【发布时间】:2020-06-22 19:08:38
【问题描述】:
我有一个 .net 核心应用程序,它使用 OpenIdConnect 作为默认身份验证方案,使用自定义授权服务器
services.AddAuthentication(authenticationOptions =>
{
authenticationOptions.DefaultAuthenticateScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(openIdOptions =>
{
openIdOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
openIdOptions.Authority = issuer;
openIdOptions.RequireHttpsMetadata = true;
openIdOptions.ClientId = Configuration["Okta:ClientId"];
openIdOptions.CallbackPath = OktaDefaults.CallbackPath;
openIdOptions.ClientSecret = Configuration["Okta:ClientSecret"];
openIdOptions.ResponseType = OpenIdConnectResponseType.Token;
openIdOptions.GetClaimsFromUserInfoEndpoint = true;
openIdOptions.Scope.Add("openid");
openIdOptions.Scope.Add("profile");
openIdOptions.Scope.Add("groups");
openIdOptions.SaveTokens = true;
});
我也在使用基于策略的身份验证
services.AddAuthorization(authOptions =>{authOptions.AddPolicy(“QSGAdminPolicy”,policy => policy.RequireRole(Configuration.GetValue(“SecurityRoles:QSGAdminRole”)));
authOptions.AddPolicy("QSGReadOnlyPolicy",
policy => policy.RequireRole(Configuration.GetValue<string>("SecurityRoles:QSGReadOnlyRole")));
authOptions.AddPolicy("QSGReviewerPolicy",
policy => policy.RequireRole(Configuration.GetValue<string>("SecurityRoles:QSGReviewerRole"), Configuration.GetValue<string>("SecurityRoles:QSGTraderRole"), Configuration.GetValue<string>("SecurityRoles:.QSGAdminRole")));
authOptions.AddPolicy("QSGTraderPolicy",
policy => policy.RequireRole(Configuration.GetValue<string>("SecurityRoles:QSGTraderRole"), Configuration.GetValue<string>("SecurityRoles:QSGAdminRole")));
});
在我的控制器中,我用授权标签和策略标记 API
[Route(“test/authentication”)]
[HttpGet]
[Authorize(Policy = “QSGReviewerPolicy”)]
public ActionResult GetTestAuth()
{
var claims = HttpContext.User.Claims;
return “user allowed”;
}
但我收到错误:
fail: Microsoft.AspNetCore.Server.Kestrel[13]
Connection id "0HLU51T84D7HA", Request id "0HLU51T84D7HA:00000001": An unhandled exception was
thrown by the application.
System.ArgumentNullException: Value cannot be null.
Parameter name: value
at System.Security.Claims.ClaimsIdentity.HasClaim(String type, String value)
at System.Security.Claims.ClaimsPrincipal.IsInRole(String role)
at Microsoft.AspNetCore.Authorization.Infrastructure.RolesAuthorizationRequirement.
<>c__DisplayClass4_0.<HandleRequirementAsync>b__0(String r)
at System.Linq.Enumerable.Any[TSource](IEnumerable`1 source, Func`2 predicate)
Microsoft.AspNetCore.Authorization.Infrastructure.RolesAuthorizationRequirement.
HandleRequirementAsync(Au
thorizationHandlerContext context, RolesAuthorizationRequirement requirement)
at Microsoft.AspNetCore.Authorization.AuthorizationHandler`1.HandleAsync(AuthorizationHandlerContext
context)
at
Microsoft.AspNetCore.Authorization.Infrastructure.PassThroughAuthorizationHandler.
HandleAsync(AuthorizationHandlerContext context)
at Microsoft.AspNetCore.Authorization.DefaultAuthorizationService.AuthorizeAsync(ClaimsPrincipal
user, Object resource, IEnumerable`1 requirements)
at Microsoft.AspNetCore.Authorization.Policy.PolicyEvaluator.AuthorizeAsync(AuthorizationPolicy
policy, AuthenticateResult authenticationResult, HttpContext context, Object resource)
at
Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter.
OnAuthorizationAsync(AuthorizationFilterContext
context)
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()
at Microsoft.AspNetCore.Routing.EndpointMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext]
(IHttpApplication`1 application)
似乎没有找到组声明中的值。如果我从控制器中删除策略并仅使用 [Authorize] 它可以工作,并且我会收到带有组声明的令牌 如何使用身份验证策略保护我的 API?
【问题讨论】:
标签: asp.net-core openid-connect okta group-policy