身份授权属性使用Web API角色 [英] Identity Authorize Attribute Roles with Web API

问题描述

我有一个使用标识使用Owin承载令牌来管理用户一个小型的Web API应用程序。这个实施做工精细的基础知识：我可以将用户注册，登录标有用户和访问的Web API终点[授权]

I have a small Web API application that uses Identity to manage users using Owin Bearer Tokens. The basics of this implementation work fine: I can register a user, login a user and access Web API end points that are marked with [Authorize].

我的下一个步骤是限制使用角色的Web API端点。例如，控制器，只有在管理员角色的用户可以访问。我创建了如下管理员用户，我将它们添加到管理角色。然而，当我从更新现有的控制器[授权] 到 [授权（角色=管理员）] ，并尝试使用ADIM帐户来访问它，我得到一个 401未授权。

My next step is to limit Web API endpoints using roles. For example, a controller that only users in the Admin role can access. I've created the Admin user as below and I add them to the Admin role. However when I update my existing controllers from [Authorize] to [Authorize(Roles = "Admin")] and try to access it using the Adim account, I get a 401 Unauthorized.

    //Seed  on Startup
    public static void Seed()
    {
        var user = await userManager.FindAsync("Admin", "123456");
        if (user == null)
        {
            IdentityUser user = new IdentityUser { UserName = "Admin" };
            var createResult = await userManager.CreateAsync(user, "123456");

            if (!roleManager.RoleExists("Admin"))
                var createRoleResult = roleManager.Create(new IdentityRole("Admin"));

            user = await userManager.FindAsync("Admin", "123456");
            var addRoleResult = await userManager.AddToRoleAsync(user.Id, "Admin");
        }
    }


   //Works
   [Authorize]
    public class TestController : ApiController
    {
        // GET api/<controller>
        public bool Get()
        {
            return true;
        }
    }

   //Doesn't work
   [Authorize(Roles = "Admin")]
    public class TestController : ApiController
    {
        // GET api/<controller>
        public bool Get()
        {
            return true;
        }
    }

---

问：什么是设置和使用角色的正确方法

推荐答案

如何设置对用户的要求，当他们登录我相信你缺少的方法，这行code的 GrantResourceOwnerCredentials

How do you set the claims for the users when they login I believe you are missing this line of code in method GrantResourceOwnerCredentials

 var identity = new ClaimsIdentity(context.Options.AuthenticationType);
 identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
 identity.AddClaim(new Claim(ClaimTypes.Role, "Admin"));
 identity.AddClaim(new Claim(ClaimTypes.Role, "Supervisor"));

如果你想创建数据库的身份使用如下：

And if you want to create the identity from DB use the below:

 public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager, string authenticationType)
    {
        // Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
        var userIdentity = await manager.CreateIdentityAsync(this, authenticationType);
        // Add custom user claims here
        return userIdentity;
    }

然后在 GrantResourceOwnerCredentials 做如下：

ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager, OAuthDefaults.AuthenticationType);

这篇关于身份授权属性使用Web API角色的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！