如何向 Windows 用户添加声明 [英] How to add claims to windows user
问题描述
我有一个启用了 Windows 应用程序的 dotnet 核心 API 应用程序.我们有一堆用户具有特殊权限admin"并存储在数据库中,其余的都具有默认权限user".我希望用户有额外的声明,他们都在数据库中.我还想存储更多信息,如电子邮件 ID、员工编号(我必须手动从 LDAP 查询)
我的想法是我会有一个 api,比如 api/auth,它将捕获当前用户并添加基于数据库和 ldap 查询的声明,其他 api 端点可以使用它.
但我不知道如何在不同的 api 端点之间添加和保留声明.
有没有可能,或者是一个好方法?我有第二个选项可以在每次 api 调用时访问数据库.
我编写了一个中间件,它拦截所有 api 请求并搜索 LDAP/数据库,创建一个 ClaimsIndentity 并将其添加到 Users.Identity.然后它可以通过剩余的通话使用.
当我是@Ondra Starenko 的答案时,我无法引用 IClaimsTransformer 或 app.UseClaimsTransformation.还有什么我需要包括的.
平台:.NET core 2.1.3
在 .NET Core 2+ 中 IClaimsTransformer 已被弃用.而是使用 IClaimsTransformation:
使用 System.Security.Claims;使用 System.Threading.Tasks;使用 Microsoft.AspNetCore.Authentication;公共类 ClaimsTransformer : IClaimsTransformation{公共任务<ClaimsPrincipal>TransformAsync(ClaimsPrincipal 主体){var ci = (ClaimsIdentity) principal.Identity;var c = new Claim(ci.RoleClaimType, "Admin");ci.AddClaim(c);返回 Task.FromResult(principal);}}另请注意,您不应使用ClaimTypes.Role".您应该使用 ci.RoleClaimType - 特别是如果您启用了 Windows 身份验证.在 Windows 身份验证下,ci.RoleClaimType 评估为一些字符串值,该值将作为角色被正确提取,而 ClaimTypes.Role 不会.
最后将您的 ClaimsTransformer 添加到 Startup.cs 的 ConfigureServices 方法中:
services.AddSingleton(); 您现在应该能够将基于角色的授权属性添加到您的控制器方法中,并且现在将正确评估这些属性:
[授权(角色=管理员")][HttpGet("[action]/{id}")]公共用户 GetUser([FromRoute] int id){UserLogic ul = new UserLogic();返回 ul.GetUser(id);}I have a dotnet core api app with windows app enabled. We have bunch of users which have special permission 'admin' and are stored in database, rest all have default permission 'user'. I want users to have extra claims who all are in database. Also I want to store more information like emailid, employee number(which I have to query from LDAP manually)
What I thought is I will have one api, say api/auth which will capture the current user and add claims based on database and ldap query and other api end points can use it.
But I am not able to get how to add and persist claims between different api end points.
Is it possible, and or is it a good way? I have second option to hit the database on each api call.
Edit 1:
I have written a middleware which intercepts all api request and searches LDAP/database, creates an ClaimsIndentity and add it to Users.Identity. Then it is available through rest of the call.
Edit 2:
When I am @Ondra Starenko's answer, I am not able to reference IClaimsTransformer or app.UseClaimsTransformation. Is there something else I need to include.
Platform: .NET core 2.1.3
In .NET Core 2+ IClaimsTransformer has been deprecated. Instead use IClaimsTransformation:
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
public class ClaimsTransformer : IClaimsTransformation
{
public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
var ci = (ClaimsIdentity) principal.Identity;
var c = new Claim(ci.RoleClaimType, "Admin");
ci.AddClaim(c);
return Task.FromResult(principal);
}
}
Also note that you should not use "ClaimTypes.Role". You should use ci.RoleClaimType - Especially if you have Windows Authentication enabled. Under Windows Authentication ci.RoleClaimType evaluates to some string value that will get picked up correctly as a role, whereas ClaimTypes.Role will not.
Finally inject your ClaimsTransformer by adding it to the ConfigureServices method of Startup.cs:
services.AddSingleton<IClaimsTransformation, ClaimsTransformer>();
You should now be able to add Role based Authorization attributes to your Controller methods and these will now be evaluated correctly:
[Authorize(Roles = "Admin")]
[HttpGet("[action]/{id}")]
public User GetUser([FromRoute] int id)
{
UserLogic ul = new UserLogic();
return ul.GetUser(id);
}
这篇关于如何向 Windows 用户添加声明的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
