So I followed these examples: Hosted Blazor WebAssembly with AAD B2C: here; Azure Active Directory groups and roles: here.
I first implemented the Hosted Blazor WebAssembly part, and it worked fine. When I went on to implement the "Groups and Roles" part, I started running into problems.
Everything is verbatim from the examples, but I'm not sure whether I merged or set up Program.cs in the client correctly. When I try to make the call, I get "Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2] Authorization failed."
Unfortunately none of my breakpoints work, so I thought I'd reach out and see if anyone has any suggestions. This was built from the Blazor scaffold. Here is the Program.cs from my client app setup.
// Named HttpClient for the hosted server API; the handler attaches the API access token.
builder.Services.AddHttpClient("<Server Project Name>", client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))
    .AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();

// Supply HttpClient instances that include access tokens when making requests to the server project.
// The name passed to CreateClient must match the name registered with AddHttpClient above.
builder.Services.AddScoped(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("KeeperLife.UI.ServerAPI"));

// MSAL registration for the B2C tenant (from the first example).
builder.Services.AddMsalAuthentication(options =>
{
    builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication);
    options.ProviderOptions.DefaultAccessTokenScopes.Add("https://<Full path to >/API.Access ");
});

// Named HttpClient for Microsoft Graph; the handler attaches a Graph access token.
builder.Services.AddScoped<GraphAPIAuthorizationMessageHandler>();
builder.Services.AddHttpClient("GraphAPI",
        client => client.BaseAddress = new Uri("https://graph.microsoft.com"))
    .AddHttpMessageHandler<GraphAPIAuthorizationMessageHandler>();

// Second MSAL registration with a custom account type and claims principal factory (from the groups-and-roles example).
builder.Services.AddMsalAuthentication<RemoteAuthenticationState,
    CustomUserAccount>(options =>
{
    builder.Configuration.Bind("AzureAd",
        options.ProviderOptions.Authentication);
    // Originally this was "..." but it seemed to break the base config, so I added the same as above and that worked;
    // I then tested with it commented out and it still worked, so I left it commented out.
    //options.ProviderOptions.DefaultAccessTokenScopes.Add("https://<Url to full API PAth>/API.Access");
    options.ProviderOptions.AdditionalScopesToConsent.Add(
        "https://graph.microsoft.com/Directory.Read.All");
})
    .AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, CustomUserAccount,
        CustomUserFactory>();

// Authorization policy that requires a "group" claim holding the group's object ID.
builder.Services.AddAuthorizationCore(options =>
{
    options.AddPolicy("SiteAdmin", policy =>
        policy.RequireClaim("group", "<The Object ID of the group>"));
});
Answer 0 (score: 1)
Not sure why the breakpoints don't work. But as far as I know, AAD B2C doesn't provide RBAC out of the box.
In Azure AD, we can implement it by modifying the "groupMembershipClaims" field in the application manifest ("groupMembershipClaims": "SecurityGroup"). But that isn't available in Azure AD B2C.
There is a workaround: add a new claim type "groups" to the custom policy, then call Microsoft Graph to get the user's groups. Here is an example for your reference.
Voting for this user voice post would be helpful.
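The Graph-lookup half of the answer's workaround, written out as an added example (this is not code from the question, the answer, or the linked sample): a CustomUserFactory that calls Microsoft Graph for the signed-in user's group memberships and adds each group's object ID as a "group" claim, which is the claim the question's "SiteAdmin" policy checks. It assumes the "GraphAPI" named HttpClient from the question's Program.cs, whose GraphAPIAuthorizationMessageHandler attaches a Graph access token with permission to read the user's memberships, and it assumes CustomUserAccount is a plain RemoteUserAccount subclass. The DirectoryObjectPage and DirectoryObject classes are hypothetical names introduced here to deserialize the Graph response.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Json;
using System.Security.Claims;
using System.Text.Json.Serialization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication.Internal;

// Assumed: the account type registered with AddMsalAuthentication in Program.cs.
// RemoteUserAccount already carries the ID token claims; nothing extra is needed here.
public class CustomUserAccount : RemoteUserAccount
{
}

// Hypothetical DTOs for the Graph /me/memberOf response, reduced to the fields used below.
public class DirectoryObjectPage
{
    [JsonPropertyName("value")]
    public DirectoryObject[] Value { get; set; } = Array.Empty<DirectoryObject>();

    // Present when the membership list spans more than one page.
    [JsonPropertyName("@odata.nextLink")]
    public string? NextLink { get; set; }
}

public class DirectoryObject
{
    // "#microsoft.graph.group" for groups; memberOf also returns directory roles.
    [JsonPropertyName("@odata.type")]
    public string? ODataType { get; set; }

    [JsonPropertyName("id")]
    public string? Id { get; set; }
}

public class CustomUserFactory : AccountClaimsPrincipalFactory<CustomUserAccount>
{
    private readonly IHttpClientFactory _clientFactory;

    public CustomUserFactory(IAccessTokenProviderAccessor accessor, IHttpClientFactory clientFactory)
        : base(accessor)
    {
        _clientFactory = clientFactory;
    }

    public override async ValueTask<ClaimsPrincipal> CreateUserAsync(
        CustomUserAccount account, RemoteAuthenticationUserOptions options)
    {
        // Build the principal from the ID token first, exactly as the base factory does.
        var user = await base.CreateUserAsync(account, options);
        if (user.Identity is not ClaimsIdentity identity || !identity.IsAuthenticated)
        {
            return user;
        }

        // Assumed: the "GraphAPI" client registered in Program.cs, with a Graph token attached by its handler.
        var graph = _clientFactory.CreateClient("GraphAPI");

        // Walk every page of /me/memberOf; only objects of type group become "group" claims.
        string? url = "v1.0/me/memberOf?$select=id";
        while (url is not null)
        {
            var page = await graph.GetFromJsonAsync<DirectoryObjectPage>(url);
            if (page is null)
            {
                break;
            }

            foreach (var obj in page.Value)
            {
                if (obj.ODataType == "#microsoft.graph.group"
                    && obj.Id is not null
                    && !identity.HasClaim("group", obj.Id))
                {
                    identity.AddClaim(new Claim("group", obj.Id));
                }
            }

            // nextLink is an absolute URL; HttpClient accepts it despite the configured BaseAddress.
            url = page.NextLink;
        }

        return user;
    }
}
```

Two points worth keeping in mind when using this. First, the claims added here exist only in the browser: they drive the client-side "SiteAdmin" policy (for example, AuthorizeView and route guards) but are never sent to the server API, whose own authorization sees only the claims in the access token it validates; a group requirement enforced on the server therefore needs the claim in the token (the custom-policy route the answer describes) or a server-side Graph lookup. Second, the memberOf filter on @odata.type matters because directory roles returned by the same call are not groups and should not satisfy a group-based policy.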