Blazor 服务器:努力将策略添加到 Google 身份验证以仅限制对我的帐户的访问
Blazor server : Struggling to add policy to Google authentication to restrict access to my account only
在我的应用程序成功通过 Google 验证我的应用程序后,我正在尝试添加一个策略,该策略将仅限制对我的 google 帐户的访问。
我使用本教程使 google 身份验证正常工作:https://www.youtube.com/watch?v=H4G0kqIG1_0
并且我参考了这个堆栈溢出问题来添加我的策略:
这个问题的答案似乎不适合我,我试图让声明 returns 成为一个空值,但我不知道为什么。
下面是Startup.cs
上的相关代码
services.AddAuthentication("Cookies")
.AddCookie(opt =>
{
opt.Cookie.Name = "GoogleAuth";
opt.LoginPath = "/auth/google-login";
})
.AddGoogle(opt =>
{
opt.ClientId = Environment.GetEnvironmentVariable("GOOGLE_CLIENT_ID");
opt.ClientSecret = Environment.GetEnvironmentVariable("GOOGLE_CLIENT_SECRET");
opt.Scope.Add("openid");
opt.Scope.Add("profile");
opt.Scope.Add("email");
opt.Events.OnCreatingTicket = context =>
{
string picture = context.User.GetProperty("picture").GetString();
string name = context.User.GetProperty("name").GetString();
string given_name = context.User.GetProperty("given_name").GetString();
context.Identity.AddClaim(new Claim("picture", picture));
context.Identity.AddClaim(new Claim("name", name));
context.Identity.AddClaim(new Claim("given_name", given_name));
return Task.CompletedTask;
};
});
services.AddAuthorization(opt =>
{
opt.AddPolicy("MeOnly", policy =>
{
policy.RequireAssertion(context =>
{
// returns a null value
var name = context.User.Claims.FirstOrDefault(x => x.Type == ClaimTypes.Name)?.Value;
/*
* I want to add some logic to only give access to my Google account
*/
return false;
});
});
});
您可以通过帐户 ID 或电子邮件声明(或任何其他声明)来限制访问。
创建一个策略并要求一个特定的索赔值。在这里,我使用 a FallbackPolicy 确保所有端点都受到此策略的保护,除非另有说明。
services.AddAuthorization(options =>
options.FallbackPolicy = new AuthorizationPolicyBuilder(
GoogleDefaults.AuthenticationScheme
)
.RequireAuthenticatedUser()
.RequireClaim(ClaimTypes.Email, "my.email@gmail.com")
.Build()
);
使它可配置可能会有用。将此添加到 appsettings.json
{
"AuthorizedEmails": [
"my.email@gmail.com",
"someone.else@gmail.com"
],
// ...
}
然后我们可以在运行时读取这个配置并应用它:
var authorizedEmails = Configuration.GetSection("AuthorizedEmails").Get<string[]>();
services.AddAuthorization(options =>
options.FallbackPolicy = new AuthorizationPolicyBuilder(
GoogleDefaults.AuthenticationScheme
)
.RequireAuthenticatedUser()
.RequireClaim(ClaimTypes.Email, authorizedEmails)
.Build()
);
更多信息
在我的应用程序成功通过 Google 验证我的应用程序后,我正在尝试添加一个策略,该策略将仅限制对我的 google 帐户的访问。
我使用本教程使 google 身份验证正常工作:https://www.youtube.com/watch?v=H4G0kqIG1_0
并且我参考了这个堆栈溢出问题来添加我的策略:
这个问题的答案似乎不适合我,我试图让声明 returns 成为一个空值,但我不知道为什么。
下面是Startup.cs
上的相关代码services.AddAuthentication("Cookies")
.AddCookie(opt =>
{
opt.Cookie.Name = "GoogleAuth";
opt.LoginPath = "/auth/google-login";
})
.AddGoogle(opt =>
{
opt.ClientId = Environment.GetEnvironmentVariable("GOOGLE_CLIENT_ID");
opt.ClientSecret = Environment.GetEnvironmentVariable("GOOGLE_CLIENT_SECRET");
opt.Scope.Add("openid");
opt.Scope.Add("profile");
opt.Scope.Add("email");
opt.Events.OnCreatingTicket = context =>
{
string picture = context.User.GetProperty("picture").GetString();
string name = context.User.GetProperty("name").GetString();
string given_name = context.User.GetProperty("given_name").GetString();
context.Identity.AddClaim(new Claim("picture", picture));
context.Identity.AddClaim(new Claim("name", name));
context.Identity.AddClaim(new Claim("given_name", given_name));
return Task.CompletedTask;
};
});
services.AddAuthorization(opt =>
{
opt.AddPolicy("MeOnly", policy =>
{
policy.RequireAssertion(context =>
{
// returns a null value
var name = context.User.Claims.FirstOrDefault(x => x.Type == ClaimTypes.Name)?.Value;
/*
* I want to add some logic to only give access to my Google account
*/
return false;
});
});
});
您可以通过帐户 ID 或电子邮件声明(或任何其他声明)来限制访问。
创建一个策略并要求一个特定的索赔值。在这里,我使用 a FallbackPolicy 确保所有端点都受到此策略的保护,除非另有说明。
services.AddAuthorization(options =>
options.FallbackPolicy = new AuthorizationPolicyBuilder(
GoogleDefaults.AuthenticationScheme
)
.RequireAuthenticatedUser()
.RequireClaim(ClaimTypes.Email, "my.email@gmail.com")
.Build()
);
使它可配置可能会有用。将此添加到 appsettings.json
{
"AuthorizedEmails": [
"my.email@gmail.com",
"someone.else@gmail.com"
],
// ...
}
然后我们可以在运行时读取这个配置并应用它:
var authorizedEmails = Configuration.GetSection("AuthorizedEmails").Get<string[]>();
services.AddAuthorization(options =>
options.FallbackPolicy = new AuthorizationPolicyBuilder(
GoogleDefaults.AuthenticationScheme
)
.RequireAuthenticatedUser()
.RequireClaim(ClaimTypes.Email, authorizedEmails)
.Build()
);