Asp.net core 如何在Blazor Wasm中使用Azure广告设置角色声明？_Asp.net Core_Azure Active Directory_Authorization_Claims Based Identity_Authorize Attribute

Asp.net core 如何在Blazor Wasm中使用Azure广告设置角色声明？

asp.net-core azure-active-directory

Asp.net core 如何在Blazor Wasm中使用Azure广告设置角色声明？,asp.net-core,azure-active-directory,authorization,claims-based-identity,authorize-attribute,Asp.net Core,Azure Active Directory,Authorization,Claims Based Identity,Authorize Attribute,我正在使用Azure AD身份验证进行身份验证。我使用CustomAccountFactory将自定义声明添加到我的身份中。下面是program.cs文件的外观： builder.Services.AddMsalAuthentication<RemoteAuthenticationState, CustomUserAccount>(options => { builder.Configuration.Bind("Az

我正在使用Azure AD身份验证进行身份验证。我使用CustomAccountFactory将自定义声明添加到我的身份中。下面是program.cs文件的外观：

    builder.Services.AddMsalAuthentication<RemoteAuthenticationState,
      CustomUserAccount>(options =>
      {
          builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
          options.ProviderOptions.DefaultAccessTokenScopes.Add("https://graph.microsoft.com/openid");
          options.UserOptions.RoleClaim = "appRole";
      }).AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, CustomUserAccount,
  CustomUserFactory>();

它返回False。这些角色作为键值对添加到声明中，如“appRole”：“ADMIN”。但是，是否未设置授权服务器上的角色？此外，它还显示在任何视图的上下文中

我需要做什么来确保获得这些角色。

问题可能是，在角色授权中，您使用的是角色名称，但在构造函数中，您使用的是userIdentity.AddClaim（新声明（“appRole”，role.RsecGrpId）；。没有看到你的CustomUserAccount，我不确定

尝试更改： AddClaim（新声明（“appRole”，role.RsecGrpId））

到

AddClaim（新声明（“appRole”，角色））

 public class CustomUserFactory
: AccountClaimsPrincipalFactory<CustomUserAccount>
{
    private readonly ILogger<CustomUserFactory> logger;
    private readonly IHttpClientFactory clientFactory;

 
    public IUserService _userService { get; set; }

    public CustomUserFactory(IAccessTokenProviderAccessor accessor,IUserService userService,
        ILogger<CustomUserFactory> logger)
        : base(accessor)
    {
        this.logger = logger;
        _userService = userService;
    }

    public async override ValueTask<ClaimsPrincipal> CreateUserAsync(
        CustomUserAccount account,
        RemoteAuthenticationUserOptions options)
    {
        var initialUser = await base.CreateUserAsync(account, options);

        if (initialUser.Identity.IsAuthenticated)
        {
            var userIdentity = (ClaimsIdentity)initialUser.Identity;

            if (_userService != null)
            {
                var roles = await _userService.GetUserRolesByUserName("UsernameTest").ConfigureAwait(true);

                Console.WriteLine("roles count before: " + roles?.Count);
                Console.WriteLine("claims count before: " + userIdentity.Claims.Count());

                foreach (var role in roles)
                {
                  //  userIdentity.AddClaim(new Claim(ClaimTypes.Role, role.RsecGrpId));

                    userIdentity.AddClaim(new Claim("appRole", role.RsecGrpId));


                }

                Console.WriteLine("roles count after: " + roles?.Count);
                Console.WriteLine("claims count after: " + userIdentity.Claims.Count());

 

            }
            Console.WriteLine("printing claims");
            foreach (var item in userIdentity.Claims)
            {
        
                Console.WriteLine(item?.Value);
                Console.WriteLine(item?.Type);
            }
       
        }

        return initialUser;
    }
}

   @attribute [Authorize(Roles = "ADMIN")]