Azure的AD应用程序角色 [英] Azure AD application roles

问题描述

我试图创建通过Azure的AD应用程序角色受保护的控制器。

I'm trying to create a protected controller via Azure AD application roles.

下面是Startup.Auth，它基本上是由Visual Studio模板提供豁免：

Here is an exempt from Startup.Auth, which is basically provided by Visual Studio template:

public void ConfigureAuth(IAppBuilder app)
        {
            ApplicationDbContext db = new ApplicationDbContext();

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = Authority,
                    PostLogoutRedirectUri = postLogoutRedirectUri,

                    Notifications = new OpenIdConnectAuthenticationNotifications()
                    {
                        // If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
                       AuthorizationCodeReceived = (context) => 
                       {
                           var code = context.Code;
                           ClientCredential credential = new ClientCredential(clientId, appKey);
                           string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
                           AuthenticationContext authContext = new AuthenticationContext(Authority, new ADALTokenCache(signedInUserID));
                           AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
                           code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);

                           return Task.FromResult(0);
                       }
                    }
                });
        }

试过ApiController有属性，如：

Tried ApiController having attributes like:

[Authorize(Roles = "Administrators")]
// GET: api/Questions
[ResponseType(typeof(Question))]
public IHttpActionResult GetQuestions()
{
    ....
}

和一个MVC控制器：

  [Authorize(Roles = "Administrators")]
    public ActionResult Index()
    {
     ....    
    }

在Azure应用程序清单中定义如下：

In Azure Application manifest defined the following:

  "appRoles": [
      { 
        "id": "B4531A9A-0DC8-4015-8CE5-CA1DA1D73754",
        "allowedMemberTypes": ["User"], 
        "description": "Administrators",
        "displayName": "Administrators",
        "value": "Administrators",
        "isEnabled": true,
        "origin": "Application"
      }
  ]

为/ API /问题

现在执行GET请求重定向到 https://login.microsoftonline.com 和用户验证似乎是成功的，旁边还有本地主机与微软之间的在线请求一个无限循环。见下图：

Now executing GET request for /api/Questions redirects to https://login.microsoftonline.com and user authentication seems to be successful, beside there is an infinite loop of requests between localhost and microsoft online. See below:

这是什么，我做错了什么？

What is it that I am doing wrong?

使用[授权]的作品就好。

Using [Authorize] works just fine.

推荐答案

原来应加入Startup.Auth以下内容：

It turns out the following should be added to Startup.Auth:

TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
    {
        ValidateIssuer = true,
        // map the claimsPrincipal's roles to the roles claim
        RoleClaimType = "roles",
    }

它实际上是为了与默认行为，它映射配置角色索赔类型。
优秀的解释，请访问：
<一href=\"https://samlman.word$p$pss.com/2015/03/09/using-roles-in-azure-applications/\">https://samlman.word$p$pss.com/2015/03/09/using-roles-in-azure-applications/

这篇关于Azure的AD应用程序角色的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！