1. 首页
  2. 问答
  3. 承载与授权禁止过滤器在IdentityServer4

承载与授权禁止过滤器在IdentityServer4

2016-08-20 26 views
2

虽然与AspNetAuthorization教程测试IdentityServer4我添加了一个简单的[Authorize(Roles = "Administrator")]从那以后,我得到这个错误:承载与授权禁止过滤器在IdentityServer4

AuthenticationScheme: Bearer was forbidden.

我的用户有这种说法: new Claim(ClaimTypes.Role, "Administrator", ClaimValueTypes.String)

ConfigureServices方法:

services.AddAuthorization(options => 
     { 
      options.AddPolicy("AdministratorOnly", policy => policy.RequireRole("Administrator")); 
     }); 

     services.AddMvc(config => 
     { 
      var policy = new AuthorizationPolicyBuilder() 
         .RequireAuthenticatedUser() 
         .Build(); 

      config.Filters.Add(new AuthorizeFilter(policy)); 
     });

Configure方法:

app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions() 
     { 
      Authority = "http://localhost:5000", 
      ScopeName = "openid", 
      AutomaticAuthenticate = true, 
      AutomaticChallenge = true, 
      RequireHttpsMetadata = false, 
     });

调试输出:

Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Debug: Executing action LearningEntityServer4.OAuth.ValuesController.Get (LearningEntityServer4.OAuth) 
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization was successful for user: myuser. 
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed for user: myuser. 
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Warning: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'. 
Microsoft.AspNetCore.Mvc.ChallengeResult: Information: Executing ChallengeResult with authentication schemes(). 
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware: Information: AuthenticationScheme: Bearer was forbidden.

我错过了在配置?

PS:我已经检查过this SO帖子没有成功。

来源

2016-08-20 Mohsen Afshin

回答

4

我终于找到了写上去的角色检查,在权利要求书中的世界是如何工作的内部时间:

https://leastprivilege.com/2016/08/21/why-does-my-authorize-attribute-not-work/

总之 - 确保你使用的角色的声明类型匹配您的ClaimsIdentity上的RoleClaimType。或者在您的政策中将RequireRole替换为RequireClaim,并使用正确的类型。

来源

2016-08-21 09:59:03 leastprivilege

+0

我很感谢你的回答。人们无法使用写得好的IdS和特别是IdS4的原因之一是缺乏广泛的例子和文件来解决他们的问题。我被这个问题困住了好几天。感谢您的广泛解释。 –

0

根据附加的资源,看起来您应该将策略名称放在authorize属性中,如[Authorize("AdministratorOnly")]

https://damienbod.com/2016/02/14/authorization-policies-and-data-protection-with-identityserver4-in-asp-net-core/

来源

2016-08-20 07:49:45 hburton

+0

我已经通过'[Authorize(Policy =“AdministratorOnly”)]'应用了,它不起作用。 –

+0

@MohsenAfshin我注意到您在新索赔(ClaimTypes.Role,“Administrator”,ClaimValueTypes.String,Issuer)''上面定义的索赔中没有发行人。也许这是你的问题?基于示例https://github.com/blowdart/AspNetAuthorizationWorkshop#step-4-simple-policies – hburton

+0

中发出的索赔尝试过,并设置发行人,似乎有配置问题,我无法找到它。 –

0

其实,我在阅读@leastprivilege之前解决了我的问题的详细答案。

的问题是与索赔类型的命名,

我改变了以下内容:

​​

这样:

new Claim(JwtClaimTypes.Role, "Administrator");

和授权工作。这是因为它们之间的底层字符串值不同,我的配置是期待的“角色”之一:

ClaimTypes.Role => "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" 
JwtClaimTypes.Role => "role"

或可以基于他的答案做到这一点:

app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions() 
    { 
     Authority = "http://localhost:5000", 
     ScopeName = "scope", 
     ScopeSecret = "secret", 
     AutomaticAuthenticate = true, 
     AutomaticChallenge = true, 
     RequireHttpsMetadata = false, 

     RoleClaimType = "role" 

    });

它后面的详细原因,请阅读@leastprivilege回答

来源

2016-08-22 08:24:57

相关问题

 相关问题