问题描述

Asp.net CORE 3.x:身份验证可以与Azure Active Directory正常运行.现在，我想为所有路由实施特定AD组的授权.如何执行此授权?逐步使用Asp.NET Core吗?

Asp.net CORE 3.x :The authentication is working fine with Azure Active Directory.Now, i would like to implement the authorization a specific AD Group for all routes.How to implement this authorization ? steps by steps with Asp.NET Core ?

   public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = AzureADDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = AzureADDefaults.AuthenticationScheme;
        }).AddAzureAD(options => Configuration.Bind("AzureAD", options));

        services.AddAuthorization(options =>
        {
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        });

        services.AddControllers();
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseRouting();
        app.UseHttpsRedirection();
        app.UseCookiePolicy();
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapDefaultControllerRoute().RequireAuthorization();
            //endpoints.MapControllers();
        });
    }
}

}

谢谢您的帮助！:)

推荐答案

您可以在Azure AD中使用 groups Claims ，在azure门户中配置应用程序以通过编辑清单来接收组声明:

You can use groups claims in Azure AD , config the your application in azure portal to receive group claims by editing the manifest :

{
  ...
  "errorUrl": null,
  "groupMembershipClaims": "SecurityGroup",
  ...
}

从Azure AD发出的

ID令牌将在 groups 声明中包括当前用户的组ID列表，然后在asp.net核心应用程序中，您可以通过以下方式限制访问:

ID token issued from Azure AD will include the current user's groups id list in groups claim , then in asp.net core application , you can restrict the access by :

services.AddControllersWithViews(options =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser().RequireClaim("groups", "YourGroupID")
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    });

注意:来自文档:

这篇关于在Asp.Net CORE 3.x中实现Active Directory组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！