How to set role claims with Azure AD in Blazor WASM



I am using Azure AD authentication. I use a custom account factory to add custom claims to my identity. This is what the Program.cs file looks like:

    builder.Services.AddMsalAuthentication<RemoteAuthenticationState, CustomUserAccount>(options =>
    {
        builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
        options.ProviderOptions.DefaultAccessTokenScopes.Add("https://graph.microsoft.com/openid");
        options.UserOptions.RoleClaim = "appRole";
    }).AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, CustomUserAccount, CustomUserFactory>();

This is what the CustomUserFactory looks like:

    using System;
    using System.Linq;
    using System.Net.Http;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
    using Microsoft.Extensions.Logging;

    public class CustomUserFactory
        : AccountClaimsPrincipalFactory<CustomUserAccount>
    {
        private readonly ILogger<CustomUserFactory> logger;
        private readonly IHttpClientFactory clientFactory;

        public IUserService _userService { get; set; }

        public CustomUserFactory(IAccessTokenProviderAccessor accessor, IUserService userService,
            ILogger<CustomUserFactory> logger)
            : base(accessor)
        {
            this.logger = logger;
            _userService = userService;
        }

        public async override ValueTask<ClaimsPrincipal> CreateUserAsync(
            CustomUserAccount account,
            RemoteAuthenticationUserOptions options)
        {
            // The base factory builds the identity with options.NameClaim / options.RoleClaim
            // as its name and role claim types.
            var initialUser = await base.CreateUserAsync(account, options);
            if (initialUser.Identity.IsAuthenticated)
            {
                var userIdentity = (ClaimsIdentity)initialUser.Identity;
                if (_userService != null)
                {
                    // Roles are looked up from the application's own user service.
                    var roles = await _userService.GetUserRolesByUserName("UsernameTest").ConfigureAwait(true);
                    Console.WriteLine("roles count before: " + roles?.Count);
                    Console.WriteLine("claims count before: " + userIdentity.Claims.Count());
                    foreach (var role in roles)
                    {
                        // userIdentity.AddClaim(new Claim(ClaimTypes.Role, role.RsecGrpId));
                        userIdentity.AddClaim(new Claim("appRole", role.RsecGrpId));
                    }
                    Console.WriteLine("roles count after: " + roles?.Count);
                    Console.WriteLine("claims count after: " + userIdentity.Claims.Count());
                }

                Console.WriteLine("printing claims");
                foreach (var item in userIdentity.Claims)
                {
                    Console.WriteLine(item?.Value);
                    Console.WriteLine(item?.Type);
                }
            }
            return initialUser;
        }
    }

Now the roles are added here, but when I use it in my Razor view like this

    @attribute [Authorize(Roles = "ADMIN")]

it returns False. The roles are added to the claims as key-value pairs like "appRole":"ADMIN". However, the roles on the authorization are not set? Also, it shows up in the context of any view.

What do I need to do to make sure I get these roles?

The problem might be that in the role authorization you are using the role name, while in the constructor you are using userIdentity.AddClaim(new Claim("appRole", role.RsecGrpId));. Without seeing your CustomUserAccount I am not sure.

Try changing:

    userIdentity.AddClaim(new Claim("appRole", role.RsecGrpId));

to

    userIdentity.AddClaim(new Claim("appRole", role));
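Added example, not code from the question or the answer: it shows what [Authorize(Roles = "ADMIN")] actually tests, namely ClaimsPrincipal.IsInRole("ADMIN"), which looks for a claim whose Type equals the identity's RoleClaimType (set from options.UserOptions.RoleClaim, "appRole" above) and whose Value equals "ADMIN". The AppRole record and its Name property are assumed stand-ins for the question's IUserService result.

```csharp
using System;
using System.Security.Claims;

static class RoleClaimCheck
{
    // Constructed stand-in for the question's role object: an internal group id
    // (RsecGrpId, as in the question) plus an assumed display Name.
    record AppRole(string RsecGrpId, string Name);

    // Builds a principal the way the Blazor account factory does: the identity is created
    // with an explicit role claim type, then one "appRole" claim is added per role.
    static ClaimsPrincipal BuildPrincipal(string roleClaimType, Func<AppRole, string> roleValue)
    {
        var identity = new ClaimsIdentity("AzureAdTest", ClaimTypes.Name, roleClaimType);
        identity.AddClaim(new Claim(ClaimTypes.Name, "UsernameTest"));
        foreach (var role in new[] { new AppRole("grp-0001", "ADMIN") })   // constructed sample role
            identity.AddClaim(new Claim("appRole", roleValue(role)));
        return new ClaimsPrincipal(identity);
    }

    static void Main()
    {
        // Case 1, the question: RoleClaim = "appRole" but the claim value is the group id,
        // so no claim has the value "ADMIN" and the role check cannot succeed.
        var byId = BuildPrincipal("appRole", r => r.RsecGrpId);
        Console.WriteLine($"value = RsecGrpId, IsInRole(ADMIN): {byId.IsInRole("ADMIN")}");

        // Case 2, the answer: same claim type, the value is the role name used in [Authorize].
        var byName = BuildPrincipal("appRole", r => r.Name);
        Console.WriteLine($"value = Name,      IsInRole(ADMIN): {byName.IsInRole("ADMIN")}");

        // Case 3, a second pitfall: if RoleClaim is not set the identity's RoleClaimType is
        // ClaimTypes.Role, so an "appRole" claim is ignored even when its value is correct.
        var wrongType = BuildPrincipal(ClaimTypes.Role, r => r.Name);
        Console.WriteLine($"RoleClaimType = default, IsInRole(ADMIN): {wrongType.IsInRole("ADMIN")}");
    }
}
```

Dumping userIdentity.RoleClaimType next to the claim types and values, as the question's factory already does for claims, is the quickest way to see which of the three cases a deployment is in.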
