I have a .NET Core application that uses OpenIdConnect as the default authentication scheme against a custom authorization server:

```csharp
services.AddAuthentication(authenticationOptions =>
    {
        authenticationOptions.DefaultAuthenticateScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(openIdOptions =>
    {
        openIdOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        openIdOptions.Authority = issuer;
        openIdOptions.RequireHttpsMetadata = true;
        openIdOptions.ClientId = Configuration["Okta:ClientId"];
        openIdOptions.CallbackPath = OktaDefaults.CallbackPath;
        openIdOptions.ClientSecret = Configuration["Okta:ClientSecret"];
        openIdOptions.ResponseType = OpenIdConnectResponseType.Token;
        openIdOptions.GetClaimsFromUserInfoEndpoint = true;
        openIdOptions.Scope.Add("openid");
        openIdOptions.Scope.Add("profile");
        openIdOptions.Scope.Add("groups");
        openIdOptions.SaveTokens = true;
    });
```
I am also using policy-based authorization:

```csharp
services.AddAuthorization(authOptions =>
{
    authOptions.AddPolicy("QSGAdminPolicy",
        policy => policy.RequireRole(Configuration.GetValue<string>("SecurityRoles:QSGAdminRole")));
    authOptions.AddPolicy("QSGReadOnlyPolicy",
        policy => policy.RequireRole(Configuration.GetValue<string>("SecurityRoles:QSGReadOnlyRole")));
    authOptions.AddPolicy("QSGReviewerPolicy",
        policy => policy.RequireRole(
            Configuration.GetValue<string>("SecurityRoles:QSGReviewerRole"),
            Configuration.GetValue<string>("SecurityRoles:QSGTraderRole"),
            Configuration.GetValue<string>("SecurityRoles:.QSGAdminRole")));
    authOptions.AddPolicy("QSGTraderPolicy",
        policy => policy.RequireRole(
            Configuration.GetValue<string>("SecurityRoles:QSGTraderRole"),
            Configuration.GetValue<string>("SecurityRoles:QSGAdminRole")));
});
```
In my controller I have marked the API with the Authorize attribute and the policy:

```csharp
[Route("test/authentication")]
[HttpGet]
[Authorize(Policy = "QSGReviewerPolicy")]
public ActionResult GetTestAuth()
{
    var claims = HttpContext.User.Claims;
    return Ok("user allowed");
}
```
But I get this error:

```
fail: Microsoft.AspNetCore.Server.Kestrel[13]
      Connection id "0HLU51T84D7HA", Request id "0HLU51T84D7HA:00000001": An unhandled exception was thrown by the application.
System.ArgumentNullException: Value cannot be null.
Parameter name: value
   at System.Security.Claims.ClaimsIdentity.HasClaim(String type, String value)
   at System.Security.Claims.ClaimsPrincipal.IsInRole(String role)
   at Microsoft.AspNetCore.Authorization.Infrastructure.RolesAuthorizationRequirement.<>c__DisplayClass4_0.<HandleRequirementAsync>b__0(String r)
   at System.Linq.Enumerable.Any[TSource](IEnumerable`1 source, Func`2 predicate)
   at Microsoft.AspNetCore.Authorization.Infrastructure.RolesAuthorizationRequirement.HandleRequirementAsync(AuthorizationHandlerContext context, RolesAuthorizationRequirement requirement)
   at Microsoft.AspNetCore.Authorization.AuthorizationHandler`1.HandleAsync(AuthorizationHandlerContext context)
   at Microsoft.AspNetCore.Authorization.Infrastructure.PassThroughAuthorizationHandler.HandleAsync(AuthorizationHandlerContext context)
   at Microsoft.AspNetCore.Authorization.DefaultAuthorizationService.AuthorizeAsync(ClaimsPrincipal user, Object resource, IEnumerable`1 requirements)
   at Microsoft.AspNetCore.Authorization.Policy.PolicyEvaluator.AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, Object resource)
   at Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
```
It seems the value cannot be found in the groups claim. If I remove the policy from the controller and use only [Authorize], it works and I receive a token with the groups claim. How can I protect my API with an authorization policy?
> I have a .NET Core application that uses OpenIdConnect as the default authentication scheme against a custom authorization server. services.AddAuthentication(authenticationOptions => {...

Please make sure you have set the roles correctly in appsettings.json:
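As an added example, not code from the question or from the answer above: the stack trace shows `RequireRole` happily accepting a null role name at startup and then throwing `ArgumentNullException` from `ClaimsIdentity.HasClaim` on the first request that hits the policy, because `Configuration.GetValue<string>(...)` returns null for a missing key. The wiring below resolves every role name once, at startup, and refuses to start if any is missing, so a misconfigured or mistyped key is reported clearly instead of as a 500. It assumes the role names live under `SecurityRoles` in appsettings.json (as in the question) and that the identity provider delivers group membership in a `groups` claim (as the `groups` scope suggests); `RequiredRole`, `AddQsgAuthorization` and `UseGroupsAsRoles` are names chosen for this example.

```csharp
// Added example (not the question's or the answer's code).
// Assumptions: .NET Core Startup with IConfiguration; role names under
// "SecurityRoles" in appsettings.json; provider emits a "groups" claim.
using System;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class RoleConfigurationExtensions
{
    // Expected appsettings.json shape (constructed sample values):
    // "SecurityRoles": {
    //   "QSGAdminRole":    "qsg-admins",
    //   "QSGReadOnlyRole": "qsg-readonly",
    //   "QSGReviewerRole": "qsg-reviewers",
    //   "QSGTraderRole":   "qsg-traders"
    // }

    // Reads one role name and refuses to continue if the key is missing or
    // blank. GetValue<string> returns null for a missing key, and a null role
    // name is exactly what later throws inside ClaimsPrincipal.IsInRole.
    public static string RequiredRole(this IConfiguration configuration, string key)
    {
        var value = configuration.GetValue<string>(key);
        if (string.IsNullOrWhiteSpace(value))
        {
            throw new InvalidOperationException(
                $"Configuration key '{key}' is missing or empty; " +
                "every role used by an authorization policy must be configured.");
        }
        return value;
    }

    // Builds the same four policies as the question, but every role name is
    // validated at startup. A typo in a key (for example an extra character
    // in "SecurityRoles:QSGAdminRole") fails process start with a clear
    // message instead of surfacing as ArgumentNullException per request.
    public static IServiceCollection AddQsgAuthorization(
        this IServiceCollection services, IConfiguration configuration)
    {
        var admin    = configuration.RequiredRole("SecurityRoles:QSGAdminRole");
        var readOnly = configuration.RequiredRole("SecurityRoles:QSGReadOnlyRole");
        var reviewer = configuration.RequiredRole("SecurityRoles:QSGReviewerRole");
        var trader   = configuration.RequiredRole("SecurityRoles:QSGTraderRole");

        services.AddAuthorization(authOptions =>
        {
            authOptions.AddPolicy("QSGAdminPolicy",    p => p.RequireRole(admin));
            authOptions.AddPolicy("QSGReadOnlyPolicy", p => p.RequireRole(readOnly));
            authOptions.AddPolicy("QSGReviewerPolicy", p => p.RequireRole(reviewer, trader, admin));
            authOptions.AddPolicy("QSGTraderPolicy",   p => p.RequireRole(trader, admin));
        });
        return services;
    }

    // RequireRole is evaluated through ClaimsPrincipal.IsInRole, which looks
    // only at claims of the identity's role claim type (ClaimTypes.Role by
    // default). If the provider reports membership in a "groups" claim, tell
    // the handler so those claims are the ones a policy compares against.
    // Assumption: the provider's group claim is literally named "groups".
    public static OpenIdConnectOptions UseGroupsAsRoles(this OpenIdConnectOptions options)
    {
        options.TokenValidationParameters.RoleClaimType = "groups";
        return options;
    }
}
```

In `ConfigureServices` this replaces the `services.AddAuthorization(...)` call with `services.AddQsgAuthorization(Configuration);` and adds `openIdOptions.UseGroupsAsRoles();` inside the `AddOpenIdConnect` callback. The point of resolving the names up front is that a policy which cannot be evaluated should not exist at all; a null role silently turns every request on that endpoint into an unhandled exception rather than a deny.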