8

在使用AspNetAuthorization教程测试IdentityServer4时,我添加了一个简单的,从那时起我得到了这个错误:[Authorize(Roles = "Administrator")]

AuthenticationScheme:承载被禁止。

我的用户有这个要求: new Claim(ClaimTypes.Role, "Administrator", ClaimValueTypes.String)

ConfigureServices方法:

 services.AddAuthorization(options =>
        {
            options.AddPolicy("AdministratorOnly", policy => policy.RequireRole("Administrator"));
        });

        services.AddMvc(config =>
        {
            var policy = new AuthorizationPolicyBuilder()
                        .RequireAuthenticatedUser()
                        .Build();

            config.Filters.Add(new AuthorizeFilter(policy));
        });

并在Configure方法中:

   app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions()
        {
            Authority = "http://localhost:5000",
            ScopeName = "openid",
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            RequireHttpsMetadata = false,
        });

调试输出:

Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Debug: Executing action LearningEntityServer4.OAuth.ValuesController.Get (LearningEntityServer4.OAuth)
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization was successful for user: myuser.
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed for user: myuser.
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Warning: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
Microsoft.AspNetCore.Mvc.ChallengeResult: Information: Executing ChallengeResult with authentication schemes ().
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware: Information: AuthenticationScheme: Bearer was forbidden.

我在配置中错过了什么?

PS:我已经检查了这个SO 帖子,但没有成功。

4

3 回答 3

15

我终于找到时间写下角色检查在索赔世界中的工作原理:

https://leastprivilege.com/2016/08/21/why-does-my-authorize-attribute-not-work/

简而言之 - 确保您用于角色的声明类型与您的 ClaimsIdentity 上的 RoleClaimType 匹配。或者在您的政策中替换RequireRoleRequireClaim并使用正确的类型。

于 2016-08-21T09:59:03.227 回答
2

事实上,我在阅读@leastprivilege 详细答案之前解决了我的问题。

问题在于声明类型的命名,

我更改了以下内容:

new Claim(ClaimTypes.Role, "Administrator");

对此:

new Claim(JwtClaimTypes.Role, "Administrator");

并且授权有效。这是因为它们之间的底层字符串值不同,而我的配置期望的是“角色”:

ClaimTypes.Role => "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
JwtClaimTypes.Role => "role"

或者可以根据他的回答来做到这一点:

app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions()
    {
        Authority = "http://localhost:5000",
        ScopeName = "scope",
        ScopeSecret = "secret",
        AutomaticAuthenticate = true,
        AutomaticChallenge = true,
        RequireHttpsMetadata = false,

        RoleClaimType = "role"

    });

有关其背后的详细原因,请阅读@leastprivilege 答案

于 2016-08-22T08:24:57.383 回答
0

根据附加资源,您实际上应该将策略名称放在授权属性中,如下所示[Authorize("AdministratorOnly")]

https://damienbod.com/2016/02/14/authorization-policies-and-data-protection-with-identityserver4-in-asp-net-core/

于 2016-08-20T07:49:45.177 回答