我试图了解使用 Azure AD(Entra ID)进行身份验证和授权的授权过滤器。我在 Azure 中创建了三个角色,并将用户分配给这些角色。该应用程序成功使用 Azure 进行身份验证,但授权不起作用。
当我访问 https://localhost:sslport/ 和 https://localhost:sslport/Dashboard 时,它允许所有三个用户在再次进行 MS 身份验证后进行访问。但如果我转到 https://localhost:sslport/Dashboard/Settings、https://localhost:sslport/Dashboard/Administrator 或 https://localhost:sslport/Dashboard/Poweruser 我会被拒绝访问。
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "qualified.domain.name",
"TenantId": "d1d5fe91-a895-45d7-964a-8ae51ff19d03",
"ClientId": "ac748c0f-f4f1-4351-b317-977d2edb81e1",
"CallbackPath": "/Signin-oidc",
"SignoutcallbackUrl": "/Signout-oidc"
},
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
namespace AzureADRoles
{
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
services.AddAuthorization(options =>
{
options.AddPolicy("RequireAdminRole", policy => policy.RequireRole("Administrator"));
options.AddPolicy("RequirePoweruserRole", policy => policy.RequireRole("Poweruser"));
options.AddPolicy("RequireUserRole", policy => policy.RequireRole("User"));
});
services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
// Set RoleClaimType to "groups" to use Azure AD groups as roles
options.TokenValidationParameters.RoleClaimType = "groups";
});
services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
services.AddRazorPages()
.AddMicrosoftIdentityUI();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
endpoints.MapRazorPages();
});
}
}
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using System.Linq;
namespace AzureADRoles.Controllers
{
//[Authorize(Roles = "Administrator,Poweruser,User")]
public class DashboardController : Controller
{
public IActionResult Index()
{
return View();
}
[Authorize(Policy = "RequireUserRole")]
public IActionResult Settings()
{
return View();
}
[Authorize(Policy = "RequireAdminRole")]
public IActionResult Administrator()
{
return View();
}
[Authorize(Policy = "RequirePoweruserRole")]
public IActionResult Poweruser()
{
return View();
}
}
}
我相信您正在尝试实现基于角色的访问控制(RBAC),我们这里有一个示例。
我们首先需要拥有Azure AD角色并分配给不同的用户,然后在应用程序中定义和使用策略。
var builder = WebApplication.CreateBuilder(args);
// This flag ensures that the ClaimsIdentity claims collection will be built from the claims in the token
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration);
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme,options =>
{
// The claim in the Jwt token where App roles are available.
options.TokenValidationParameters.RoleClaimType = "roles";
});
// Adding authorization policies that enforce authorization using Azure AD roles.
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("mypolicy", policy => policy.RequireRole("Tiny.AccessEndpoint"));
});
builder.Services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
}).AddMicrosoftIdentityUI();
创建 Azure AD 角色并将用户或组分配给该角色。