我们有一个使用社交网络认证的Azure移动应用程序。尝试使用自定义令牌处理程序将用户角色添加为声明。
这在本地主机上运行时都有效——令牌添加到令牌处理程序中,并且在调用AuthorizationAttribute OnAuthorization方法时可用。带有指定角色的Authorize属性按预期工作。
但是当运行Azure时,声明被添加,但是当调用OnAuthorization方法时,自定义角色声明就消失了。
代码如下:
启动/Config类
public class OwinStartup
{
public void Configuration(IAppBuilder app)
{
var config = GlobalConfiguration.Configuration;
new MobileAppConfiguration()
.AddPushNotifications()
.ApplyTo(config);
MobileAppSettingsDictionary settings = config.GetMobileAppSettingsProvider().
GetMobileAppSettings();
app.UseAppServiceAuthentication(new AppServiceAuthenticationOptions()
{
SigningKey = ConfigurationManager.AppSettings["authSigningKey"],
ValidAudiences = new[] { ConfigurationManager.AppSettings["authAudience"] },
ValidIssuers = new[] { ConfigurationManager.AppSettings["authIssuer"] },
TokenHandler = new AppServiceTokenHandlerWithCustomClaims(config)
});
//Authenticate stage handler in OWIN Pipeline
app.Use((context, next) =>
{
return next.Invoke();
});
app.UseStageMarker(PipelineStage.Authenticate);
}
添加角色声明的令牌处理器
public class AppServiceTokenHandlerWithCustomClaims : AppServiceTokenHandler
{
public AppServiceTokenHandlerWithCustomClaims(HttpConfiguration config)
: base(config)
{
}
public override bool TryValidateLoginToken(
string token,
string signingKey,
IEnumerable<string> validAudiences,
IEnumerable<string> validIssuers,
out ClaimsPrincipal claimsPrincipal)
{
var validated = base.TryValidateLoginToken(token, signingKey, validAudiences, validIssuers, out claimsPrincipal);
if (validated)
{
string sid = claimsPrincipal.FindFirst(ClaimTypes.NameIdentifier).Value;
var roleProvider = UnityConfig.Container.Resolve<IRoleProvider>("RoleProvider");
var roles = roleProvider.GetUserRolesBySid(sid);
foreach (var role in roles)
{
((ClaimsIdentity)claimsPrincipal.Identity).AddClaim(new Claim(ClaimTypes.Role, role));
}
}
return validated;
}
}
角色声明来自身份声明集合
的角色声明示例{http://schemas.microsoft.com/ws/2008/06/identity/claims/role: admin}
授权Web Api控制器的属性
[Authorize(Roles = "admin")]
对具有指定一个或多个角色的授权属性的端点的每个调用都失败(401)
不确定在Azure中运行时,声明是否被剥离或未在Identity中持久化是怎么回事。
谢谢迈克尔。
我在书中有一章是关于这个的- https://adrianhall.github.io/develop-mobile-apps-with-csharp-and-azure/chapter2/custom/#using-third-party-tokens
注意带有附加声明的自定义身份验证。您需要使用原始令牌调用自定义API,检查令牌的有效性,然后生成具有所需声明的新令牌(zumo令牌)。然后,您可以将这些声明用于所需的任何内容。
根据这篇博文,你的一些选择可能是错误的。AppSettings仅用于本地调试,在Azure中不起作用。
试试这个:
public void Configuration(IAppBuilder app)
{
var config = GlobalConfiguration.Configuration;
new MobileAppConfiguration()
.AddPushNotifications()
.ApplyTo(config);
MobileAppSettingsDictionary settings = config
.GetMobileAppSettingsProvider()
.GetMobileAppSettings();
// Local Debugging
if (string.IsNullOrEmpty(settings.HostName))
{
app.UseAppServiceAuthentication(new AppServiceAuthenticationOptions()
{
SigningKey = ConfigurationManager.AppSettings["authSigningKey"],
ValidAudiences = new[] { ConfigurationManager.AppSettings["authAudience"] },
ValidIssuers = new[] { ConfigurationManager.AppSettings["authIssuer"] },
TokenHandler = new AppServiceTokenHandlerWithCustomClaims(config)
});
}
// Azure
else
{
var signingKey = GetSigningKey();
string hostName = GetHostName(settings);
app.UseAppServiceAuthentication(new AppServiceAuthenticationOptions
{
SigningKey = signingKey,
ValidAudiences = new[] { hostName },
ValidIssuers = new[] { hostName },
TokenHandler = new AppServiceTokenHandlerWithCustomClaims(config)
});
}
//Authenticate stage handler in OWIN Pipeline
app.Use((context, next) =>
{
return next.Invoke();
});
app.UseStageMarker(PipelineStage.Authenticate);
}
private static string GetSigningKey()
{
// Check for the App Service Auth environment variable WEBSITE_AUTH_SIGNING_KEY,
// which holds the signing key on the server. If it's not there, check for a SigningKey
// app setting, which can be used for local debugging.
string key = Environment.GetEnvironmentVariable("WEBSITE_AUTH_SIGNING_KEY");
if (string.IsNullOrWhiteSpace(key))
{
key = ConfigurationManager.AppSettings["SigningKey"];
}
return key;
}
private static string GetHostName(MobileAppSettingsDictionary settings)
{
return string.Format("https://{0}/", settings.HostName);
}