所以我遵循了以下示例:托管Blazor Web Assembly AAD B2C:点击此处Azure Active Directory组和角色:此处
我首先实现了Hosted Blazor Web Assembly,并使其运行良好。去执行小组和角色部分,开始出现问题。
一切都是逐字逐句的,就像在例子中一样,但不确定我是否在客户端中合并或设置了Program.cs。当尝试呼叫时;Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]授权失败">
不幸的是,我的断点都不起作用,所以我想我会联系一下,看看是否有人有任何建议。这是为Blazor搭建的脚手架。这是我的客户端应用程序设置中的程序.cs。
builder.Services.AddHttpClient("<Server Project Name>", client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))
.AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();
// Supply HttpClient instances that include access tokens when making requests to the server project
builder.Services.AddScoped(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("KeeperLife.UI.ServerAPI"));
builder.Services.AddMsalAuthentication(options =>
{
builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication);
options.ProviderOptions.DefaultAccessTokenScopes.Add("https://<Full path to >/API.Access ");
});
builder.Services.AddScoped<GraphAPIAuthorizationMessageHandler>();
builder.Services.AddHttpClient("GraphAPI",
client => client.BaseAddress = new Uri("https://graph.microsoft.com"))
.AddHttpMessageHandler<GraphAPIAuthorizationMessageHandler>();
builder.Services.AddMsalAuthentication<RemoteAuthenticationState,
CustomUserAccount>(options =>
{
builder.Configuration.Bind("AzureAd",
options.ProviderOptions.Authentication);
//Originally this was "..." but it seemed to break base config so i added the same as above and that worked but then tested with it commented out and it still worked so left it commented out.
//options.ProviderOptions.DefaultAccessTokenScopes.Add("https://<Url to full API PAth>/API.Access");
options.ProviderOptions.AdditionalScopesToConsent.Add(
"https://graph.microsoft.com/Directory.Read.All");
})
.AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, CustomUserAccount,
CustomUserFactory>();
builder.Services.AddAuthorizationCore(options =>
{
options.AddPolicy("SiteAdmin", policy =>
policy.RequireClaim("group", "<The Object ID of the group>"));
});
不确定为什么断点不起作用。但据我所知,AAD B2C并没有提供开箱即用的RBAC功能。
在Azure AD中,我们可以通过修改";groupMembershipClaims"应用程序清单中的字段:"groupMembershipClaims": "SecurityGroup"。但它在Azure AD B2C中不可用。
有一个变通办法。将新的声明类型"groups"添加到自定义策略中,并调用Microsoft Graph获取用户的组。这里有一个例子供你参考。
投票给这个用户语音帖子会很有帮助。