c# - User.HasClaim not successfully reading claim properties in .NET Core 2.0 Web Api

Reposted. Author: 行者123. Updated: 2023-12-03 23:16:31

I'm having a problem using the Authorize attribute with the policies I defined in Startup.cs. I edited my Controller to check the claims manually. I can see the claims, including a scope claim with the correct scopes, but when I check that claim/scope manually it comes back false. I'm using Azure AD B2C as my identity server and successfully get a validated token.

Here is the code from my Startup.cs:

    services.AddAuthorization(options =>
    {
        var policyRead = new AuthorizationPolicyBuilder()
            .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
            .RequireAuthenticatedUser()
            .RequireClaim("http://schemas.microsoft.com/identity/claims/scope", "vendor.read")
            .Build();
        options.AddPolicy("VendorRead", policyRead);

        var policyWrite = new AuthorizationPolicyBuilder()
            .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
            .RequireAuthenticatedUser()
            .RequireClaim("http://schemas.microsoft.com/identity/claims/scope", "vendor.write")
            .Build();
        options.AddPolicy("VendorWrite", policyWrite);
    });

    services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(jwtOptions =>
    {
        jwtOptions.Authority = $"{Configuration["AzureAdB2C:Instance"]}/{Configuration["AzureAdB2C:TenantId"]}/{Configuration["AzureAdB2C:SignUpSignInPolicyId"]}/v2.0/";
        jwtOptions.Audience = Configuration["AzureAdB2C:ClientId"];
        jwtOptions.RequireHttpsMetadata = true;
        jwtOptions.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = $"{Configuration["AzureAdB2C:Instance"]}/{Configuration["AzureAdB2C:TenantId"]}/v2.0/",
            ValidAudience = Configuration["AzureAdB2C:ClientId"],
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["AzureAdB2C:ClientSecret"]))
        };
        jwtOptions.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = AuthenticationFailed,
            OnTokenValidated = TokenValidated
        };
    });

Here is my Controller code where I check the claims manually:

    // GET: api/Vendor/5
    [HttpGet("{id}")]
    public async Task<IActionResult> Get(VendorRequest request)
    {
        var hasClaim1 = User.HasClaim(c => c.Type == "vendor.read");
        var hasClaim2 = User.HasClaim(c => c.Type == "scope");
        var hasClaim3 = User.HasClaim(c => c.Type == "scp");
        var hasClaim4 = User.HasClaim(c => c.Type == "http://schemas.microsoft.com/identity/claims/scope");
        var hasClaim5 = User.HasClaim("http://schemas.microsoft.com/identity/claims/scope", "vendor.read");
        var hasClaim7 = User.HasClaim("http://schemas.microsoft.com/identity/claims/scope", "vendor.write");
        var allowed = await _authorization.AuthorizeAsync(User, "VendorRead");
        if (!allowed.Succeeded)
        {
            return StatusCode(StatusCodes.Status403Forbidden);
        }
        // rest of the action body was not included in the post
    }

The only hasClaim that returns true is hasClaim4.

Here are my claims:
[image: screenshot of the token's claims]

Any ideas what I'm doing wrong? I just want to get the vendor.read scope working for now.

Best answer

The scope claim is a space-separated list, so the RequireClaim() helper won't work in this case, but the more generic RequireAssertion() will.

Sample scope claim

    "scp": "demo.read demo.write user_impersonation Test-Value"

sample RequireAssertion()
    services.AddAuthorization(options =>
    {
        options.AddPolicy("ScopeCheck", policyBuilder =>
            policyBuilder.RequireAssertion(handler =>
            {
                // The scope claim holds all granted scopes in one space-delimited value,
                // so split it and look for the required scope instead of matching the whole string.
                var scopeClaim = handler.User.FindFirst("http://schemas.microsoft.com/identity/claims/scope");
                var scopes = scopeClaim?.Value.Split(' ');
                var hasScope = scopes?.Any(scope => scope == "demo.write") ?? false;
                return hasScope;
            }));
    });

sample Controller
    [Authorize("ScopeCheck")]
    public class SecureController : Controller
    {
        [HttpGet]
        public IActionResult Test()
        {
            return Ok(new { Message = "You are allowed" });
        }
    }
Full Sample Project - Sample token

Access Token Scope (RFC 6749 section 3.3)

The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.
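To make the split-and-compare check reusable across the question's two policies, here is an added example (not code from the answer or the poster's project) that puts the scope test in one helper, builds one policy per scope with RequireAssertion, and shows on a constructed principal why the whole-value HasClaim check fails while the split check succeeds; the class, method and policy names are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;

public static class ScopeAuthorization
{
    // Claim type under which the JWT handler exposes the token's "scp" claim
    // (the short name is mapped to this URI by default, which is why only the
    // URI-based check in the question returned true).
    public const string ScopeClaimType =
        "http://schemas.microsoft.com/identity/claims/scope";

    // Scope values are space-delimited and case-sensitive (RFC 6749 section 3.3),
    // so the claim value is split before comparing. RequireClaim / HasClaim compare
    // the entire claim value, which never equals a single scope on a multi-scope token.
    public static bool HasScope(ClaimsPrincipal principal, string scope) =>
        principal.FindAll(ScopeClaimType)
            .SelectMany(c => c.Value.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries))
            .Contains(scope, StringComparer.Ordinal);

    // One policy per scope keeps "VendorRead" and "VendorWrite" independent.
    public static AuthorizationPolicy ScopePolicy(string scope) =>
        new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .RequireAssertion(ctx => HasScope(ctx.User, scope))
            .Build();

    // Hypothetical helper for Startup: services.AddAuthorization(ScopeAuthorization.ConfigurePolicies);
    public static void ConfigurePolicies(AuthorizationOptions options)
    {
        options.AddPolicy("VendorRead", ScopePolicy("vendor.read"));
        options.AddPolicy("VendorWrite", ScopePolicy("vendor.write"));
    }

    // Constructed principal mirroring the question's token: one claim carrying two scopes.
    public static void Demo()
    {
        var user = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ScopeClaimType, "vendor.read vendor.write") }, "Bearer"));

        bool wholeValueMatch = user.HasClaim(ScopeClaimType, "vendor.read"); // whole-value comparison
        bool splitMatch = HasScope(user, "vendor.read");                     // per-scope comparison
        bool caseMismatch = HasScope(user, "Vendor.Read");                   // ordinal, so case matters
        Console.WriteLine($"whole={wholeValueMatch} split={splitMatch} case={caseMismatch}");
    }
}
```

Because the comparison is ordinal, a token issued with a differently cased scope name is rejected, which matches the RFC's case-sensitive definition rather than silently widening access.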

Regarding c# - User.HasClaim not successfully reading claim properties in .NET Core 2.0 Web Api, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/50007749/
