尝试通过Azure AD B2C进行身份验证,并通过AAD中的组进行授权

时间:2020-08-14 14:30:12

标签: asp.net-core azure-active-directory blazor azure-ad-b2c azure-ad-graph-api

因此,我遵循以下示例: 托管的Blazor Web Assembly AAD B2C:here Azure Active Directory组和角色:here

我首先实现了Hosted Blazor Web程序集,并且运行良好。去实施“小组和角色”部分,开始遇到问题。

一切都是如示例中的逐字逐句,但不确定我是否在客户端中合并或设置了Program.cs。尝试呼叫时,我收到“ Microsoft.AspNetCore.Authorization.DefaultAuthorizationService [2] 授权失败。”

不幸的是,我的断点都不起作用,所以我认为我会伸出援手,看看是否有人提出任何建议。 这是从Blazor的脚手架构建的。 这是我的客户端应用设置中的program.cs。

builder.Services.AddHttpClient("<Server Project Name>", client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))
                .AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();

            // Supply HttpClient instances that include access tokens when making requests to the server project
            builder.Services.AddScoped(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("KeeperLife.UI.ServerAPI"));

            builder.Services.AddMsalAuthentication(options =>
            {

                builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication);
                options.ProviderOptions.DefaultAccessTokenScopes.Add("https://<Full path to >/API.Access ");
            });
            builder.Services.AddScoped<GraphAPIAuthorizationMessageHandler>();

            builder.Services.AddHttpClient("GraphAPI",
                client => client.BaseAddress = new Uri("https://graph.microsoft.com"))
                .AddHttpMessageHandler<GraphAPIAuthorizationMessageHandler>();

            builder.Services.AddMsalAuthentication<RemoteAuthenticationState,
                CustomUserAccount>(options =>
                    {
                        builder.Configuration.Bind("AzureAd",
                            options.ProviderOptions.Authentication);
                        //Originally this was "..." but it seemed to break base config so i added the same as above and that worked but then tested with it commented out and it still worked so left it commented out.
                        //options.ProviderOptions.DefaultAccessTokenScopes.Add("https://<Url to full API PAth>/API.Access");

                        options.ProviderOptions.AdditionalScopesToConsent.Add(
                            "https://graph.microsoft.com/Directory.Read.All");
                    })
                    .AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, CustomUserAccount,
                        CustomUserFactory>();
            builder.Services.AddAuthorizationCore(options =>
            {
                options.AddPolicy("SiteAdmin", policy =>
                    policy.RequireClaim("group", "<The Object ID of the group>"));
            });

1 个答案:

答案 0 :(得分:1)

不确定断点为何不起作用。但是据我所知,AAD B2C并未提供现成的RBAC功能。

在Azure AD中,我们可以通过修改应用程序清单"groupMembershipClaims": "SecurityGroup"中的“ groupMembershipClaims”字段来实现它。但是它在Azure AD B2C中不可用。

有一种解决方法。将新的声明类型“组”添加到自定义策略中,然后调用Microsoft Graph以获取用户的组。这是example供您参考。

对此user voice post进行投票会很有帮助。

相关问题
最新问题