我在 .NET Core 3.0 API 中添加了一个自定义授权策略（Policy）之后，默认的 B2C 身份验证方案就失效了，我不知道原因。
我参照的是 Microsoft 官方文档 -> https://docs.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-3.0
身份验证方案（AuthenticationScheme）的注册代码如下：
// Register the Azure AD B2C bearer-token scheme and make it the default authentication
// scheme, so endpoints that do not name a scheme explicitly are authenticated by it.
// The scheme's options are bound from the "AzureAdB2C" configuration section.
services
    .AddAuthentication(AzureADB2CDefaults.BearerAuthenticationScheme)
    .AddAzureADB2CBearer(bearerOptions => Configuration.Bind("AzureAdB2C", bearerOptions));
创建策略的代码如下：
// One named authorization policy per entry in the "Groups" configuration section.
// The policy name is the entry's GroupName; satisfying it requires a user authenticated
// by the B2C bearer scheme who is a member of the group with the entry's GroupId
// (membership is decided by IsMemberOfGroupHandler).
var groupOptions = new List<GroupOptions>();
configuration.Bind("Groups", groupOptions);

services.AddAuthorization(options =>
{
    foreach (var group in groupOptions)
    {
        options.AddPolicy(group.GroupName, policy =>
        {
            policy.AddAuthenticationSchemes(AzureADB2CDefaults.BearerAuthenticationScheme);
            policy.RequireAuthenticatedUser();
            policy.AddRequirements(new IsMemberOfGroupRequirement(group.GroupName, group.GroupId));
        });
    }
});

// NOTE(review): the handler is a singleton, so IMicrosoftGraphConnector and IMapper must not be
// scoped services (captive dependency) — confirm their registrations.
services.AddSingleton<IAuthorizationHandler, IsMemberOfGroupHandler>();
策略本身（Requirement 与 Handler）：
/// <summary>
/// Authorization requirement "the current user is a member of a specific directory group".
/// Carries the group's name (also used as the policy name when registered) and the directory
/// id that <see cref="IsMemberOfGroupHandler"/> compares against Microsoft Graph results.
/// </summary>
public class IsMemberOfGroupRequirement : IAuthorizationRequirement
{
    /// <summary>Directory object id of the group that satisfies this requirement.</summary>
    public readonly string GroupId;

    /// <summary>Human-readable group name; the policy built from this requirement uses it as its name.</summary>
    public readonly string GroupName;

    /// <summary>
    /// Creates a requirement for the given group. Values are stored exactly as given; no validation.
    /// </summary>
    /// <param name="groupName">Group name / policy name.</param>
    /// <param name="groupId">Directory object id of the group.</param>
    public IsMemberOfGroupRequirement(string groupName, string groupId)
    {
        GroupId = groupId;
        GroupName = groupName;
    }
}
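/// <summary>
/// Authorization handler for <see cref="IsMemberOfGroupRequirement"/>: looks up the current user's
/// directory memberships in Microsoft Graph and succeeds the requirement when one of them has the
/// required group id. It never calls <c>context.Fail()</c>, so another handler for the same requirement
/// may still succeed; if no handler succeeds, authorization is denied.
/// </summary>
public class IsMemberOfGroupHandler : AuthorizationHandler<IsMemberOfGroupRequirement>
{
    private readonly IMicrosoftGraphConnector _microsoftGraphConnector;
    private readonly IMapper _mapper;

    public IsMemberOfGroupHandler(IMicrosoftGraphConnector microsoftGraphConnector, IMapper mapper)
    {
        _microsoftGraphConnector = microsoftGraphConnector;
        _mapper = mapper;
    }

    /// <summary>
    /// Reads the user id claim (<c>Constants.Claims.Id</c>) from the principal and succeeds
    /// <paramref name="requirement"/> only when <see cref="CheckGroup"/> confirms membership.
    /// A principal without that claim (unauthenticated request, or a token that carries the id under a
    /// different claim type) is treated as "not a member": the handler returns without succeeding
    /// instead of dereferencing a null claim and throwing a NullReferenceException.
    /// </summary>
    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, IsMemberOfGroupRequirement requirement)
    {
        // NOTE(review): confirm Constants.Claims.Id is the claim type the B2C token actually carries
        // for the user's object id — a mismatch makes every group policy deny.
        var id = context.User?.Claims.FirstOrDefault(claim => claim.Type == Constants.Claims.Id);
        if (id is null || string.IsNullOrWhiteSpace(id.Value))
        {
            // Fail closed: without a usable id no membership can be proven.
            return;
        }

        if (await CheckGroup(id, requirement))
        {
            context.Succeed(requirement);
        }
    }

    /// <summary>
    /// Queries Microsoft Graph for the directory objects the user identified by <paramref name="id"/>
    /// is a member of and returns true if any of them has the id required by <paramref name="requirement"/>.
    /// </summary>
    /// <param name="id">Claim whose value is the user's directory object id; null or blank yields false.</param>
    /// <param name="requirement">Requirement carrying the group id to look for; a null or blank group id yields false.</param>
    /// <returns>True when a group with the required id is found, false otherwise.</returns>
    /// <remarks>
    /// The claim value becomes part of the Graph request path (<c>/users/{id}/memberOf</c>). It is trusted
    /// here only because it was taken from a token already validated by the bearer scheme.
    /// Exceptions from the Graph call are not caught and propagate to the authorization middleware.
    /// NOTE(review): only the page returned by the single GetAsync() call is inspected — confirm whether the
    /// connector/mapper already follow the next-page link, otherwise users in many groups may be denied.
    /// </remarks>
    protected async Task<bool> CheckGroup(System.Security.Claims.Claim id, IsMemberOfGroupRequirement requirement)
    {
        if (id is null || string.IsNullOrWhiteSpace(id.Value))
        {
            return false;
        }

        // Guard before comparing: string.Equals(null, null) is true, so an unconfigured GroupId must
        // never be allowed to match a directory object that happens to have no id.
        if (requirement is null || string.IsNullOrWhiteSpace(requirement.GroupId))
        {
            return false;
        }

        var memberOf = await _microsoftGraphConnector.GetMicrosoftGraphServiceClient()
            .Users[id.Value].MemberOf
            .Request()
            .GetAsync();
        var groups = _mapper.Map<ICollection<GroupDTO>>(memberOf);
        if (groups is null)
        {
            return false;
        }

        // Ordinal, null-safe comparison: directory ids are opaque identifiers, not culture-sensitive
        // text, and a group with no id cannot satisfy the requirement.
        return groups.Any(group => group != null
            && string.Equals(group.Id, requirement.GroupId, StringComparison.Ordinal));
    }
}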