我创建了一个独立的Blazor WASM。我正在使用身份验证和授权服务。角色是这样配置的(摘自Azure中的应用程序清单):
"..."=故意删除
"id": "b143bedd-b16c-4b94-...",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": null,
"addIns": [],
"allowPublicClient": null,
"appId": "ec351a0b-19d7-...",
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "Handledare kan lägga till och ta bort sessioner i kurser",
"displayName": "Handledare",
"id": "583f0ed6-1f22-4712-8d23-d438f2411cf5",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "Sessions.CRUD"
},
{
"allowedMemberTypes": [
"User"
],
"description": "Samordnare kan lägga till och ta bort kursdeltagare",
"displayName": "Samordnare",
"id": "3d7c144a-f87f-4806-a8c5-0ba9cca13c9f",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "User.EnrolUnenrol"
}
在我的Program.cs中,我已经这样配置了认证/授权:
builder.Services
.AddMsalAuthentication(options =>
{
builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
options.ProviderOptions.DefaultAccessTokenScopes
.Add("https://graph.microsoft.com/User.Read");
options.ProviderOptions.LoginMode = "redirect";
options.UserOptions.RoleClaim = "roles";
});
builder.Services
.AddAuthorizationCore(options =>
{
options.AddPolicy("Samordnare", policy =>
policy.RequireRole("User.EnrolUnenrol"));
options.AddPolicy("Handledare", policy =>
policy.RequireRole("Sessions.CRUD"));
});
在NavMenu。我已经添加了如下的策略检查:
<MudNavMenu>
<MudNavLink Href="" Match="NavLinkMatch.All" Icon="@Icons.Material.Filled.Home">Start</MudNavLink>
<AuthorizeView>
<Authorized>
<MudNavLink Href="/enrolme" Match="NavLinkMatch.Prefix" Icon="@Icons.Material.Filled.Person">Mina kursanmälningar</MudNavLink>
</Authorized>
</AuthorizeView>
<AuthorizeView Policy="Samordnare">
<Authorized>
<MudDivider Class="my-2" />
<MudText Typo="Typo.body2" Class="px-4 mud-text-secondary">Samordnare</MudText>
<MudDivider Class="my-2" />
<MudNavLink Href="/manageenrolments" Match="NavLinkMatch.Prefix" Icon="@Icons.Material.Filled.People">Hantera andras kursanmälningar</MudNavLink>
</Authorized>
</AuthorizeView>
当我启动应用程序并登录时,我得到以下验证错误:
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (User.EnrolUnenrol)
(我已将自己分配给AAD中的Samordnare(user . registrunenrol)角色)
如果我按下F12键,在Edge中查看会话信息,我可以看到角色被获取了。
{
"aud": "...",
"iss": "https://login.microsoftonline.com/.../v2.0",
"iat": ...,
"nbf": ...,
"exp": ...,
"groups": [
...
],
"name": "Peter Rundqvist",
"nonce": "...",
"oid": "...",
"preferred_username": "peter.rundqvist@...",
"rh": "...",
"roles": [
"User.EnrolUnenrol",
"Sessions.CRUD"
],
"sub": "...",
"tid": "...",
"uti": "...",
"ver": "2.0",
"wids": [
"...",
"..."
]
}
因此,据我所知,声明被发送到浏览器。但是,为什么我的政策不能得到这个?options.AddPolicy("Samordnare", policy => policy.RequireRole("User.EnrolUnenrol"));不应该映射"用户"吗?";Samordnare"使<AuthorizeView Policy="Samordnare">?
我在这里做错了什么?
reagards,彼得。
我可能只是缺少策略上的. requireauthenticateduser()。
为简单起见,我将其设置为回退策略,但您可以将其设置为任何策略。
services.AddAuthorization(options =>
{
options.FallbackPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser().Build();
}
如果这不起作用——意味着你的用户仍然能够访问所有的页面——我认为你需要阅读WebAssembly独立MSAL上的微软文档,从那里你将能够在你的应用程序中追踪步骤,并找出你是否错过了更重要的功能。