我正在使用最新的.NET8和Blazor应用程序作为服务器端渲染.我正在try 将角色验证添加到应用程序中.我已经让我的Azure Web应用程序以及应用程序注册和身份验证工作了.我添加了角色,并将它们分配给了entra id中的用户.当我单步执行我的代码时,我可以看到roles
声明,其中添加了我的自定义角色.当我试着使用<AuthorizeView Roles="Spec.Read"><p>you have spec.read role</p>
时,它从来没有显示出来.以下是我到目前为止得到的信息:
myComponent.razor个
<AuthorizeView>
<p>Hello, @context.User.Identity?.Name</p> @*shows my e-mail as expected*@
<p>Roles: @roles</p> @*shows the roles that is populated in the code section as expected. this includes "Spec.Read" *@
<AuthorizeView Roles="Spec.Read" Context="childContext">
<p>you are a spec reader</p> @* this never shows up *@
</AuthorizeView>
</AuthorizeView>
...
@code{
[CascadingParameter]
Task<AuthenticationState> authenticationState{ get; set; }
string roles = "";
protected override async Task OnInitializedAsync()
{
SpecList = await CosmosDataSource.GetSpecList();
if(authenticationState is not null)
{
var userIdentity = (ClaimsIdentity)(await authenticationState).User?.Identity;
var claims = userIdentity.Claims;
roles = claims.Where(x => x.Type == "roles").Select(x => x.Value).Aggregate((prev, next) => $"{prev}; {next}");
}
await base.OnInitializedAsync();
}
}
以下是我用来添加ME ID(Microsoft Entra ID)的Program.cs代码片段,这似乎起作用了. program.cs个
...
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme).
AddMicrosoftIdentityWebApp(builder.Configuration)
.EnableTokenAcquisitionToCallDownstreamApi()
.AddInMemoryTokenCaches();
// Add services to the container.
builder.Services.AddRazorPages().AddMvcOptions(options=>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
}).AddMicrosoftIdentityUI();
...
那么,我如何使用我的blazor组件的<AuthorizationView Roles=...
部分中使用的角色声明呢?
另外,我可能做的Auth是完全错误的.这是我第一次实现auth,我正在try 遵循MS文档,但整个文档、框架和Net版本都有一点不一致.
picture showing the roles working in the blazor个
debugger showing the roles claim
编辑:
我已经更新了我的程序cs add authentication,使其成为下面的代码片段:
builder.Services.AddAuthentication("MicrosoftOidc")
.AddOpenIdConnect("MicrosoftOidc", oidcOptions =>
{
oidcOptions.Scope.Add(OpenIdConnectScope.OfflineAccess);
oidcOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
oidcOptions.Authority = builder.Configuration["AzureAd:Instance"];
oidcOptions.ClientId = builder.Configuration["AzureAd:ClientId"];
oidcOptions.ClientSecret = builder.Configuration["AzureAd:ClientSecret"];
oidcOptions.ResponseType = OpenIdConnectResponseType.Code;
oidcOptions.MapInboundClaims = false;
oidcOptions.TokenValidationParameters.NameClaimType = JwtRegisteredClaimNames.Name;
oidcOptions.TokenValidationParameters.RoleClaimType = "role";
oidcOptions.TokenValidationParameters.IssuerValidator = AadIssuerValidator.GetAadIssuerValidator(
oidcOptions.Authority,
oidcOptions.Backchannel).Validate;
})
.AddMicrosoftIdentityWebApp(builder.Configuration)
.EnableTokenAcquisitionToCallDownstreamApi()
.AddInMemoryTokenCaches();
然而,我还是得到了同样的结果.我也try 过将RoleClaimType更改为"Roles",但没有更改.JsonWebTokenHandler.DefaultInboundClaimTypeMap
同时定义了角色和角色,但两者都指向相同的角色架构