Azure AD应用程序角色

Question

Azure AD应用程序角色

Mil*_*len 2 asp.net-mvc asp.net-web-api azure-active-directory asp.net-web-api2 openid-connect

我正在尝试通过Azure AD应用程序角色创建受保护的控制器.

这是对Startup.Auth的免除,它基本上由Visual Studio模板提供:

public void ConfigureAuth(IAppBuilder app)
        {
            ApplicationDbContext db = new ApplicationDbContext();

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = Authority,
                    PostLogoutRedirectUri = postLogoutRedirectUri,

                    Notifications = new OpenIdConnectAuthenticationNotifications()
                    {
                        // If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
                       AuthorizationCodeReceived = (context) => 
                       {
                           var code = context.Code;
                           ClientCredential credential = new ClientCredential(clientId, appKey);
                           string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
                           AuthenticationContext authContext = new AuthenticationContext(Authority, new ADALTokenCache(signedInUserID));
                           AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
                           code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);

                           return Task.FromResult(0);
                       }
                    }
                });
        }

Run Code Online (Sandbox Code Playgroud)

尝试过具有以下属性的ApiController:

[Authorize(Roles = "Administrators")]
// GET: api/Questions
[ResponseType(typeof(Question))]
public IHttpActionResult GetQuestions()
{
    ....
}

Run Code Online (Sandbox Code Playgroud)

和一个MVC控制器:

  [Authorize(Roles = "Administrators")]
    public ActionResult Index()
    {
     ....    
    }

Run Code Online (Sandbox Code Playgroud)

在Azure Application清单中定义了以下内容:

  "appRoles": [
      { 
        "id": "B4531A9A-0DC8-4015-8CE5-CA1DA1D73754",
        "allowedMemberTypes": ["User"], 
        "description": "Administrators",
        "displayName": "Administrators",
        "value": "Administrators",
        "isEnabled": true,
        "origin": "Application"
      }
  ]

Run Code Online (Sandbox Code Playgroud)

现在执行/ api/Questions的GET请求重定向到https://login.microsoftonline.com并且用户身份验证似乎成功,除了localhost和microsoft online之间存在无限循环请求.见下文:

要求1

要求2

要求3

要求4

我做错了什么？

使用[授权]工作正常.

Answer 1

Mil*_*len 8

事实证明,应该将以下内容添加到Startup.Auth:

TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
    {
        ValidateIssuer = true,
        // map the claimsPrincipal's roles to the roles claim
        RoleClaimType = "roles",
    }

Run Code Online (Sandbox Code Playgroud)

它实际上是配置"角色"声明类型,以便将其映射为默认行为.有很好的解释,请访问:https: //samlman.wordpress.com/2015/03/09/using-roles-in-azure-applications/

归档时间：	10 年，4 月前
查看次数：	2510 次
最近记录：	8 年前