Azure的AD应用程序角色 [英] Azure AD application roles
问题描述
我试图创建通过Azure的AD应用程序角色受保护的控制器。
I'm trying to create a protected controller via Azure AD application roles.
下面是Startup.Auth,它基本上是由Visual Studio模板提供豁免:
Here is an exempt from Startup.Auth, which is basically provided by Visual Studio template:
public void ConfigureAuth(IAppBuilder app)
{
ApplicationDbContext db = new ApplicationDbContext();
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = Authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications()
{
// If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
AuthorizationCodeReceived = (context) =>
{
var code = context.Code;
ClientCredential credential = new ClientCredential(clientId, appKey);
string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
AuthenticationContext authContext = new AuthenticationContext(Authority, new ADALTokenCache(signedInUserID));
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);
return Task.FromResult(0);
}
}
});
}
试过ApiController有属性,如:
Tried ApiController having attributes like:
[Authorize(Roles = "Administrators")]
// GET: api/Questions
[ResponseType(typeof(Question))]
public IHttpActionResult GetQuestions()
{
....
}
和一个MVC控制器:
[Authorize(Roles = "Administrators")]
public ActionResult Index()
{
....
}
在Azure应用程序清单中定义如下:
In Azure Application manifest defined the following:
"appRoles": [
{
"id": "B4531A9A-0DC8-4015-8CE5-CA1DA1D73754",
"allowedMemberTypes": ["User"],
"description": "Administrators",
"displayName": "Administrators",
"value": "Administrators",
"isEnabled": true,
"origin": "Application"
}
]
为/ API /问题
现在执行GET请求重定向到 https://login.microsoftonline.com 和用户验证似乎是成功的,旁边还有本地主机与微软之间的在线请求一个无限循环。见下图:
Now executing GET request for /api/Questions redirects to https://login.microsoftonline.com and user authentication seems to be successful, beside there is an infinite loop of requests between localhost and microsoft online. See below:
这是什么,我做错了什么?
What is it that I am doing wrong?
使用[授权]的作品就好。
Using [Authorize] works just fine.
推荐答案
原来应加入Startup.Auth以下内容:
It turns out the following should be added to Startup.Auth:
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
ValidateIssuer = true,
// map the claimsPrincipal's roles to the roles claim
RoleClaimType = "roles",
}
它实际上是为了与默认行为,它映射配置角色索赔类型。
优秀的解释,请访问:
<一href=\"https://samlman.word$p$pss.com/2015/03/09/using-roles-in-azure-applications/\">https://samlman.word$p$pss.com/2015/03/09/using-roles-in-azure-applications/
这篇关于Azure的AD应用程序角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!