Asp.net core 试图通过Azure AD B2C进行身份验证,并通过AAD的组进行授权
因此,我遵循以下示例: 托管Blazor Web组件和B2C: Azure Active Directory组和角色: 我首先实现了托管的BlazorWeb组装,并且工作得很好。开始实施组和角色部分,并开始出现问题 正如示例中所示,一切都是逐字逐句的,但不确定我是否在客户端中正确地合并或设置了Program.cs。尝试呼叫时,我得到一个“Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2] 授权失败。” 不幸的是,我的断点都不起作用,所以我想我会去看看有没有人有什么建议。 这是从Blazor的脚手架上建造的。 这是我的客户端应用程序设置中的my program.csAsp.net core 试图通过Azure AD B2C进行身份验证,并通过AAD的组进行授权,asp.net-core,azure-active-directory,blazor,azure-ad-b2c,azure-ad-graph-api,Asp.net Core,Azure Active Directory,Blazor,Azure Ad B2c,Azure Ad Graph Api,因此,我遵循以下示例: 托管Blazor Web组件和B2C: Azure Active Directory组和角色: 我首先实现了托管的BlazorWeb组装,并且工作得很好。开始实施组和角色部分,并开始出现问题 正如示例中所示,一切都是逐字逐句的,但不确定我是否在客户端中正确地合并或设置了Program.cs。尝试呼叫时,我得到一个“Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2] 授权失败。” 不幸的是,我的
builder.Services.AddHttpClient("<Server Project Name>", client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))
.AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();
// Supply HttpClient instances that include access tokens when making requests to the server project
builder.Services.AddScoped(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("KeeperLife.UI.ServerAPI"));
builder.Services.AddMsalAuthentication(options =>
{
builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication);
options.ProviderOptions.DefaultAccessTokenScopes.Add("https://<Full path to >/API.Access ");
});
builder.Services.AddScoped<GraphAPIAuthorizationMessageHandler>();
builder.Services.AddHttpClient("GraphAPI",
client => client.BaseAddress = new Uri("https://graph.microsoft.com"))
.AddHttpMessageHandler<GraphAPIAuthorizationMessageHandler>();
builder.Services.AddMsalAuthentication<RemoteAuthenticationState,
CustomUserAccount>(options =>
{
builder.Configuration.Bind("AzureAd",
options.ProviderOptions.Authentication);
//Originally this was "..." but it seemed to break base config so i added the same as above and that worked but then tested with it commented out and it still worked so left it commented out.
//options.ProviderOptions.DefaultAccessTokenScopes.Add("https://<Url to full API PAth>/API.Access");
options.ProviderOptions.AdditionalScopesToConsent.Add(
"https://graph.microsoft.com/Directory.Read.All");
})
.AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, CustomUserAccount,
CustomUserFactory>();
builder.Services.AddAuthorizationCore(options =>
{
options.AddPolicy("SiteAdmin", policy =>
policy.RequireClaim("group", "<The Object ID of the group>"));
});
builder.Services.AddHttpClient(“,client=>client.BaseAddress=新Uri(builder.HostenEnvironment.BaseAddress))
.AddHttpMessageHandler();
//向服务器项目发出请求时,提供包含访问令牌的HttpClient实例
builder.Services.addScope(sp=>sp.GetRequiredService().CreateClient(“KeeperLife.UI.ServerAPI”);
builder.Services.AddMsalAuthentication(选项=>
{
builder.Configuration.Bind(“AzureAdB2C”,options.ProviderOptions.Authentication);
options.ProviderOptions.DefaultAccessTokenScopes.Add(“https:///API.Access ");
});
builder.Services.addScope();
builder.Services.AddHttpClient(“GraphAPI”,
client=>client.BaseAddress=新Uri(“https://graph.microsoft.com"))
.AddHttpMessageHandler();
builder.Services.AddMsalAuthentication(选项=>
{
builder.Configuration.Bind(“AzureAd”,
options.ProviderOptions.Authentication);
//最初这是“…”,但它似乎打破了基本配置,所以我添加了与上面相同的配置,这是可行的,但随后用它进行了测试,注释掉了,它仍然有效,所以没有注释掉它。
//options.ProviderOptions.DefaultAccessTokenScopes.Add(“https:///API.Access");
options.ProviderOptions.AdditionalScopesToApprovement.Add(
"https://graph.microsoft.com/Directory.Read.All");
})
.AddAccountClaimsPrincipalFactory();
builder.Services.AddAuthorizationCore(选项=>
{
options.AddPolicy(“SiteAdmin”,policy=>
policy.require(“组”,“组”);
});
“groupMembershipClaims”:“SecurityGroup”投票这将很有帮助。如果我的答案对您有帮助,您可以将其作为答案接受(单击答案旁边的复选标记,将其从灰色变为填充。)。看见这可能对其他社区成员有益。非常感谢。