I run the sample here: https://github/Azure-Samples/ms-identity-docs-code-dotnet/tree/main/web-api
I have done all the requirements from this article: https://learn.microsoft/en-us/entra/identity-platform/howto-call-a-web-api-with-curl?tabs=dotnet6%2Cbash&pivots=no-api
I receive an HTTP 403 on the call of the API.
When I activate the full trace in the settings
"Logging": {
  "LogLevel": {
    "Default": "Trace",
    "Microsoft.AspNetCore": "Trace"
  }
}
I see that log
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2] Authorization failed. These requirements were not met: RolesAuthorizationRequirement:User.IsInRole must be true for one of the following roles: (Forecast.Read)
But my token has this information.
When I check my token on jwt.io, I have the claim "scp" set to "Forecast.Read".
What can cause this problem?
If I remove the .RequireAuthorization, it works... naturally.
app.MapGet("/weatherforecast", () =>
{
    var forecast = Enumerable.Range(1, 5).Select(index =>
        new WeatherForecast
        (
            DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
            Random.Shared.Next(-20, 55),
            summaries[Random.Shared.Next(summaries.Length)]
        ))
        .ToArray();
    return forecast;
})
.WithName("weatherForecast")
.RequireAuthorization("AuthZPolicy"); // Protect this endpoint with the AuthZPolicy
asked Mar 6 at 8:04 by Rob
1 Answer
I think that I have found the solution.
The GitHub example is for a daemon scenario, not a delegated one (on behalf of the user).
This article clarifies this: https://learn.microsoft/en-us/entra/identity-platform/scenario-protected-web-api-verification-scope-app-roles?tabs=aspnetcore
So if you do this:
builder.Services.AddAuthorization(config =>
{
    config.AddPolicy("AuthZPolicy", policy => policy.RequireRole("SomeRole"));
});
You must gain an OAuth token in the context of an "application". You will have the "roles" claim in the token.
If you gain an OAuth token on behalf of the user, you can use Scope:
app.MapGet("/weatherforecastv2", [Authorize()][RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")] () =>
{
    var forecast = Enumerable.Range(1, 5).Select(index =>
        new WeatherForecast
        (
            DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
            Random.Shared.Next(-20, 55),
            summaries[Random.Shared.Next(summaries.Length)]
        ))
        .ToArray();
    return forecast;
})
.WithName("weatherForecastv2");
The article explains the difference between "Scope" and "Roles", and in which context each one applies.
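The failure in the question comes from `RequireRole` only ever inspecting role claims, while a delegated token carries its permission in the space-delimited `scp` claim. When one API has to serve both daemon (app-only, `roles`) and on-behalf-of (delegated, `scp`) callers, a single policy can check either claim and still deny tokens that carry neither. This is an added example, not code from the sample repository or from the answer; the policy name `ForecastReadPolicy` and the permission value `Forecast.Read` are assumptions taken from the question's log line.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);

// Token validation (issuer, audience, signature) still comes from the AzureAd section.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

// Assumed permission name: an app role for daemon callers and a delegated
// scope for user callers are both registered with this exact value.
const string Permission = "Forecast.Read";

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("ForecastReadPolicy", policy =>
        policy.RequireAuthenticatedUser()
              .RequireAssertion(ctx =>
                  HasAppRole(ctx.User, Permission) || HasScope(ctx.User, Permission)));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/weatherforecast", () => Results.Ok(new { ok = true }))
   .RequireAuthorization("ForecastReadPolicy");

app.Run();

// App-only token: "roles" is a JSON array, one claim per role. The JWT handler may
// map it to ClaimTypes.Role, so both claim types are accepted.
static bool HasAppRole(ClaimsPrincipal user, string role) =>
    user.Claims.Any(c =>
        (c.Type == "roles" || c.Type == ClaimTypes.Role) && c.Value == role);

// Delegated token: "scp" is ONE string with scopes separated by spaces,
// so it must be split before comparing; a Contains on the raw string would
// also match "Forecast.ReadWrite".
static bool HasScope(ClaimsPrincipal user, string scope) =>
    user.Claims
        .Where(c => c.Type == "scp"
                 || c.Type == "http://schemas.microsoft.com/identity/claims/scope")
        .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
        .Contains(scope);
```

With this policy the trace from the question would show the assertion requirement succeeding for a token whose `scp` is `Forecast.Read`, and a token with neither claim still returns 403.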