我想对我的 Web API 使用 JWT 身份验证,对 Razor 页面使用 cookie 身份验证。
我对 Controller 使用策略授权。在我的 Startup.cs 中使用此配置,一切都适用于我的 Razor 页面:
services.AddIdentity<User, Role>(opt =>{
opt.Password.RequireDigit = false;
opt.Password.RequiredLength = 4;
opt.Password.RequireNonAlphanumeric = false;
opt.Password.RequireUppercase = false;
opt.Password.RequireLowercase = false;
})
.AddEntityFrameworkStores<DataContext>()
.AddRoleValidator<RoleValidator<Role>>()
.AddRoleManager<RoleManager<Role>>()
.AddSignInManager<SignInManager<User>>();
但是我的 Controller 端点不工作,当我使用下面的那个时它工作:
IdentityBuilder builder = services.AddIdentityCore<User>(opt =>
{
opt.Password.RequireDigit = false;
opt.Password.RequiredLength = 4;
opt.Password.RequireNonAlphanumeric = false;
opt.Password.RequireUppercase = false;
opt.Password.RequireLowercase = false;
});
但是角色没有添加到用户声明中,因此我的 Razor 页面的授权策略属性总是返回 Access Denied。
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddDbContext<DataContext>(opt => opt.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
services.ConfigureApplicationCookie(options =>
{
// Cookie settings
options.Cookie.HttpOnly = true;
options.ExpireTimeSpan = TimeSpan.FromDays(1);
options.LoginPath = "/Account/Login";
options.AccessDeniedPath = "/Account/AccessDenied";
options.SlidingExpiration = true;
options.Cookie.Name = Configuration.GetSection("AppSettings:AuthCookieName").Value;
});
// services.AddIdentity<User, Role>(opt =>{
// opt.Password.RequireDigit = false;
// opt.Password.RequiredLength = 4;
// opt.Password.RequireNonAlphanumeric = false;
// opt.Password.RequireUppercase = false;
// opt.Password.RequireLowercase = false;
// });
IdentityBuilder builder = services.AddIdentityCore<User>(opt =>
{
opt.Password.RequireDigit = false;
opt.Password.RequiredLength = 4;
opt.Password.RequireNonAlphanumeric = false;
opt.Password.RequireUppercase = false;
opt.Password.RequireLowercase = false;
});
builder = new IdentityBuilder(builder.UserType, typeof(Role), builder.Services);
builder.AddEntityFrameworkStores<DataContext>();
builder.AddRoleValidator<RoleValidator<Role>>();
builder.AddRoleManager<RoleManager<Role>>();
builder.AddSignInManager<SignInManager<User>>();
services.AddAuthorization(options =>{
options.AddPolicy("CorrectUserIdRequested", policy=>{
policy.AddRequirements(new CorrectUserIdRequestedRequirement());
});
options.AddPolicy("RequireAdminRole", policy => policy.RequireRole("admin"));
options.AddPolicy("RequireUserRole", policy => policy.RequireRole("admin","user"));
});
services.AddMvc(options => {
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
}).
SetCompatibilityVersion(CompatibilityVersion.Version_2_2)
.AddJsonOptions(opt =>
{
opt.SerializerSettings.ReferenceLoopHandling =
Newtonsoft.Json.ReferenceLoopHandling.Ignore;
});
// Authentication Scheme
services.AddAuthentication(IdentityConstants.ApplicationScheme)
.AddCookie(IdentityConstants.ApplicationScheme, options =>
{
//if url start with "/api" use jwt instead
options.ForwardDefaultSelector = httpContext => httpContext.Request.Path.StartsWithSegments("/api") ? JwtBearerDefaults.AuthenticationScheme : null;
})
.AddJwtBearer(o =>
{
o.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII
.GetBytes(Configuration.GetSection("AppSettings:Token").Value)),
ValidateIssuer = false,
ValidateAudience = false
};
});
Mapper.Reset();
services.AddCors();
services.AddAutoMapper(typeof(Startup));
//Injections
services.AddTransient<Seed>();
services.AddScoped<AuthService, AuthServicePasswordless>();
services.AddScoped<IUserRepository, UserRepository>();
services.AddScoped<INotificationService, SmsNotifyService>();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, Seed seeder)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler(builder => {
builder.Run(async context => {
context.Response.StatusCode = (int)HttpStatusCode.InternalServerError;
var error = context.Features.Get<IExceptionHandlerFeature>();
if(error != null){
context.Response.AddApplicationError(error.Error.Message);
await context.Response.WriteAsync(error.Error.Message);
}
});
}); // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
// app.UseHsts();
}
// app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy();
seeder.SeedUsers();
app.UseAuthentication();
app.UseMvc(routes =>
{
routes.MapRoute(
name: null,
template: "{area:exists}/{controller=Dashboard}/{action=Index}/{id?}");
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
}
//Controller
[Authorize(Policy = "RequireAdminRole")]
[Area("Admin")]
public class DashboardController : Controller
{
public IActionResult Index(){
return View();
}
}
最佳答案
请注意,您创建了一个全新的IdentityBuilder 然后配置新创建的 IdentityBuilder 而不是 services.AddIdentityCore<>() 返回的那个:
IdentityBuilder builder = services.AddIdentityCore<User>(opt =>
{
opt.Password.RequireDigit = false;
opt.Password.RequiredLength = 4;
opt.Password.RequireNonAlphanumeric = false;
opt.Password.RequireUppercase = false;
opt.Password.RequireLowercase = false;
});
builder = new IdentityBuilder(builder.UserType, typeof(Role), builder.Services);
... configure the builder
如何修复:
要解决这个问题,您需要在服务容器中配置相同的构建器:
builder = new IdentityBuilder(builder.UserType, typeof(IdentityRole), builder.Services);
最后,不要忘记先注销然后重新登录,让用户获得角色。
附带说明一下,您不需要添加编写那么多代码来配置身份验证。更好的方法是调用 AddDefaultIdentity<User>()而不是 AddIdentityCore()简化您的代码:
IdentityBuilder builder = services.AddDefaultIdentity<User>(opt =>
{
...
})
.AddRoles<Role>()
.AddDefaultTokenProviders()
.AddEntityFrameworkStores<DataContext>()
;
builder = new IdentityBuilder(builder.UserType, typeof(Role), builder.Services);
builder.AddEntityFrameworkStores<DataContext>();
builder.AddRoleValidator<RoleValidator<Role>>();
builder.AddRoleManager<RoleManager<Role>>();
builder.AddSignInManager<SignInManager<User>>();
....
services.Configure<CookieAuthenticationOptions>(IdentityConstants.ApplicationScheme,opt=>{
//if url start with "/api" use jwt instead
opt.ForwardDefaultSelector = httpContext => httpContext.Request.Path.StartsWithSegments("/api") ? JwtBearerDefaults.AuthenticationScheme : null;
});
services.AddAuthentication(IdentityConstants.ApplicationScheme)
.AddCookie(IdentityConstants.ApplicationScheme, options =>
{
//if url start with "/api" use jwt instead
options.ForwardDefaultSelector = httpContext => httpContext.Request.Path.StartsWithSegments("/api") ? JwtBearerDefaults.AuthenticationScheme : null;
})
.AddJwtBearer(o =>
{
...
});
演示:
关于c# - 身份角色未添加到用户,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58074234/