問題描述

我在 ((System.Security.Claims.ClaimsIdentity)User.Identity).Claims 中看到了這一點:

I am seeing this in my ((System.Security.Claims.ClaimsIdentity)User.Identity).Claims:

如何使用從 Azure AD 獲取的這些組 GUID(以基于組成員身份保護端點)?

How do I make use of these group GUID's I am getting from our Azure AD (to secure the endpoint based on group membership)?

[Authorize(Roles="<group guid here>")]

或

[Authorize("<group guid here>")]

或者我需要在 startup.cs 文件中進行設置嗎?

Or do I need to set something up in the startup.cs file?

推薦答案

您可以在 asp.net core 中使用策略，使用具有命名策略的屬性，然后在啟動時定義策略以要求組聲明并設置允許的組 ID:

You could use policy in asp.net core , use an attribute with a named policy then you define the policy in startup to require group claim and set allowed Group ID :

        public void ConfigureServices(IServiceCollection services)
        {
            // Add MVC services to the services container.
            services.AddMvc();

            // Add Authentication services.
            services.AddAuthentication(sharedOptions => sharedOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme);


            services.AddAuthorization(options =>
            {
                options.AddPolicy(
                    "CanAccessGroup",
                    policyBuilder => policyBuilder.RequireClaim("groups", "8e39f882-3453-4aeb-9efa-f6ac6ad8e2e0"));
            });
        }

然后在控制器中:

 [Authorize(Policy = "CanAccessGroup")]
 public IActionResult Contact()
        {
            ViewData["Message"] = "Your contact page.";

            return View();
        }

如果組 id 不在用戶組聲明中，它會將用戶重定向到訪問拒絕頁面，您也可以編寫策略規則邏輯，如下所示 這里 .

If the group id is not in the user group claims, it will redirect user to access denied page , you could also write your policy rules logic as shown here .

這篇關于.net 核心 [授權] 將 ClaimsIdentity 與 AAD 組一起使用的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！