使用OKTA OpenIdConnect进行基于策略的身份验证

时间:2020-03-10 20:10:09

标签: asp.net-core openid-connect okta group-policy

我有一个.net核心应用,该应用使用OpenIdConnect作为自定义授权服务器的默认身份验证方案

services.AddAuthentication(authenticationOptions =>
        {
            authenticationOptions.DefaultAuthenticateScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(openIdOptions =>
        {
            openIdOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            openIdOptions.Authority = issuer;
            openIdOptions.RequireHttpsMetadata = true;
            openIdOptions.ClientId = Configuration["Okta:ClientId"];
            openIdOptions.CallbackPath = OktaDefaults.CallbackPath;
            openIdOptions.ClientSecret = Configuration["Okta:ClientSecret"];
            openIdOptions.ResponseType = OpenIdConnectResponseType.Token;
            openIdOptions.GetClaimsFromUserInfoEndpoint = true;
            openIdOptions.Scope.Add("openid");
            openIdOptions.Scope.Add("profile");
            openIdOptions.Scope.Add("groups");
            openIdOptions.SaveTokens = true;
        });

我也在使用基于策略的身份验证

services.AddAuthorization(authOptions =>{authOptions.AddPolicy(“QSGAdminPolicy”,policy => policy.RequireRole(Configuration.GetValue(“SecurityRoles:QSGAdminRole”)));
        authOptions.AddPolicy("QSGReadOnlyPolicy",
            policy => policy.RequireRole(Configuration.GetValue<string>("SecurityRoles:QSGReadOnlyRole")));

        authOptions.AddPolicy("QSGReviewerPolicy",
            policy => policy.RequireRole(Configuration.GetValue<string>("SecurityRoles:QSGReviewerRole"), Configuration.GetValue<string>("SecurityRoles:QSGTraderRole"), Configuration.GetValue<string>("SecurityRoles:.QSGAdminRole")));

        authOptions.AddPolicy("QSGTraderPolicy",
           policy => policy.RequireRole(Configuration.GetValue<string>("SecurityRoles:QSGTraderRole"), Configuration.GetValue<string>("SecurityRoles:QSGAdminRole")));
    });

在我的控制器中,我用授权标签和策略标记API 

[Route(“test/authentication”)]
[HttpGet]
[Authorize(Policy = “QSGReviewerPolicy”)]
public ActionResult GetTestAuth()
{
  var claims = HttpContext.User.Claims;
  return “user allowed”;
}

但我遇到错误:

fail: Microsoft.AspNetCore.Server.Kestrel[13]
Connection id "0HLU51T84D7HA", Request id "0HLU51T84D7HA:00000001": An unhandled exception was 
thrown by the application.
System.ArgumentNullException: Value cannot be null.
Parameter name: value
at System.Security.Claims.ClaimsIdentity.HasClaim(String type, String value)
at System.Security.Claims.ClaimsPrincipal.IsInRole(String role)
at Microsoft.AspNetCore.Authorization.Infrastructure.RolesAuthorizationRequirement. 
<>c__DisplayClass4_0.<HandleRequirementAsync>b__0(String r)
at System.Linq.Enumerable.Any[TSource](IEnumerable`1 source, Func`2 predicate) 
Microsoft.AspNetCore.Authorization.Infrastructure.RolesAuthorizationRequirement.
HandleRequirementAsync(Au  
thorizationHandlerContext context, RolesAuthorizationRequirement requirement)
at Microsoft.AspNetCore.Authorization.AuthorizationHandler`1.HandleAsync(AuthorizationHandlerContext 
context)
at 
Microsoft.AspNetCore.Authorization.Infrastructure.PassThroughAuthorizationHandler.
HandleAsync(AuthorizationHandlerContext context)
at Microsoft.AspNetCore.Authorization.DefaultAuthorizationService.AuthorizeAsync(ClaimsPrincipal 
user, Object resource, IEnumerable`1 requirements)
 at Microsoft.AspNetCore.Authorization.Policy.PolicyEvaluator.AuthorizeAsync(AuthorizationPolicy 
  policy, AuthenticateResult authenticationResult, HttpContext context, Object resource)
   at 
   Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter.
OnAuthorizationAsync(AuthorizationFilterContext 
 context)
 at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()
at Microsoft.AspNetCore.Routing.EndpointMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext] 
(IHttpApplication`1 application)

似乎没有在团体索赔中找到价值。如果我从控制器中删除该策略并仅使用[Authorize],那么它会起作用,并且我会收到带有组声明的令牌 如何在身份验证时通过策略保护我的API?

1 个答案:

答案 0 :(得分:0)

请确保您已正确设置appsettings.json中的角色:

"SecurityRoles": {
    "QSGReviewerRole": "QSGReviewerRole",
    "QSGTraderRole": "QSGTraderRole",
    "QSGAdminRole": "QSGAdminRole"
}

否则将发生错误,因为应用程序无法从config读取值。查看您的代码:

authOptions.AddPolicy("QSGReviewerPolicy",
        policy => policy.RequireRole(Configuration.GetValue<string>("SecurityRoles:QSGReviewerRole"), Configuration.GetValue<string>("SecurityRoles:QSGTraderRole"), Configuration.GetValue<string>("SecurityRoles:.QSGAdminRole")));

注意,您正在使用SecurityRoles:.QSGAdminRole。我认为应该是SecurityRoles:QSGAdminRole

相关问题
最新问题