1. 首頁
  2. 問答
  3. 承載與授權禁止過濾器在IdentityServer4

承載與授權禁止過濾器在IdentityServer4

2016-08-20 64 views
2

雖然與AspNetAuthorization教程測試IdentityServer4我添加了一個簡單的[Authorize(Roles = "Administrator")]從那以後,我得到這個錯誤:承載與授權禁止過濾器在IdentityServer4

AuthenticationScheme: Bearer was forbidden.

我的用戶有這種說法: new Claim(ClaimTypes.Role, "Administrator", ClaimValueTypes.String)

ConfigureServices方法:

services.AddAuthorization(options => 
     { 
      options.AddPolicy("AdministratorOnly", policy => policy.RequireRole("Administrator")); 
     }); 

     services.AddMvc(config => 
     { 
      var policy = new AuthorizationPolicyBuilder() 
         .RequireAuthenticatedUser() 
         .Build(); 

      config.Filters.Add(new AuthorizeFilter(policy)); 
     });

Configure方法:

app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions() 
     { 
      Authority = "http://localhost:5000", 
      ScopeName = "openid", 
      AutomaticAuthenticate = true, 
      AutomaticChallenge = true, 
      RequireHttpsMetadata = false, 
     });

調試輸出:

Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Debug: Executing action LearningEntityServer4.OAuth.ValuesController.Get (LearningEntityServer4.OAuth) 
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization was successful for user: myuser. 
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed for user: myuser. 
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker: Warning: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'. 
Microsoft.AspNetCore.Mvc.ChallengeResult: Information: Executing ChallengeResult with authentication schemes(). 
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware: Information: AuthenticationScheme: Bearer was forbidden.

我錯過了在配置?

PS:我已經檢查過this SO帖子沒有成功。

來源

2016-08-20 Mohsen Afshin

回答

4

我終於找到了寫上去的角色檢查,在權利要求書中的世界是如何工作的內部時間:

https://leastprivilege.com/2016/08/21/why-does-my-authorize-attribute-not-work/

總之 - 確保你使用的角色的聲明類型匹配您的ClaimsIdentity上的RoleClaimType。或者在您的政策中將RequireRole替換爲RequireClaim,並使用正確的類型。

來源

2016-08-21 09:59:03 leastprivilege

+0

我很感謝你的回答。人們無法使用寫得好的IdS和特別是IdS4的原因之一是缺乏廣泛的例子和文件來解決他們的問題。我被這個問題困住了好幾天。感謝您的廣泛解釋。 –

0

根據附加的資源,看起來您應該將策略名稱放在authorize屬性中,如[Authorize("AdministratorOnly")]

https://damienbod.com/2016/02/14/authorization-policies-and-data-protection-with-identityserver4-in-asp-net-core/

來源

2016-08-20 07:49:45 hburton

+0

我已經通過'[Authorize(Policy =「AdministratorOnly」)]'應用了,它不起作用。 –

+0

@MohsenAfshin我注意到您在新索賠(ClaimTypes.Role,「Administrator」,ClaimValueTypes.String,Issuer)''上面定義的索賠中沒有發行人。也許這是你的問題?基於示例https://github.com/blowdart/AspNetAuthorizationWorkshop#step-4-simple-policies – hburton

+0

中發出的索賠嘗試過,並設置發行人,似乎有配置問題,我無法找到它。 –

0

其實,我在閱讀@leastprivilege之前解決了我的問題的詳細答案。

的問題是與索賠類型的命名,

我改變了以下內容:

​​

這樣:

new Claim(JwtClaimTypes.Role, "Administrator");

和授權工作。這是因爲它們之間的底層字符串值不同,我的配置是期待的「角色」之一:

ClaimTypes.Role => "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" 
JwtClaimTypes.Role => "role"

或可以基於他的答案做到這一點:

app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions() 
    { 
     Authority = "http://localhost:5000", 
     ScopeName = "scope", 
     ScopeSecret = "secret", 
     AutomaticAuthenticate = true, 
     AutomaticChallenge = true, 
     RequireHttpsMetadata = false, 

     RoleClaimType = "role" 

    });

它後面的詳細原因,請閱讀@leastprivilege回答

來源

2016-08-22 08:24:57

相關問題

 相關問題