{
//add claims
var scopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');
var clientApp = ConfidentialClientApplicationBuilder
.Create(Configuration["AzureAD:ClientId"])
.WithTenantId(Configuration["AzureAD:TenantId"])
.WithClientSecret(Configuration["AzureAD:ClientSecret"])
.Build();
var authResult = await clientApp
.AcquireTokenOnBehalfOf(scopes, new UserAssertion(ctx.SecurityToken.RawData))
.ExecuteAsync().ConfigureAwait(false);
var graphClient = new GraphServiceClient(Configuration["DownstreamApi:BaseUrl"], new DelegateAuthenticationProvider(
requestMessage =>
{
requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", authResult.AccessToken);
return Task.CompletedTask;
}));
var identity = new ClaimsIdentity();
//https://graph.microsoft.com/1.0/me/transitiveMemberOf/microsoft.graph.group?$count=true&$select=displayName
var groups = await graphClient.Me.TransitiveMemberOf.Request().Select("displayName").GetAsync().ConfigureAwait(false);
while (groups != null && groups.Count > 0)
{
foreach (var g in groups)
{
if (!(g is Group groupItem)) continue;
identity.AddClaim(new Claim(ClaimTypes.Role, groupItem.DisplayName));
}
if (groups.NextPageRequest != null)
groups = await groups.NextPageRequest.GetAsync().ConfigureAwait(false);
else
break;
}
ctx.Principal.AddIdentity(identity);
}
};
});
services.AddMicrosoftIdentityWebAppAuthentication(Configuration);