C# 如何在.net core上配置AddAuthorization以允许多个令牌提供程序的角色?
我正在构建一个API,该API需要使用OpenIddict或ADFS生成的自己的令牌以及控制器上的includer角色进行身份验证C# 如何在.net core上配置AddAuthorization以允许多个令牌提供程序的角色?,c#,.net,jwt,authorization,adfs,C#,.net,Jwt,Authorization,Adfs,我正在构建一个API,该API需要使用OpenIddict或ADFS生成的自己的令牌以及控制器上的includer角色进行身份验证[Authorize(roles=“A1,A2”)]。但是,如果添加任何非默认选项,则角色不起作用: My startup.csConfigureServices方法 services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddJwtBearer(options => {
[Authorize(roles=“A1,A2”)]
。但是,如果添加任何非默认选项,则角色不起作用:
My startup.csConfigureServices方法
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Authority = authenticationOptions.Issuer;
options.Audience = authenticationOptions.Audience;
options.RequireHttpsMetadata = !hostingEnvironment.IsDevelopment();
options.IncludeErrorDetails = true;
options.SaveToken = true;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateLifetime = true,
ValidateIssuer = true,
ValidIssuer = authenticationOptions.Issuer,
ValidateAudience = true,
ValidAudience = authenticationOptions.Audience,
ValidateIssuerSigningKey = true,
IssuerSigningKey = new X509SecurityKey(LoadCertificate(services))
};
})
.AddJwtBearer("ADFS", options =>
{
options.Authority = appSettings.AdfsAuthority;
options.Audience = appSettings.AdfsAudience;
options.IncludeErrorDetails = true;
options.MetadataAddress = appSettings.AdfsMetadataAddress;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateLifetime = true,
ValidateIssuer = true,
ValidIssuer = appSettings.AdfsIssuer,
ValidateAudience = true,
ValidAudience = appSettings.AdfsAudience,
ValidateIssuerSigningKey = true
};
});
services.AddAuthorization(options =>
{
options.AddPolicy("A2", policy => policy.RequireRole("A2"));
//options.AddPolicy("A1", policy => policy.RequireRole("A1"));
var policies = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme, "ADFS")
.RequireAuthenticatedUser()
.RequireRole("A1")
.Build();
options.DefaultPolicy = policies;
});
如果我只使用一个AddJwtBearer
提供者,则角色策略的作用如下:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Authority = authenticationOptions.Issuer;
options.Audience = authenticationOptions.Audience;
options.RequireHttpsMetadata = !hostingEnvironment.IsDevelopment();
options.IncludeErrorDetails = true;
options.SaveToken = true;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateLifetime = true,
ValidateIssuer = true,
ValidIssuer = authenticationOptions.Issuer,
ValidateAudience = true,
ValidAudience = authenticationOptions.Audience,
ValidateIssuerSigningKey = true,
IssuerSigningKey = new X509SecurityKey(LoadCertificate(services))
};
});
services.AddAuthorization(options =>
{
options.AddPolicy("A2", policy => policy.RequireRole("A2"));
});
或
有人能帮忙吗?我猜问题出在
AddAuthorization
上,因为RequireRole
配置总是应用于默认模式,在这种情况下,它从来不会应用于自定义模式“ADFS”。我已经对其进行了排序,更改了authorization过滤器,以便添加像[authorization(authorizationschemes=“ADFS,Bearer”,Roles=“A1,A2”)]
我必须更新AddAuthorization
services.AddAuthorization(options =>
{
options.DefaultPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes("ADFS", JwtBearerDefaults.AuthenticationScheme)
.Build();
});
顺便问一下:当您使用自定义策略A1和A2时,不应该是
[授权(Policy=“A1”)]
和[授权(Policy=“A2”)]
而不是[授权(Roles=“A1,A2”)]
(不知道[授权(Policy=“A1,A2”)]
吗?不,我必须添加AuthenticationSchemes以授权筛选器,如[Authorize(Authorize(authorizationSchemes=“ADFS,Bearer”,Roles=“A1,A2”)]
,谢谢
services.AddAuthorization(options =>
{
options.DefaultPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes("ADFS", JwtBearerDefaults.AuthenticationScheme)
.Build();
});