asp net core 2和Azure AD B2C,添加基于组的授权

时间:2017-12-04 20:41:24

标签: asp.net-core-2.0 asp.net-core-webapi azure-ad-b2c azure-ad-graph-api

我使用azure AD B2C创建一个asp net core 2 web api进行身份验证。 我想使用AD B2C组来限制某些控制器对管理员的使用。

我已经明白,目前实现这一目标的唯一方法是访问图表API并向用户的声明添加一些角色声明。

但是我在启动时查询图api时遇到了麻烦。

我的ConfigureService方法如下所示:

services.AddAuthentication(sharedOptions =>
        {
            sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
       .AddAzureAdB2C(options => Configuration.Bind("AzureAdB2C", options))
            .AddJwtBearer(options => {
                options.Authority = string.Format("https://login.microsoftonline.com/tfp/{0}/{1}/v2.0/", "b2ctenant.onmicrosoft.com", "B2C_1_DefaultSignUpIn");
                options.Audience = "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx";
                options.Events = new JwtBearerEvents
                {
                    OnTokenValidated = OnAuthorizationCodeReceived,
                };
            })
       .AddCookie(options =>
       {
           options.LoginPath = "/Account/SignIn";
           options.LogoutPath = "/Account/SignOut";
           options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
           options.Events = new CookieAuthenticationEvents
           {
               OnRedirectToLogin = OnRedirectToLogin
           };
       });

并且OnAuthorizationCodeReceived看起来像这样:

private async Task OnAuthorizationCodeReceived(Microsoft.AspNetCore.Authentication.JwtBearer.TokenValidatedContext ctx)
{
    await Task.Run(async () =>
    {
        var oidClaim = ctx.Principal.Claims.FirstOrDefault(c => c.Type == "http://schemas.microsoft.com/identity/claims/objectidentifier");
        if (!string.IsNullOrWhiteSpace(oidClaim?.Value))
        {
            var users = aadClient.Users;
            var pagedCollection = await this.aadClient.Users.GetByObjectId(oidClaim.Value).MemberOf.ExecuteAsync();

            do
            {
                var directoryObjects = pagedCollection.CurrentPage.ToList();
                foreach (var directoryObject in directoryObjects)
                {
                    var group = directoryObject as Microsoft.Azure.ActiveDirectory.GraphClient.Group;
                    if (group != null)
                    {
                        ((ClaimsIdentity)ctx.Principal.Identity).AddClaim(new Claim(ClaimTypes.Role, group.DisplayName, ClaimValueTypes.String));
                    }
                }
                pagedCollection = pagedCollection.MorePagesAvailable ? await pagedCollection.GetNextPageAsync() : null;
            }
            while (pagedCollection != null);
        }
    });

}

我在下一行失败了:

var pagedCollection = await 
 this.aadClient.Users.GetByObjectId(oidClaim.Value).MemberOf.ExecuteAsync();

例外是System.PlatformNotSupportedException: Secure binary serialization is not supported on this platform.

我猜这是对asp net core的限制,但我无法想出如何为此设置解决方法。

感谢您的帮助!

0 个答案:

没有答案
相关问题
最新问题