我正在考虑从IdentityServer3升级到IdentityServer4,特别是因为我们正在将现有项目从.NET 4.5升级到.NET Core 3.1。
我现在看到的最大问题是,我们使用ResourceAuthorize属性来检查用户是否具有对资源的权限
[ResourceAuthorize("Read","urn://someresource")]
但是,仔细阅读ID4文档和代码库,看起来好像不存在ResourceAuthorize。该文档的确显示了使用Authorize的示例,但是我没有看到任何可以检查资源许可的内容。
范式是否已更改,或者还有另一种方法可以对ID4进行此类检查?
答案 0 :(得分:1)
您可以添加策略:
Startup.cs
services.AddAuthorization(authorizationOptions =>
{
authorizationOptions.AddPolicy(
"SomePolicy",
policyBuilder =>
{
policyBuilder.RequireAuthenticatedUser();
policyBuilder.AddRequirements(
new SomePolicyRequirement());
});
});
SomePolicyRequirement.cs
public class SomePolicyRequirement : IAuthorizationRequirement
{
public SomePolicyRequirement()
{
}
}
SomePolicyHandler.cs
public class SomePolicyHandler : AuthorizationHandler<SomePolicyRequirement>
{
public SomePolicyHandler()
{
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, SomePolicyRequirement requirement)
{
var endpoint = context.Resource as Endpoint;
if (endpoint == null)
{
context.Fail();
return Task.CompletedTask;
}
/*
//RouteData can be controller, action or id
var imageId = filterContext.RouteData.Values["id"].ToString();
if (!Guid.TryParse(imageId, out Guid imageIdAsGuid))
{
context.Fail();
return Task.CompletedTask;
}*/
/*
//Repository check can go here
var ownerId = context.User.Claims.FirstOrDefault(c => c.Type == "sub").Value;
if (!_someRepository.IsImageOwner(imageIdAsGuid, ownerId))
{
context.Fail();
return Task.CompletedTask;
}*/
// all checks out
context.Succeed(requirement);
return Task.CompletedTask;
}
}
答案 1 :(得分:0)
Dotnet核心添加了一些很棒的授权功能。基于策略的授权可以非常轻松地实现基于资源的授权。