带有自定义角色声明的Azure移动应用程序身份验证-声明消失

本文关键字:声明 应用程序 身份验证 消失 移动 自定义 角色 Azure | 更新日期: 2023-09-27 18:14:19

我们有一个使用社交网络认证的Azure移动应用程序。尝试使用自定义令牌处理程序将用户角色添加为声明。

这在本地主机上运行时都有效——令牌添加到令牌处理程序中,并且在调用AuthorizationAttribute OnAuthorization方法时可用。带有指定角色的Authorize属性按预期工作。

但是当运行Azure时,声明被添加,但是当调用OnAuthorization方法时,自定义角色声明就消失了。

代码如下:

启动/Config类 

public class OwinStartup
{
    public void Configuration(IAppBuilder app)
    {
        var config = GlobalConfiguration.Configuration;
        new MobileAppConfiguration()
        .AddPushNotifications()
        .ApplyTo(config);
        MobileAppSettingsDictionary settings = config.GetMobileAppSettingsProvider().
GetMobileAppSettings();
        app.UseAppServiceAuthentication(new AppServiceAuthenticationOptions()
        {
            SigningKey = ConfigurationManager.AppSettings["authSigningKey"],
            ValidAudiences = new[] { ConfigurationManager.AppSettings["authAudience"] },
            ValidIssuers = new[] { ConfigurationManager.AppSettings["authIssuer"] },
            TokenHandler = new AppServiceTokenHandlerWithCustomClaims(config)
        });
        //Authenticate stage handler in OWIN Pipeline
        app.Use((context, next) =>
        {
            return next.Invoke();
        });
        app.UseStageMarker(PipelineStage.Authenticate);
    }

添加角色声明的令牌处理器

public class AppServiceTokenHandlerWithCustomClaims : AppServiceTokenHandler
{
    public AppServiceTokenHandlerWithCustomClaims(HttpConfiguration config)
        : base(config)
    {
    }
    public override bool TryValidateLoginToken(
        string token,
        string signingKey,
        IEnumerable<string> validAudiences,
        IEnumerable<string> validIssuers,
        out ClaimsPrincipal claimsPrincipal)
    {
        var validated = base.TryValidateLoginToken(token, signingKey, validAudiences, validIssuers, out claimsPrincipal);
        if (validated)
        {
            string sid = claimsPrincipal.FindFirst(ClaimTypes.NameIdentifier).Value;
            var roleProvider = UnityConfig.Container.Resolve<IRoleProvider>("RoleProvider");
            var roles = roleProvider.GetUserRolesBySid(sid);
            foreach (var role in roles)
            {
                ((ClaimsIdentity)claimsPrincipal.Identity).AddClaim(new Claim(ClaimTypes.Role, role));
            }
        }
        return validated;
    }
}

角色声明来自身份声明集合

的角色声明示例
{http://schemas.microsoft.com/ws/2008/06/identity/claims/role: admin}

授权Web Api控制器的属性

[Authorize(Roles = "admin")]

对具有指定一个或多个角色的授权属性的端点的每个调用都失败(401)

不确定在Azure中运行时,声明是否被剥离或未在Identity中持久化是怎么回事。

谢谢迈克尔。

带有自定义角色声明的Azure移动应用程序身份验证-声明消失

我在书中有一章是关于这个的- https://adrianhall.github.io/develop-mobile-apps-with-csharp-and-azure/chapter2/custom/#using-third-party-tokens

注意带有附加声明的自定义身份验证。您需要使用原始令牌调用自定义API,检查令牌的有效性,然后生成具有所需声明的新令牌(zumo令牌)。然后,您可以将这些声明用于所需的任何内容。

根据这篇博文,你的一些选择可能是错误的。AppSettings仅用于本地调试,在Azure中不起作用。

试试这个:

public void Configuration(IAppBuilder app)
{
    var config = GlobalConfiguration.Configuration;
    new MobileAppConfiguration()
        .AddPushNotifications()
        .ApplyTo(config);
    MobileAppSettingsDictionary settings = config
        .GetMobileAppSettingsProvider()
        .GetMobileAppSettings();
    // Local Debugging
    if (string.IsNullOrEmpty(settings.HostName))
    {
        app.UseAppServiceAuthentication(new AppServiceAuthenticationOptions()
        {
            SigningKey = ConfigurationManager.AppSettings["authSigningKey"],
            ValidAudiences = new[] { ConfigurationManager.AppSettings["authAudience"] },
            ValidIssuers = new[] { ConfigurationManager.AppSettings["authIssuer"] },
            TokenHandler = new AppServiceTokenHandlerWithCustomClaims(config)
        });
    }
    // Azure
    else
    {
        var signingKey = GetSigningKey();
        string hostName = GetHostName(settings);
        app.UseAppServiceAuthentication(new AppServiceAuthenticationOptions
        {
            SigningKey = signingKey,
            ValidAudiences = new[] { hostName },
            ValidIssuers = new[] { hostName },
            TokenHandler = new AppServiceTokenHandlerWithCustomClaims(config)
        });
    }

    //Authenticate stage handler in OWIN Pipeline
    app.Use((context, next) =>
    {
        return next.Invoke();
    });
    app.UseStageMarker(PipelineStage.Authenticate);
}
private static string GetSigningKey()
{
    // Check for the App Service Auth environment variable WEBSITE_AUTH_SIGNING_KEY,
    // which holds the signing key on the server. If it's not there, check for a SigningKey
    // app setting, which can be used for local debugging.
    string key = Environment.GetEnvironmentVariable("WEBSITE_AUTH_SIGNING_KEY");
    if (string.IsNullOrWhiteSpace(key))
    {
        key = ConfigurationManager.AppSettings["SigningKey"];
    }
    return key;
}
private static string GetHostName(MobileAppSettingsDictionary settings)
{
    return string.Format("https://{0}/", settings.HostName);
}

相关文章: