如何向Windows用户添加声明 [英] How to add claims to windows user

问题描述

我有一个启用Windows应用程序的dotnet核心api应用程序.我们有一堆具有特殊权限"admin"并存储在数据库中的用户，其余所有用户都具有默认权限"user".我希望用户对数据库中的所有人有额外的要求.另外，我想存储更多信息，例如emailid，员工编号(必须手动从LDAP查询)

I have a dotnet core api app with windows app enabled. We have bunch of users which have special permission 'admin' and are stored in database, rest all have default permission 'user'. I want users to have extra claims who all are in database. Also I want to store more information like emailid, employee number(which I have to query from LDAP manually)

我想我将拥有一个api，例如 api/auth ，它将捕获当前用户并根据数据库和ldap查询添加声明，其他api端点都可以使用它.

What I thought is I will have one api, say api/auth which will capture the current user and add claims based on database and ldap query and other api end points can use it.

但是我不知道如何在不同的api端点之间添加和保留声明.

But I am not able to get how to add and persist claims between different api end points.

有可能吗，或者这是一个好方法?我还有第二个选择，可以在每次api调用时访问数据库.

Is it possible, and or is it a good way? I have second option to hit the database on each api call.

我编写了一个中间件，该中间件可拦截所有api请求并搜索LDAP/数据库，创建一个 ClaimsIndentity 并将其添加到 Users.Identity 中.然后在整个通话中都可以使用它.

Edit 1: I have written a middleware which intercepts all api request and searches LDAP/database, creates an ClaimsIndentity and add it to Users.Identity. Then it is available through rest of the call.

当我是@Ondra Starenko的答案时，我无法引用 IClaimsTransformer 或 app.UseClaimsTransformation .还有什么我需要包括的吗?

Edit 2: When I am @Ondra Starenko's answer, I am not able to reference IClaimsTransformer or app.UseClaimsTransformation. Is there something else I need to include.

平台:.NET Core 2.1.3

Platform: .NET core 2.1.3

推荐答案

.NET Core 2+中的IClaimsTransformer已被弃用.而是使用IClaimsTransformation:

In .NET Core 2+ IClaimsTransformer has been deprecated. Instead use IClaimsTransformation:

using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

public class ClaimsTransformer : IClaimsTransformation
{ 
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var ci = (ClaimsIdentity) principal.Identity;
        var c = new Claim(ci.RoleClaimType, "Admin");
        ci.AddClaim(c);
        return Task.FromResult(principal);
    }
}

还请注意，您不应使用"ClaimTypes.Role".您应该使用ci.RoleClaimType-特别是如果您启用了Windows身份验证.在Windows身份验证下，ci.RoleClaimType评估为某个字符串值，该字符串值将作为角色正确获取，而ClaimTypes.Role则不会.

Also note that you should not use "ClaimTypes.Role". You should use ci.RoleClaimType - Especially if you have Windows Authentication enabled. Under Windows Authentication ci.RoleClaimType evaluates to some string value that will get picked up correctly as a role, whereas ClaimTypes.Role will not.

最后将您的ClaimsTransformer添加到Startup.cs的ConfigureServices方法中:

Finally inject your ClaimsTransformer by adding it to the ConfigureServices method of Startup.cs:

services.AddSingleton<IClaimsTransformation, ClaimsTransformer>();

您现在应该能够将基于角色的授权属性添加到Controller方法中，并且这些属性现在将被正确评估:

You should now be able to add Role based Authorization attributes to your Controller methods and these will now be evaluated correctly:

[Authorize(Roles = "Admin")]
[HttpGet("[action]/{id}")]        
public User GetUser([FromRoute] int id)
{
    UserLogic ul = new UserLogic();
    return ul.GetUser(id);
}

这篇关于如何向Windows用户添加声明的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！