【问题标题】:Microsoft.Identity.Web: OnTokenValidated event not triggeredMicrosoft.Identity.Web:未触发 OnTokenValidated 事件
【发布时间】:2021-02-05 09:00:51
【问题描述】:

我要做的是在身份验证后添加声明。 以下注册OnTokenValidation 事件的示例无法解决问题。该事件永远不会触发。

我正在使用 Microsoft.Identity.Web 在 Azure AD B2C 上进行身份验证。那部分有效! 如何使用AddMicrosoftIdentityWebAppAuthentication 注册事件?

services.AddMicrosoftIdentityWebAppAuthentication(Configuration, "AzureAdB2C")
    .EnableTokenAcquisitionToCallDownstreamApi(new string[] {Configuration["DemoApi:ServiceScope"]})
    .AddInMemoryTokenCaches();

services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
{
    options.Events = new OpenIdConnectEvents
    {
        OnTokenValidated = ctx =>
        {
            //query groups with graph api to get the role

            // add claims
            var claims = new List<Claim>
            {
                new Claim(ClaimTypes.Role, "superadmin")
            };
            var appIdentity = new ClaimsIdentity(claims);
            ctx.Principal.AddIdentity(appIdentity);
            return Task.CompletedTask;
        },
    };
});

【问题讨论】:

    标签: .net azure-ad-b2c roles .net-core-3.1 claims


    【解决方案1】:

    使用 MicrosoftIdentityOptions:

    services.Configure<MicrosoftIdentityOptions>(options =>
    {
       options.Events = new OpenIdConnectEvents
       {
          OnTokenValidated = async ctx =>
          { 
             //add claims
             var scopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');
    
             var clientApp = ConfidentialClientApplicationBuilder
                    .Create(Configuration["AzureAD:ClientId"])
                    .WithTenantId(Configuration["AzureAD:TenantId"])
                    .WithClientSecret(Configuration["AzureAD:ClientSecret"])
                    .Build();
             var authResult = await clientApp
                    .AcquireTokenOnBehalfOf(scopes, new UserAssertion(ctx.SecurityToken.RawData))
                    .ExecuteAsync().ConfigureAwait(false);
    
             var graphClient = new GraphServiceClient(Configuration["DownstreamApi:BaseUrl"], new DelegateAuthenticationProvider(
                    requestMessage =>
                    {
                        requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", authResult.AccessToken);
                        return Task.CompletedTask;
                    }));
             var identity = new ClaimsIdentity();
                //https://graph.microsoft.com/1.0/me/transitiveMemberOf/microsoft.graph.group?$count=true&$select=displayName
             var groups = await graphClient.Me.TransitiveMemberOf.Request().Select("displayName").GetAsync().ConfigureAwait(false);
             while (groups != null && groups.Count > 0)
             {
                 foreach (var g in groups)
                 {
                     if (!(g is Group groupItem)) continue;
                     identity.AddClaim(new Claim(ClaimTypes.Role, groupItem.DisplayName));
                 }
                 if (groups.NextPageRequest != null)
                     groups = await groups.NextPageRequest.GetAsync().ConfigureAwait(false);
                 else
                     break;
             }
             ctx.Principal.AddIdentity(identity);
          }
       };
    });
    services.AddMicrosoftIdentityWebAppAuthentication(Configuration);
    

    【讨论】:

      猜你喜欢
      • 2022-01-07
      • 1970-01-01
      • 2010-11-08
      • 2019-01-31
      • 2013-04-09
      • 2015-07-25
      • 2017-06-25
      • 2012-02-21
      • 2018-09-13
      相关资源
      最近更新 更多