I have a .NET Core 2.0 service in which I'm trying to implement authorization by reading groups from AAD.
What was done:
- In the Azure portal, in the app registration, I modified the manifest: added "groupMembershipClaims": "SecurityGroup"
- In the app registration -> API permissions -> gave permission
In the code:
    using Microsoft.AspNetCore.Authorization;

    public static class AuthorizationPolicy
    {
        public static string Name => "GroupName";

        // Azure AD issues the group membership as claims of type "groups" whose value is the
        // group's object id, so the policy has to require that claim type, not the policy name.
        public static void Build(AuthorizationPolicyBuilder builder) =>
            builder.RequireClaim("groups", "06edc7ed-b0da-425f-b4a3-f501904e6c6f");
    }
    // Startup.ConfigureServices: register the policy backed by the custom requirement.
    services.AddAuthorization(options =>
    {
        options.AddPolicy("GroupName", policy =>
            policy.AddRequirements(new IsMemberOfGroupRequirement("GroupName", "06edc7ed-b0da-425f-b4a3-f501904e6c6f")));
    });
    // The handler must also be registered in DI, otherwise the requirement can never be satisfied.
    services.AddSingleton<IAuthorizationHandler, IsMemberOfGroupHandler>();
Added an AuthorizationHandler class:
    using System;
    using System.Linq;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authorization;

    // Requirement type used above; its definition is not shown in the question, so this is the
    // minimal shape the constructor call and the GroupId access imply.
    public class IsMemberOfGroupRequirement : IAuthorizationRequirement
    {
        public string GroupName { get; }
        public string GroupId { get; }
        public IsMemberOfGroupRequirement(string groupName, string groupId) { GroupName = groupName; GroupId = groupId; }
    }

    public class IsMemberOfGroupHandler : AuthorizationHandler<IsMemberOfGroupRequirement>
    {
        protected override Task HandleRequirementAsync(
            AuthorizationHandlerContext context, IsMemberOfGroupRequirement requirement)
        {
            // Azure AD emits one "groups" claim per group, each carrying the group's object id.
            var groupClaim = context.User.Claims
                .FirstOrDefault(claim => claim.Type == "groups" &&
                    claim.Value.Equals(requirement.GroupId, StringComparison.InvariantCultureIgnoreCase));
            if (groupClaim != null)
                context.Succeed(requirement);
            return Task.CompletedTask;
        }
    }
But the groups don't exist in the user's claims.
Please assist; what am I missing?
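Two things worth checking before touching the handler: the "groupMembershipClaims" setting governs the tokens issued for the app registration it is set on, so for an API validating access tokens it must be set on the API's own registration, and a token obtained before the manifest change will not carry the claim until the user signs in again. Separately, when a user belongs to more groups than fit in the token, Azure AD omits the "groups" list and emits an overage marker instead ("_claim_names"/"_claim_sources", or "hasgroups" for implicit-flow tokens), so a handler that treats "no groups claim" as "not a member" silently denies such users, and one that treats it as "checked" would be wrong the other way. The example below is added here and is not the asker's code; it re-implements the requirement and handler under hypothetical names (GroupMembershipRequirement, GroupMembershipHandler) so it does not clash with the question's classes, assumes the Microsoft.AspNetCore.Authorization package, uses a constructed placeholder group id, and exercises the handler offline against constructed principals for the member, non-member and overage cases:

```csharp
// Added example, not the question's code. Assumes Microsoft.AspNetCore.Authorization.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Hypothetical requirement: the AAD group (object id) the caller must belong to.
public class GroupMembershipRequirement : IAuthorizationRequirement
{
    public string GroupName { get; }
    public string GroupId { get; }
    public GroupMembershipRequirement(string groupName, string groupId)
    {
        GroupName = groupName;
        GroupId = groupId;
    }
}

public class GroupMembershipHandler : AuthorizationHandler<GroupMembershipRequirement>
{
    // Claim type Azure AD uses for group object ids when groupMembershipClaims is set.
    private const string GroupsClaim = "groups";
    // Claim types that appear instead of "groups" when the user is in too many groups
    // for the token (group overage); the membership list is then NOT in the token.
    private static readonly string[] OverageClaims = { "_claim_names", "hasgroups" };

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, GroupMembershipRequirement requirement)
    {
        var groupIds = context.User.FindAll(GroupsClaim).Select(c => c.Value);
        if (groupIds.Any(id => string.Equals(id, requirement.GroupId, StringComparison.OrdinalIgnoreCase)))
        {
            context.Succeed(requirement);
        }
        else if (context.User.HasClaim(c => OverageClaims.Contains(c.Type)))
        {
            // Membership cannot be decided from the token alone: fail explicitly rather than
            // letting "claim absent" pass as "evaluated"; resolving it needs a Microsoft Graph call.
            context.Fail();
        }
        return Task.CompletedTask;
    }
}

public static class GroupMembershipDemo
{
    // Runs the handler against a constructed principal, the same way the framework would.
    public static async Task<bool> EvaluateAsync(IEnumerable<Claim> claims, GroupMembershipRequirement requirement)
    {
        var user = new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer"));
        var ctx = new AuthorizationHandlerContext(new[] { requirement }, user, resource: null);
        await new GroupMembershipHandler().HandleAsync(ctx);
        return ctx.HasSucceeded;
    }

    public static async Task Main()
    {
        // Constructed placeholder ids; replace with the real group object id from the portal.
        var requirement = new GroupMembershipRequirement("GroupName", "00000000-0000-0000-0000-000000000001");
        var member = new[] { new Claim("groups", "00000000-0000-0000-0000-000000000001") };
        var nonMember = new[] { new Claim("groups", "00000000-0000-0000-0000-000000000002") };
        var overage = new[] { new Claim("_claim_names", "{\"groups\":\"src1\"}") };

        Console.WriteLine($"member:     {await EvaluateAsync(member, requirement)}");
        Console.WriteLine($"non-member: {await EvaluateAsync(nonMember, requirement)}");
        Console.WriteLine($"overage:    {await EvaluateAsync(overage, requirement)}");
    }
}
```

Register the handler with services.AddSingleton<IAuthorizationHandler, GroupMembershipHandler>() alongside the policy; without that registration the requirement is never evaluated and every request under the policy is denied, which looks identical from the outside to the groups claim being missing.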