使用 Azure AD 进行授权的 ASP.NET MVC
问题描述 投票:0回答:1
我试图了解使用 Azure AD(Entra ID)进行身份验证和授权的授权过滤器。我在 Azure 中创建了三个角色,并将用户分配给这些角色。该应用程序成功使用 Azure 进行身份验证,但授权不起作用。
当我访问 https://localhost:sslport/ 和 https://localhost:sslport/Dashboard 时,它允许所有三个用户在再次进行 MS 身份验证后进行访问。但如果我转到 https://localhost:sslport/Dashboard/Settings、https://localhost:sslport/Dashboard/Administrator 或 https://localhost:sslport/Dashboard/Poweruser 我会被拒绝访问。
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "qualified.domain.name",
"TenantId": "d1d5fe91-a895-45d7-964a-8ae51ff19d03",
"ClientId": "ac748c0f-f4f1-4351-b317-977d2edb81e1",
"CallbackPath": "/Signin-oidc",
"SignoutcallbackUrl": "/Signout-oidc"
},
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
namespace AzureADRoles
{
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
services.AddAuthorization(options =>
{
options.AddPolicy("RequireAdminRole", policy => policy.RequireRole("Administrator"));
options.AddPolicy("RequirePoweruserRole", policy => policy.RequireRole("Poweruser"));
options.AddPolicy("RequireUserRole", policy => policy.RequireRole("User"));
});
services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
// Set RoleClaimType to "groups" to use Azure AD groups as roles
options.TokenValidationParameters.RoleClaimType = "groups";
});
services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
services.AddRazorPages()
.AddMicrosoftIdentityUI();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
endpoints.MapRazorPages();
});
}
}
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using System.Linq;
namespace AzureADRoles.Controllers
{
//[Authorize(Roles = "Administrator,Poweruser,User")]
public class DashboardController : Controller
{
public IActionResult Index()
{
return View();
}
[Authorize(Policy = "RequireUserRole")]
public IActionResult Settings()
{
return View();
}
[Authorize(Policy = "RequireAdminRole")]
public IActionResult Administrator()
{
return View();
}
[Authorize(Policy = "RequirePoweruserRole")]
public IActionResult Poweruser()
{
return View();
}
}
}
1个回答
0
投票
投票
我相信您正在尝试实现基于角色的访问控制(RBAC),我们这里有一个示例。
我们首先需要拥有Azure AD角色并分配给不同的用户,然后在应用程序中定义和使用策略。
var builder = WebApplication.CreateBuilder(args);
// This flag ensures that the ClaimsIdentity claims collection will be built from the claims in the token
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration);
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme,options =>
{
// The claim in the Jwt token where App roles are available.
options.TokenValidationParameters.RoleClaimType = "roles";
});
// Adding authorization policies that enforce authorization using Azure AD roles.
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("mypolicy", policy => policy.RequireRole("Tiny.AccessEndpoint"));
});
builder.Services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
}).AddMicrosoftIdentityUI();
创建 Azure AD 角色并将用户或组分配给该角色。
最新问题
- 雪花 - 替换撇号
- Golang的socks5代理,流量限制转发到下一个socks5代理
- 无法使用snscrape
- 在雪花中,你可以从变量传递类似任何列表吗
- Apache Arrow 与 Apache Spark - UnsupportedOperationException:sun.misc.Unsafe 或 java.nio.DirectByteBuffer 不可用
- 正确使用AsyncNotifierProvider、AsyncNotifier - Riverpod
- hx-post成功后调用htmx:after-on-load
- 切片器未锁定,但Excel工作表受保护后,切片器仍然无法工作。 ,
- NextJS 13 从布局访问子属性
- 如何获取每个 Spacy NER 实体的描述?
- Azure 存储队列 JavaScript TTL
- GCP - HTTP(S) 负载均衡器 L7 后端存储桶问题
- 查询雪花中的json数组
- 在 laravel 中使用 allowedFilter() 来建立关系
- 检索 2013 年 10 月重大更改后的 Facebook 点赞
- Wordpress 中的自定义重写规则
- 通过 JSON API 插件显示热门帖子
- 如何从具有多对一关系的 Doctrine 模型填充 Zend 表单?
- 在 Laravel 的对象响应中插入额外的数据
- CakePHP:获取当前输入的标签,同时在视图中输出它
© www.soinside.com 2019 - 2024. All rights reserved.