ASP.NET Core：使用 Azure AD 在 ASP.NET Core 2.2 中获取 “employeeId” 或 “jobTitle” 声明(claims)
我想扩展从 Azure AD 得到的声明(claims)。我知道还有更多声明可用，但不知道从哪里开始，相关文档也很分散。我基本上有一个 ASP.NET Core 2.2 Web 应用程序，配置如下：（标签：asp.net-core, azure-active-directory, claims-based-identity, claims）
// Cookie-consent policy: every request is treated as needing consent for non-essential cookies.
// MinimumSameSitePolicy = None means the policy itself does not raise any cookie's SameSite attribute
// (the project-template default); tighten this only after checking the OIDC redirect still works.
services.Configure<CookiePolicyOptions>(cookieOptions =>
{
    cookieOptions.CheckConsentNeeded = httpContext => true;
    cookieOptions.MinimumSameSitePolicy = SameSiteMode.None;
});

// Azure AD sign-in, bound from the "AzureAd" configuration section.
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(azureOptions => Configuration.Bind("AzureAd", azureOptions));

// Global authorization filter: every MVC action requires an authenticated user.
var authenticatedOnly = new AuthorizationPolicyBuilder()
    .RequireAuthenticatedUser()
    .Build();
services.AddMvc(mvcOptions => mvcOptions.Filters.Add(new AuthorizeFilter(authenticatedOnly)))
    .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
我已经修改了应用清单(manifest)中的各种选项，但似乎都没有效果。我在网上搜了很久，但找到的文档要么互相矛盾，要么已经过时。
是否有人有可用的示例或教程，或者能告诉我如何用 Graph 中的特定字段来丰富我的声明集(claim set)？
要把 Azure AD 中的 jobTitle 作为声明(claim)使用，你需要先获取一个访问令牌(access token)，再通过 Graph API 读取 jobTitle。详细步骤如下：在应用注册(App registration)中创建一个 ClientSecret，并通过配置（而不是源码）提供给应用；同时确保该应用已获得调用 Graph `/v1.0/me` 所需的权限。下面的示例使用 ADAL（AuthenticationContext），新项目建议改用 MSAL。
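/// <summary>
/// Registers cookie policy, Azure AD (OpenID Connect hybrid flow) authentication and MVC with a
/// "must be authenticated" global filter. On sign-in the authorization code is redeemed for a
/// Microsoft Graph token and the user's jobTitle is added to the principal as a "jobTitle" claim.
/// </summary>
/// <param name="services">The application's service collection.</param>
public void ConfigureServices(IServiceCollection services)
{
    services.Configure<CookiePolicyOptions>(options =>
    {
        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
        options.CheckConsentNeeded = context => true;
        // None = the policy does not raise any cookie's SameSite attribute (project-template default).
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
        .AddAzureAD(options => Configuration.Bind("AzureAd", options));

    services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
    {
        // Hybrid flow: the id_token signs the user in, the code is redeemed below for a Graph token.
        options.ResponseType = "id_token code";

        // Never hard-code the client secret in source. Read it from configuration
        // (user-secrets in development, environment / Key Vault in production) so it is not committed.
        options.ClientSecret = Configuration["AzureAd:ClientSecret"];

        options.Events = new OpenIdConnectEvents
        {
            OnAuthorizationCodeReceived = async context =>
            {
                // Redeem the authorization code ourselves so we obtain an access token scoped to Graph.
                // NOTE(review): ADAL (AuthenticationContext) is deprecated in favour of MSAL; kept to match
                // the original sample.
                var authContext = new AuthenticationContext(context.Options.Authority);
                var credential = new ClientCredential(context.Options.ClientId, context.Options.ClientSecret);
                var authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
                    context.TokenEndpointRequest.Code,
                    new Uri(context.TokenEndpointRequest.RedirectUri, UriKind.RelativeOrAbsolute),
                    credential,
                    "https://graph.microsoft.com");

                // Notify the OIDC middleware that we already took care of code redemption.
                context.HandleCodeRedemption(authResult.AccessToken, context.ProtocolMessage.IdToken);

                // Fetch the signed-in user's profile from Graph. The client is disposed after use;
                // on a busy site prefer IHttpClientFactory (or one shared instance) to avoid socket exhaustion.
                string body;
                using (var client = new HttpClient())
                using (var request = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me"))
                {
                    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
                    using (var response = await client.SendAsync(request))
                    {
                        // Fail the sign-in loudly rather than parsing an error payload as if it were a profile.
                        response.EnsureSuccessStatusCode();
                        body = await response.Content.ReadAsStringAsync();
                    }
                }

                // jobTitle is optional in the directory; Value<string>(name) returns null for both a
                // JSON null and a missing property instead of throwing.
                var jobTitle = JObject.Parse(body).Value<string>("jobTitle");

                // Claim values must not be null, so only enrich the identity when Graph returned a title.
                // The claim is added at sign-in and is therefore persisted in the authentication cookie.
                if (!string.IsNullOrEmpty(jobTitle) && context.Principal.Identity is ClaimsIdentity identity)
                {
                    identity.AddClaim(new Claim("jobTitle", jobTitle));
                }
            },
        };
    });

    services.AddMvc(options =>
    {
        // Global filter: every MVC action requires an authenticated user.
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    })
    .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}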
public void配置服务(IServiceCollection服务)
{
配置(选项=>
{
//此lambda确定给定请求是否需要非必要cookie的用户同意。
options.checkApprovered=context=>true;
options.MinimumSameSitePolicy=SameSiteMode.None;
});
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
.AddAzureAD(options=>Configuration.Bind(“AzureAd”,options));
配置(AzureADDefaults.OpenIdScheme,选项=>
{
options.ResponseType=“id\u令牌代码”;
options.ClientSecret=“Azure中的ClientSecret”;
options.Events=新的OpenIdConnectEvents
{
OnAuthorizationCodeReceived=异步上下文=>{
//获取Graph API的令牌并使用ADAL缓存它。在TodoListController中,我们将使用缓存为Todo List API获取令牌
字符串userObjectId=(context.Principal.FindFirst(“http://schemas.microsoft.com/identity/claims/objectidentifier)价值;
var authContext=新的AuthenticationContext(context.Options.Authority);
var-credential=new-ClientCredential(context.Options.ClientId,context.Options.ClientSecret);
var authResult=等待authContext.AcquireTokenByAuthorizationCodeAsync(context.TokenEndpointRequest.Code,
新Uri(context.TokenEndpointRequest.RedirectUri、UriKind.RelativeOrAbsolute)、凭据,“https://graph.microsoft.com");
//通知OIDC中间件我们已经处理了代码赎回。
HandleCodeRedemption(authResult.AccessToken,context.ProtocolMessage.IdToken);
HttpClient=新的HttpClient();
HttpRequestMessage请求=新建HttpRequestMessage(HttpMethod.Get)https://graph.microsoft.com/v1.0/me");
request.Headers.Authorization=新的AuthenticationHeaderValue(“承载者”,authResult.AccessToken);
HttpResponseMessage response=等待客户端.SendAsync(请求);
var result=await response.Content.ReadAsStringAsync();
//将结果解析为数组
var jArray=JObject.Parse(结果);
//为数组编制索引并选择您的职务
var obj=jArray[“jobTitle”].Value();
var identity=context.Principal.identity作为索赔实体;
identity.AddClaim(新索赔(“职务头衔”,obj));
等待任务;
},
};
});
services.AddMvc(选项=>
{
var policy=new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()文件
.Build();
options.Filters.Add(新的授权过滤器(策略));
})
.SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}
要把 Azure AD 中的 jobTitle 作为声明(claim)使用，你需要先获取一个访问令牌(access token)，再通过 Graph API 读取 jobTitle。详细步骤如下：在应用注册(App registration)中创建一个 ClientSecret，并通过配置（而不是源码）提供给应用；同时确保该应用已获得调用 Graph `/v1.0/me` 所需的权限。下面的示例使用 ADAL（AuthenticationContext），新项目建议改用 MSAL。
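/// <summary>
/// Registers cookie policy, Azure AD (OpenID Connect hybrid flow) authentication and MVC with a
/// "must be authenticated" global filter. On sign-in the authorization code is redeemed for a
/// Microsoft Graph token and the user's jobTitle is added to the principal as a "jobTitle" claim.
/// </summary>
/// <param name="services">The application's service collection.</param>
public void ConfigureServices(IServiceCollection services)
{
    services.Configure<CookiePolicyOptions>(options =>
    {
        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
        options.CheckConsentNeeded = context => true;
        // None = the policy does not raise any cookie's SameSite attribute (project-template default).
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
        .AddAzureAD(options => Configuration.Bind("AzureAd", options));

    services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
    {
        // Hybrid flow: the id_token signs the user in, the code is redeemed below for a Graph token.
        options.ResponseType = "id_token code";

        // Never hard-code the client secret in source. Read it from configuration
        // (user-secrets in development, environment / Key Vault in production) so it is not committed.
        options.ClientSecret = Configuration["AzureAd:ClientSecret"];

        options.Events = new OpenIdConnectEvents
        {
            OnAuthorizationCodeReceived = async context =>
            {
                // Redeem the authorization code ourselves so we obtain an access token scoped to Graph.
                // NOTE(review): ADAL (AuthenticationContext) is deprecated in favour of MSAL; kept to match
                // the original sample.
                var authContext = new AuthenticationContext(context.Options.Authority);
                var credential = new ClientCredential(context.Options.ClientId, context.Options.ClientSecret);
                var authResult = await authContext.AcquireTokenByAuthorizationCodeAsync(
                    context.TokenEndpointRequest.Code,
                    new Uri(context.TokenEndpointRequest.RedirectUri, UriKind.RelativeOrAbsolute),
                    credential,
                    "https://graph.microsoft.com");

                // Notify the OIDC middleware that we already took care of code redemption.
                context.HandleCodeRedemption(authResult.AccessToken, context.ProtocolMessage.IdToken);

                // Fetch the signed-in user's profile from Graph. The client is disposed after use;
                // on a busy site prefer IHttpClientFactory (or one shared instance) to avoid socket exhaustion.
                string body;
                using (var client = new HttpClient())
                using (var request = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me"))
                {
                    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
                    using (var response = await client.SendAsync(request))
                    {
                        // Fail the sign-in loudly rather than parsing an error payload as if it were a profile.
                        response.EnsureSuccessStatusCode();
                        body = await response.Content.ReadAsStringAsync();
                    }
                }

                // jobTitle is optional in the directory; Value<string>(name) returns null for both a
                // JSON null and a missing property instead of throwing.
                var jobTitle = JObject.Parse(body).Value<string>("jobTitle");

                // Claim values must not be null, so only enrich the identity when Graph returned a title.
                // The claim is added at sign-in and is therefore persisted in the authentication cookie.
                if (!string.IsNullOrEmpty(jobTitle) && context.Principal.Identity is ClaimsIdentity identity)
                {
                    identity.AddClaim(new Claim("jobTitle", jobTitle));
                }
            },
        };
    });

    services.AddMvc(options =>
    {
        // Global filter: every MVC action requires an authenticated user.
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    })
    .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}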
public void配置服务(IServiceCollection服务)
{
配置(选项=>
{
//此lambda确定给定请求是否需要非必要cookie的用户同意。
options.checkApprovered=context=>true;
options.MinimumSameSitePolicy=SameSiteMode.None;
});
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
.AddAzureAD(options=>Configuration.Bind(“AzureAd”,options));
配置(AzureADDefaults.OpenIdScheme,选项=>
{
options.ResponseType=“id\u令牌代码”;
options.ClientSecret=“Azure中的ClientSecret”;
options.Events=新的OpenIdConnectEvents
{
OnAuthorizationCodeReceived=异步上下文=>{
//获取Graph API的令牌并使用ADAL缓存它。在TodoListController中,我们将使用缓存为Todo List API获取令牌
字符串userObjectId=(context.Principal.FindFirst(“http://schemas.microsoft.com/identity/claims/objectidentifier)价值;
var authContext=新的AuthenticationContext(context.Options.Authority);
var-credential=new-ClientCredential(context.Options.ClientId,context.Options.ClientSecret);
var authResult=等待authContext.AcquireTokenByAuthorizationCodeAsync(context.TokenEndpointReq