情况
我想为我的 Web 应用程序使用 Azure B2C 身份验证服务。但是,我希望应用程序的管理员限制对某些电子邮件或域的访问,例如白名单,如下所示:
- tom1@abc.com
- tom2@def.com
- *@alphabet.com
因此,只有前两封电子邮件以及电子邮件以“alphabet.com”结尾的任何其他人都可以访问该网站。
问题
我已经实现了一切并且它工作正常,但是我正在努力让经过身份验证的用户的电子邮件地址在登录/登录过程中进行白名单检查。AuthenticationTicket 包含所有请求的声明(名字、姓氏、名称、对象标识符等),但电子邮件不存在(已在 Azure B2C 中设置为声明)。
我如何访问电子邮件,这是检查的正确位置吗?
代码在Startup.App.cs
private OpenIdConnectAuthenticationOptions CreateOptionsFromPolicy(string policy)
{
return new OpenIdConnectAuthenticationOptions
{
// For each policy, give OWIN the policy-specific metadata address, and
// set the authentication type to the id of the policy
MetadataAddress = String.Format(aadInstance, tenant, policy),
AuthenticationType = policy,
// These are standard OpenID Connect parameters, with values pulled from web.config
ClientId = clientId,
RedirectUri = redirectUri,
PostLogoutRedirectUri = redirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = AuthenticationFailed,
AuthorizationCodeReceived = (context) =>
{
// no claims present here
return Task.FromResult(0);
},
SecurityTokenReceived = (context) =>
{
// no claims present here
return Task.FromResult(0);
},
SecurityTokenValidated = (context) =>
{
// print all claims - quite a few except email :( Is this where this check should be done?
foreach (var claim in context.AuthenticationTicket.Identity.Claims)
{
Console.WriteLine(claim.Value);
}
return Task.FromResult(0);
},
},
Scope = "openid",
ResponseType = "id_token",
// This piece is optional - it is used for displaying the user's name in the navigation bar.
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name"
},
};
}
非常感谢任何帮助。