在Blazor A Server应用程序中,为什么GetAuthenticationStateAsync()返回Chrome vs MS Edge的不同索赔?
我们使用Azure Active Directory进行对服务器端的Blazor App(.NET6.0)的身份验证。我试图授权用户对其中一个页面采取特定的操作。如果将用户添加到正确的Active Directory组,则应将其授权。
该授权在Google Chrome中运行良好,但不在边缘。两次都相同的用户帐户。
这是我正在做的事情的简化版本:
@page "/accounting"
@layout GeneralLayout
@inject AuthenticationStateProvider AuthStateProvider
@inject IAuthorizationService AuthService
<PageBody>
@if (IsVendorExpenseAccessEnabled) {
@* show vendor expense things *@
}
else
{
@* don't show vendor expense things *@
}
</PageBody>
@code {
private AuthorizationResult HasFullAccessResult { get; set; }
private bool IsVendorExpenseAccessEnabled =>
HasFullAccessResult != null && HasFullAccessResult.Succeeded;
protected override async Task OnInitializedAsync() {
var authState = await AuthStateProvider.GetAuthenticationStateAsync();
HasFullAccessResult = await AuthService.AuthorizeAsync(authState?.User, "MY POLICY THAT CHECKS GROUP CLAIMS");
}
}
当我在使用Chrome时调试此问题时,authstate.user.claims有14个组索赔。当我在使用边缘时调试时,authstate.user.claims有12个组索赔。这些主张之一是该用户需要的组以利用页面功能。
当用户在Edge中使用此页面时,为什么缺少索赔?
Edge中的更新
似乎是红鲱鱼。我在Chrome中登录了我的应用程序,然后重新登录了,现在Chrome中缺少这些说法。我认为这很可能与我们的Azure广告配置有关。我听到它今天在那里工作。
We use Azure Active Directory for authentication to a server-side Blazor app (.net6.0). I'm attempting to authorize users to do a specific action on one of the pages. A user should be authorized if they have been added to the correct Active Directory group.
The authorization works fine in Google Chrome, but not in Edge. Same user account both times.
Here's a simplified version of what I'm doing:
@page "/accounting"
@layout GeneralLayout
@inject AuthenticationStateProvider AuthStateProvider
@inject IAuthorizationService AuthService
<PageBody>
@if (IsVendorExpenseAccessEnabled) {
@* show vendor expense things *@
}
else
{
@* don't show vendor expense things *@
}
</PageBody>
@code {
private AuthorizationResult HasFullAccessResult { get; set; }
private bool IsVendorExpenseAccessEnabled =>
HasFullAccessResult != null && HasFullAccessResult.Succeeded;
protected override async Task OnInitializedAsync() {
var authState = await AuthStateProvider.GetAuthenticationStateAsync();
HasFullAccessResult = await AuthService.AuthorizeAsync(authState?.User, "MY POLICY THAT CHECKS GROUP CLAIMS");
}
}
When I debug this while using Chrome, authState.User.Claims has 14 group claims. When I debug while using Edge, authState.User.Claims has 12 group claims. One of those claims is the group this user needs in order to utilize page functionality.
Why are claims missing for a user when they use this page in Edge?
Update
Seems the issue in Edge may have been a red herring. I logged out my App in Chrome then logged back in, and now these claims are missing in Chrome, too. I'm thinking it most likely has something to do with our Azure AD configuration. I overheard IT was working in there today.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
事实证明,我们的IT部门完全同步了我们的本地广告和Azure广告。我不是100%确定的细节,但是某些内容导致了我授权反对的组的所有对象ID。一旦意识到这一点,我就可以更新代码以授权针对这些新ID。我的应用程序的页面现在正在工作。
It turns out that our IT department did a full sync of our On-Prem AD and Azure AD. I'm not 100% sure of the details, but something caused all of the Object IDs for the groups I was authorizing against to change. Once I realized this, I was able to update my code to authorize against these new IDs. My app's pages are now working.