ASP.NET 基于核心策略的身份验证不起作用

我必须在本地数据库中管理用户的角色，而不是在 Azure AD 中。但是，我还需要对控制器进行基于策略的授权，因为我们同时拥有管理员和客户区域。

为了解决这个问题，我添加了一个授权过滤器，该过滤器从Session或数据库加载用户的角色，向Principal添加一个Identity，然后继续前进。此Identity添加了适当的RoleClaim。

在离开授权过滤器之前，IsInRole按预期返回true，并且有两个Identities。

我的授权过滤器如下所示：

public class MyAuthFilter : IAsyncAuthorizationFilter
{
private readonly IUserService userService;
public MyAuthFilter(IUserService userService)
{
this.userService = userService;
}
public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
var user = context.HttpContext.User;
if (user.Identity.IsAuthenticated)
{
AuthUserViewModel authUserViewModel;
var sessionViewModelJson = context.HttpContext.Session.GetString(user.AzureObjectId());
if (string.IsNullOrEmpty(sessionViewModelJson))
{
authUserViewModel = await ConstructSessionViewModel(context);
}
else
{
authUserViewModel = JsonConvert.DeserializeObject<AuthUserViewModel>(sessionViewModelJson);
}
user.AddIdentity(authUserViewModel?.Role);
}
}
private async Task<AuthUserViewModel> ConstructSessionViewModel(AuthorizationFilterContext context)
{
var user = context.HttpContext.User;
var parsedObjectId = Guid.Parse(user.AzureObjectId());
var findUserResult = await userService.FindByAzureObjectId(new FindByAzureObjectIdRequest
{
AzureObjectId = parsedObjectId
});
if (findUserResult.Success)
{
var userModel = findUserResult.User;
var viewModel = new AuthUserViewModel
{
AzureObjectId = parsedObjectId,
UserId = userModel.Id,
SchoolId = userModel.SchoolId.GetValueOrDefault(),
Name = userModel.Name,
Email = userModel.Email,
PhoneNumber = userModel.PhoneNumber,
Role = userModel.Role
};
context.HttpContext.Session.SetString(user.AzureObjectId(), JsonConvert.SerializeObject(viewModel));
return viewModel;
}
return null;
}
}

该AddIdentity扩展方法如下所示：

public static void AddIdentity(this ClaimsPrincipal principal, string role)
{
if (string.IsNullOrWhiteSpace(role) || principal.IsInRole(role))
{
return;
}
switch (role)
{
case Roles.School:
principal.AddIdentity(new SchoolIdentity());
break;
case Roles.Admin:
principal.AddIdentity(new AdminIdentity());
break;
}
}

在这种情况下，添加SchoolIdentity，如下所示：

public class SchoolIdentity : ClaimsIdentity
{
public SchoolIdentity()
{
AddClaim(new SchoolPortalClaim());
}
}

最后，SchoolPortalClaim如下所示：

public class SchoolPortalClaim : Claim
{
public SchoolPortalClaim() : base(ClaimTypes.Role, "School")
{
}
public SchoolPortalClaim(BinaryReader reader) : base(reader)
{
}
public SchoolPortalClaim(BinaryReader reader, ClaimsIdentity subject) : base(reader, subject)
{
}
protected SchoolPortalClaim(Claim other) : base(other)
{
}
protected SchoolPortalClaim(Claim other, ClaimsIdentity subject) : base(other, subject)
{
}
public SchoolPortalClaim(string type, string value) : base(type, value)
{
}
public SchoolPortalClaim(string type, string value, string valueType) : base(type, value, valueType)
{
}
public SchoolPortalClaim(string type, string value, string valueType, string issuer) : base(type, value, valueType, issuer)
{
}
public SchoolPortalClaim(string type, string value, string valueType, string issuer, string originalIssuer) : base(type, value, valueType, issuer, originalIssuer)
{
}
public SchoolPortalClaim(string type, string value, string valueType, string issuer, string originalIssuer, ClaimsIdentity subject) : base(type, value, valueType, issuer, originalIssuer, subject)
{
}
}

当策略执行时，问题就出现了：

services.AddAuthorization(options =>
{
options.AddPolicy(Policies.School,
policy => policy.RequireAssertion(
context => context.User.IsInRole(Roles.School)));
});

context.User没有授权过滤器添加的Identity。

我如何让它向下游移动？

有问题的Controller如下所示：

[Area(Areas.School)]
[Authorize(Policy = Policies.School)]
public class HomeController : BaseController
{
public HomeController(IUserService userService) :
base(userService)
{
}
public IActionResult Index()
{
return RedirectToAction("Index", "Presentation", new {Area = "School"});
}
}