1. 首頁
  2. 問答
  3. IdentityServer4基於角色的授權

IdentityServer4基於角色的授權

2016-11-28 175 views
8

我正在嘗試使用IdentityServer4實現「基於角色的授權」,以便根據用戶角色授予我的API訪問權限。IdentityServer4基於角色的授權

例如,我希望爲用戶提供兩個角色,即FreeUser和PaidUser,並希望通過授權屬性使用[Authorize(Roles =「FreeUser」))]訪問API,請幫助我如何我可以做到這一點嗎?

我有以下解決方案結構:

  1. IdentityServer
  2. 的WebAPI
  3. JavaScript客戶端

我已經註冊了我的JavaScript客戶端如下:

new Client 
      { 
       ClientId = "js", 
       ClientName = "javascript client", 
       AllowedGrantTypes = GrantTypes.Implicit, 
       AllowAccessTokensViaBrowser= true, 
       RedirectUris = {"http://localhost:5004/callback.html"}, 
       PostLogoutRedirectUris = {"http://localhost:5004/index.html"}, 
       AllowedCorsOrigins = {"http://localhost:5004"}, 

       AllowedScopes = 
       { 
        StandardScopes.OpenId.Name, 
        StandardScopes.Profile.Name, 
        "api1", 
        "role", 
        StandardScopes.AllClaims.Name 
       } 
      }

個作用域

return new List<Scope> 
     { 
      StandardScopes.OpenId, 
      StandardScopes.Profile, 

      new Scope 
      { 
       Name = "api1", 
       Description = "My API" 
      }, 
      new Scope 
      { 
       Enabled = true, 
       Name = "role", 
       DisplayName = "Role(s)", 
       Description = "roles of user", 
       Type = ScopeType.Identity, 
       Claims = new List<ScopeClaim> 
       { 
        new ScopeClaim("role",false) 
       } 
      }, 
      StandardScopes.AllClaims 
     };

用戶

return new List<InMemoryUser> 
     { 
      new InMemoryUser 
      { 
       Subject = "1", 
       Username = "alice", 
       Password = "password", 

       Claims = new List<Claim> 
       { 
        new Claim("name", "Alice"), 
        new Claim("website", "https://alice.com"), 
        new Claim("role","FreeUser") 
       } 
      }, 
      new InMemoryUser 
      { 
       Subject = "2", 
       Username = "bob", 
       Password = "password", 

       Claims = new List<Claim> 
       { 
        new Claim("name", "Bob"), 
        new Claim("website", "https://bob.com"), 
        new Claim("role","PaidUser") 
       } 
      } 
     };

的WebAPI Startup.cs

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) 
    { 
     loggerFactory.AddConsole(Configuration.GetSection("Logging")); 
     loggerFactory.AddDebug(); 


     JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); 
     app.UseCors("default"); 
     app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions 
     { 
      Authority = "http://localhost:5000", 
      ScopeName = "api1", 
      // AdditionalScopes = new List<string> { "openid","profile", "role" }, 
      RequireHttpsMetadata = false 
     }); 

     app.UseMvc(); 
    }

網絡API控制器

namespace Api.Controllers 
{ 
[Route("[controller]")] 

public class IdentityController : ControllerBase 
{ 
    [HttpGet] 
    [Authorize(Roles = "PaidUser")] 
    public IActionResult Get() 
    { 
     return new JsonResult(from c in User.Claims select new { c.Type, c.Value }); 
    } 

    [Authorize(Roles = "FreeUser")] 
    [HttpGet] 
    [Route("getfree")] 
    public IActionResult GetFreeUser() 
    { 
     return new JsonResult(from c in User.Claims select new { c.Type, c.Value }); 
    } 
} 
}

JavaScript客戶端app.js 在這裏,我試圖登錄通過IdentityServer用戶,使API請求。

var mgr = new Oidc.UserManager(config); 
mgr.getUser().then(function (user) { 
if (user) { 
    log("User logged in", user.profile); 
} else { 
    log("User is not logged in."); 
} 
}); 

function login() { 
    mgr.signinRedirect(); 
} 

function api() { 
mgr.getUser().then(function (user) { 
    var url = "http://localhost:5001/identity/getfree"; 

    var xhr = new XMLHttpRequest(); 
    xhr.open("GET", url); 
    xhr.onload = function() { 
     log(xhr.status, JSON.parse(xhr.responseText)); 
    }; 

    xhr.setRequestHeader("Authorization", "Bearer " + user.access_token); 
    xhr.send(); 
    }); 
} 

function logout() { 
    mgr.signoutRedirect(); 
}

登錄流程正常,我可以成功登錄,並且我可以接收訪問令牌中的角色。

enter image description here

當我做對API的請求通過單擊按鈕(呼叫API)然後我收到以下錯誤.. enter image description here

來源

2016-11-28 muhammad waqas

回答

5

鑑於您沒有提供JavaScript客戶端的配置對象,我假設您的作用域配置如下。

scope:"openid profile api1 role"

我相信您的問題的主要原因是您的訪問令牌中沒有包含角色聲明。

將角色聲明添加到api1範圍,如下所示將其包含在訪問令牌中。

   new Scope 
       { 
        Name = "api1", 
        DisplayName = "API1 access", 
        Description = "My API", 
        Type = ScopeType.Resource, 
        IncludeAllClaimsForUser = true, 
        Claims = new List<ScopeClaim> 
        { 
         new ScopeClaim(ClaimTypes.Name), 
         new ScopeClaim(ClaimTypes.Role) 
        } 
       }

你可以在這裏閱讀我的答案以幫助調試問題。 implementing roles in identity server 4 with asp.net identity

完整的工作解決方案就在這裏。 https://github.com/weliwita/IdentityServer4.Samples/tree/40844310

來源

2016-11-30 00:27:23 rawel

+0

偉大..現在工作正常..我不能相信我是如何忘記將其添加到範圍..謝謝無論如何.. –

+0

@muhammadwaqas我認爲你應該接受答案 – Learner

2

變化new Claim("role","FreeUser")new Claim(ClaimTypes.Role, "FreeUser")

或者創建一個像這樣的政策:

services.AddAuthorization(options => 
{ 
    options.AddPolicy("FreeUser", policy => policy.RequireClaim("role", "FreeUser")); 
});

和我們電子郵件:

Authorize[(Policy = "FreeUser")]

來源

2016-11-28 13:01:30

+0

感謝您的回覆,我已經嘗試了兩種方法,但結果相同,如果在創建API請求時添加策略,則會向API發出兩個請求,第一個請求會顯示204 [無內容]狀態代碼,而第二個失敗與403 ..在索賠的情況下,結果是一樣的403 ..有我失蹤的東西?.. –

相關問題

 相關問題