我如何在ASP.NET Core MVC Web应用程序内部将Authorize属性限制为仅某些用户 [英] How i can restrict the Authorize attribute to certain users only, inside my asp.net core mvc web application
问题描述
我创建了一个新的asp.net MVC核心Web应用程序,并将其设置为使用具有多个组织的工作或学校帐户,如下所示:
现在,如果我将[Authorize]属性添加到操作方法中,则将要求用户首先登录.但是我的问题是我如何只允许某些用户访问该操作方法?
第二个问题,除非用户不在预定义的列表中,我如何才能阻止用户登录到该应用程序?
要限制用户/组访问您的应用程序,您可以尝试以下解决方案:
使用Azure AD限制用户/组:
作为我的上一个答复,您始终可以在同意/在租户中注册应用程序后按客户ID查找服务原则..您可以使用 在左侧的导航菜单中,选择 确保将 然后只有分配的用户/组可以访问该应用程序.您可以通过Azure门户或Powershell将用户或组分配给应用程序. 限制应用程序内的用户/组: 方法1:对声明进行分组 您可以在Azure AD中使用 从Azure AD发出的 ID令牌将在 注意:来自文档: 如果用户属于超过超出限制的组的更多成员(SAML令牌为150,JWT令牌为200),则Microsoft身份平台不会在令牌中发出组声明.相反,它在令牌中包含超额声明,该声明指示应用程序查询Graph API以检索用户的组成员身份. 方法2:应用程序角色 您可以 解决方案 属性.需要用户分配?切换设置为是". groups Claims ,在天蓝色门户中配置您的应用程序以通过编辑清单来接收组声明:
{..."errorUrl":null,"groupMembershipClaims":"SecurityGroup",...} groups 声明中包括当前用户的组ID列表,然后在asp.net核心应用程序中,您可以通过以下方式限制访问:
services.AddControllersWithViews(options =>{var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().RequireClaim("groups","YourGroupID").建造();options.Filters.Add(new AuthorizeFilter(policy));});
To restrict users/groups to access your application , you can try below solutions :
Restrict users/groups using Azure AD :
As my previous reply , you can always find the service principle by client id after consent/register the application in tenant . You can use the users/groups assignment feature :
Sign in to the Azure portal with an administrator account or as an owner of the application.
Select
Azure Active Directory. In the left navigation menu, selectEnterprise applications.Select the application from the list. If you don't see the application, start typing its name in the search box. Or use the filter controls to select the application type, status, or visibility, and then select Apply.
In the left navigation menu, select
Properties.Make sure the
User assignment required?toggle is set to Yes.
Then only assigned users/groups could access the application . You can assign users or groups to an app via the Azure portal or Powershell.
Restrict users/groups within application :
Method 1 : Groups Claims
You can use groups claims in Azure AD , config the your application in azure portal to receive group claims by editing the manifest :
{
...
"errorUrl": null,
"groupMembershipClaims": "SecurityGroup",
...
}
ID token issued from Azure AD will include the current user's groups id list in groups claim , then in asp.net core application , you can restrict the access by :
services.AddControllersWithViews(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser().RequireClaim("groups", "YourGroupID")
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
Note : From document :
If a user is member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens), then the Microsoft Identity Platform does not emit the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the Graph API to retrieve the user’s group membership.
Method 2 : Application roles
You can add app roles in your application , assign roles to users/groups , so that roles will include in token after user login and consent , your application could use policy to restrict access based on roles claim .
这篇关于我如何在ASP.NET Core MVC Web应用程序内部将Authorize属性限制为仅某些用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
