Roles/Groups Azure Active Directory 并使用 Blazor WASM AuthorizeView 访问它们
Roles/Groups Azure Active Directory and access them with Blazor WASM AuthorizeView
嘿,登录和注销工作正常。
我在应用程序注册中创建了角色。
在清单中我更改了 groupMembershipClaims
从空到“全部”
"groupMembershipClaims": "All",
这些角色已分配给我 (Alex) 和 2 个创建的组(企业应用程序屏幕截图):
Program.cs / 添加了 options.UserOptions.RoleClaim = "appRole"
// MSAL sign-in wiring: Azure AD settings come from the "AzureAd" configuration section,
// the only default scope is Graph User.Read, and the role claim type is set to "appRole".
builder.Services.AddMsalAuthentication(options =>
{
    var provider = options.ProviderOptions;
    builder.Configuration.Bind("AzureAd", provider.Authentication);
    provider.DefaultAccessTokenScopes.Add("https://graph.microsoft.com/User.Read");
    provider.LoginMode = "redirect";
    // Must match the claim type that carries the app roles, otherwise Roles="..." never matches.
    options.UserOptions.RoleClaim = "appRole";
});
当我尝试访问它们时,例如使用:Roles="dog_cc_ma"
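@page "/"
@inject Microsoft.Extensions.Localization.IStringLocalizer<ResourceFiles.Resource> localizer
@attribute [Authorize]
@* Everything below only controls what the browser renders; an API called from this page
   still has to authorize the bearer token on its own. *@
<h1>@localizer["helloworld"]!</h1>
<AuthorizeView>
    <Authorized>
        Hello, @context.User.Identity?.Name! <br />
        @* No trailing ';' here: Razor renders it as literal text after the value. *@
        @context.User.Identity?.AuthenticationType
        <ul>
            @* Each entry is a ClaimsIdentity, not a Claim; RoleClaimType shows the claim type
               that Roles="..." is matched against. *@
            <li>@foreach (var identity in context.User.Identities)
            {<ul>
                <li>@identity.RoleClaimType</li>
                <li>@identity.AuthenticationType</li>
                <li>@identity.Actor</li>
                <li>@identity.NameClaimType</li>
                <li>@identity.Label</li>
            </ul>
            }
            </li>
        </ul>
    </Authorized>
    <NotAuthorized>
    </NotAuthorized>
</AuthorizeView>
<AuthorizeView Roles="admin, superuser, owner">
    <p>You can only see this if you're an admin or superuser.</p>
    Hello, @context.User.Identity?.Name! <br />
</AuthorizeView>
<AuthorizeView Roles="dog_cc_ma">
    <p>You can only see this if you have a dog insurance.</p>
    Hello, @context.User.Identity?.Name! <br />
</AuthorizeView>
<AuthorizeView Roles="travel_cc_ma">
    <p>You can only see this if you have a travel insurance.</p>
    Hello, @context.User.Identity?.Name! <br />
</AuthorizeView>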
它不起作用,谁知道为什么......?
claim.loop
最好的,亚历克斯
解决方案
添加 2 个类,并在 Program.cs 中额外添加 1 处修改,然后它就有效了。
RemoteUserAccount.cs
/// <summary>
/// Account shape handed to the MSAL provider; extends the default account with the
/// <c>roles</c> array so app roles present in the token are deserialized instead of dropped.
/// </summary>
public class CustomUserAccount : RemoteUserAccount
{
    /// <summary>
    /// App role values from the token's <c>roles</c> property; an empty array when none are present.
    /// </summary>
    [JsonPropertyName("roles")]
    public string[] Roles { get; set; } = Array.Empty<string>();
}
CustomAccountFactory.cs
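/// <summary>
/// Builds the <see cref="ClaimsPrincipal"/> for a signed-in user and copies the app roles
/// carried in <see cref="CustomUserAccount.Roles"/> into role claims, so that
/// <c>[Authorize(Roles = ...)]</c> and <c>AuthorizeView Roles="..."</c> can match them.
/// </summary>
/// <remarks>
/// Runs in the browser: the claims it produces only drive client-side rendering and routing.
/// Any API the app calls has to validate and authorize the bearer token independently.
/// Only the <c>roles</c> property is mapped; group ids emitted via groupMembershipClaims are not.
/// </remarks>
public class CustomAccountFactory
    : AccountClaimsPrincipalFactory<CustomUserAccount>
{
    // Injected but not used by CreateUserAsync; kept so the constructor signature
    // registered in Program.cs stays valid.
    private readonly ILogger<CustomAccountFactory> logger;
    private readonly IServiceProvider serviceProvider;

    /// <summary>Creates the factory; <paramref name="accessor"/> is forwarded to the base class.</summary>
    public CustomAccountFactory(IAccessTokenProviderAccessor accessor,
        IServiceProvider serviceProvider,
        ILogger<CustomAccountFactory> logger)
        : base(accessor)
    {
        this.serviceProvider = serviceProvider;
        this.logger = logger;
    }

    /// <summary>
    /// Creates the principal via the base factory and, when the user is authenticated,
    /// appends one role claim per entry in <see cref="CustomUserAccount.Roles"/>.
    /// </summary>
    /// <param name="account">Account deserialized from the token; <c>Roles</c> holds the app roles.</param>
    /// <param name="options">User options; <c>RoleClaim</c> names the claim type to emit.</param>
    /// <returns>The principal returned by the base factory, with role claims added when authenticated.</returns>
    public async override ValueTask<ClaimsPrincipal> CreateUserAsync(
        CustomUserAccount account,
        RemoteAuthenticationUserOptions options)
    {
        var initialUser = await base.CreateUserAsync(account, options);

        // Identity is null for an anonymous principal and is not guaranteed to be a ClaimsIdentity;
        // the pattern match replaces the unguarded dereference and the hard cast.
        if (initialUser.Identity is ClaimsIdentity userIdentity && userIdentity.IsAuthenticated)
        {
            // Emit the claim type configured in Program.cs (options.UserOptions.RoleClaim = "appRole")
            // so the factory and the role check cannot drift apart; the literal is the fallback.
            var roleClaimType = options.RoleClaim ?? "appRole";

            // A token without a "roles" property (or with null entries) must not throw here.
            foreach (var role in account.Roles ?? Array.Empty<string>())
            {
                if (string.IsNullOrEmpty(role))
                {
                    continue;
                }

                userIdentity.AddClaim(new Claim(roleClaimType, role));
            }
        }

        return initialUser;
    }
}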
Program.cs
// Registers MSAL sign-in with the custom account type so the "roles" array in the token is
// deserialized, then plugs in the factory that turns those values into "appRole" claims.
builder.Services
    .AddMsalAuthentication<RemoteAuthenticationState, CustomUserAccount>(options =>
    {
        var provider = options.ProviderOptions;
        builder.Configuration.Bind("AzureAd", provider.Authentication);
        provider.DefaultAccessTokenScopes.Add("https://graph.microsoft.com/User.Read");
        provider.LoginMode = "redirect";
        // Must match the claim type the account factory emits.
        options.UserOptions.RoleClaim = "appRole";
    })
    .AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, CustomUserAccount, CustomAccountFactory>();
嘿,登录和注销工作正常。
我在应用程序注册中创建了角色。
在清单中我更改了 groupMembershipClaims 从空到“全部”
"groupMembershipClaims": "All",
这些角色已分配给我 (Alex) 和 2 个创建的组(企业应用程序屏幕截图):
Program.cs / 添加了 options.UserOptions.RoleClaim = "appRole"
// MSAL sign-in wiring: Azure AD settings come from the "AzureAd" configuration section,
// the only default scope is Graph User.Read, and the role claim type is set to "appRole".
builder.Services.AddMsalAuthentication(options =>
{
    var provider = options.ProviderOptions;
    builder.Configuration.Bind("AzureAd", provider.Authentication);
    provider.DefaultAccessTokenScopes.Add("https://graph.microsoft.com/User.Read");
    provider.LoginMode = "redirect";
    // Must match the claim type that carries the app roles, otherwise Roles="..." never matches.
    options.UserOptions.RoleClaim = "appRole";
});
当我尝试访问它们时,例如使用:Roles="dog_cc_ma"
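@page "/"
@inject Microsoft.Extensions.Localization.IStringLocalizer<ResourceFiles.Resource> localizer
@attribute [Authorize]
@* Everything below only controls what the browser renders; an API called from this page
   still has to authorize the bearer token on its own. *@
<h1>@localizer["helloworld"]!</h1>
<AuthorizeView>
    <Authorized>
        Hello, @context.User.Identity?.Name! <br />
        @* No trailing ';' here: Razor renders it as literal text after the value. *@
        @context.User.Identity?.AuthenticationType
        <ul>
            @* Each entry is a ClaimsIdentity, not a Claim; RoleClaimType shows the claim type
               that Roles="..." is matched against. *@
            <li>@foreach (var identity in context.User.Identities)
            {<ul>
                <li>@identity.RoleClaimType</li>
                <li>@identity.AuthenticationType</li>
                <li>@identity.Actor</li>
                <li>@identity.NameClaimType</li>
                <li>@identity.Label</li>
            </ul>
            }
            </li>
        </ul>
    </Authorized>
    <NotAuthorized>
    </NotAuthorized>
</AuthorizeView>
<AuthorizeView Roles="admin, superuser, owner">
    <p>You can only see this if you're an admin or superuser.</p>
    Hello, @context.User.Identity?.Name! <br />
</AuthorizeView>
<AuthorizeView Roles="dog_cc_ma">
    <p>You can only see this if you have a dog insurance.</p>
    Hello, @context.User.Identity?.Name! <br />
</AuthorizeView>
<AuthorizeView Roles="travel_cc_ma">
    <p>You can only see this if you have a travel insurance.</p>
    Hello, @context.User.Identity?.Name! <br />
</AuthorizeView>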
它不起作用,谁知道为什么......?
claim.loop
最好的,亚历克斯
解决方案
添加 2 个类,并在 Program.cs 中额外添加 1 处修改,然后它就有效了。
RemoteUserAccount.cs
/// <summary>
/// Account shape handed to the MSAL provider; extends the default account with the
/// <c>roles</c> array so app roles present in the token are deserialized instead of dropped.
/// </summary>
public class CustomUserAccount : RemoteUserAccount
{
    /// <summary>
    /// App role values from the token's <c>roles</c> property; an empty array when none are present.
    /// </summary>
    [JsonPropertyName("roles")]
    public string[] Roles { get; set; } = Array.Empty<string>();
}
CustomAccountFactory.cs
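/// <summary>
/// Builds the <see cref="ClaimsPrincipal"/> for a signed-in user and copies the app roles
/// carried in <see cref="CustomUserAccount.Roles"/> into role claims, so that
/// <c>[Authorize(Roles = ...)]</c> and <c>AuthorizeView Roles="..."</c> can match them.
/// </summary>
/// <remarks>
/// Runs in the browser: the claims it produces only drive client-side rendering and routing.
/// Any API the app calls has to validate and authorize the bearer token independently.
/// Only the <c>roles</c> property is mapped; group ids emitted via groupMembershipClaims are not.
/// </remarks>
public class CustomAccountFactory
    : AccountClaimsPrincipalFactory<CustomUserAccount>
{
    // Injected but not used by CreateUserAsync; kept so the constructor signature
    // registered in Program.cs stays valid.
    private readonly ILogger<CustomAccountFactory> logger;
    private readonly IServiceProvider serviceProvider;

    /// <summary>Creates the factory; <paramref name="accessor"/> is forwarded to the base class.</summary>
    public CustomAccountFactory(IAccessTokenProviderAccessor accessor,
        IServiceProvider serviceProvider,
        ILogger<CustomAccountFactory> logger)
        : base(accessor)
    {
        this.serviceProvider = serviceProvider;
        this.logger = logger;
    }

    /// <summary>
    /// Creates the principal via the base factory and, when the user is authenticated,
    /// appends one role claim per entry in <see cref="CustomUserAccount.Roles"/>.
    /// </summary>
    /// <param name="account">Account deserialized from the token; <c>Roles</c> holds the app roles.</param>
    /// <param name="options">User options; <c>RoleClaim</c> names the claim type to emit.</param>
    /// <returns>The principal returned by the base factory, with role claims added when authenticated.</returns>
    public async override ValueTask<ClaimsPrincipal> CreateUserAsync(
        CustomUserAccount account,
        RemoteAuthenticationUserOptions options)
    {
        var initialUser = await base.CreateUserAsync(account, options);

        // Identity is null for an anonymous principal and is not guaranteed to be a ClaimsIdentity;
        // the pattern match replaces the unguarded dereference and the hard cast.
        if (initialUser.Identity is ClaimsIdentity userIdentity && userIdentity.IsAuthenticated)
        {
            // Emit the claim type configured in Program.cs (options.UserOptions.RoleClaim = "appRole")
            // so the factory and the role check cannot drift apart; the literal is the fallback.
            var roleClaimType = options.RoleClaim ?? "appRole";

            // A token without a "roles" property (or with null entries) must not throw here.
            foreach (var role in account.Roles ?? Array.Empty<string>())
            {
                if (string.IsNullOrEmpty(role))
                {
                    continue;
                }

                userIdentity.AddClaim(new Claim(roleClaimType, role));
            }
        }

        return initialUser;
    }
}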
Program.cs
// Registers MSAL sign-in with the custom account type so the "roles" array in the token is
// deserialized, then plugs in the factory that turns those values into "appRole" claims.
builder.Services
    .AddMsalAuthentication<RemoteAuthenticationState, CustomUserAccount>(options =>
    {
        var provider = options.ProviderOptions;
        builder.Configuration.Bind("AzureAd", provider.Authentication);
        provider.DefaultAccessTokenScopes.Add("https://graph.microsoft.com/User.Read");
        provider.LoginMode = "redirect";
        // Must match the claim type the account factory emits.
        options.UserOptions.RoleClaim = "appRole";
    })
    .AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, CustomUserAccount, CustomAccountFactory>();