I have an ASP.NET Core 3.1 project like this sample: Sign-in a user with the Microsoft Identity Platform in a WPF Desktop application and call an ASP.NET Core Web API.
I'
The video "Implementing Authorization in your Applications with Microsoft identity platform - June 2020" outlines that the missing piece is this flag, JwtSecurityTokenHandler.DefaultMapInboundClaims = false;, which needs to be set in Startup.cs, e.g.:
// Requires: using System.IdentityModel.Tokens.Jwt;
//           using Microsoft.AspNetCore.Authentication.JwtBearer;
//           using Microsoft.Identity.Web;
public void ConfigureServices(IServiceCollection services)
{
    services.AddMicrosoftIdentityWebApiAuthentication(Configuration);

    // By default, the claims mapping will map claim names to the old format to accommodate older SAML applications,
    // e.g. 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' instead of 'roles'.
    // This flag ensures that the ClaimsIdentity claims collection will be built from the claims in the token as-is.
    JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

    // Notice that this part is different in the video,
    // however in this context the following seems to be
    // the correct way of setting the RoleClaimType:
    services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
    {
        // The claim in the JWT token where app roles are available.
        options.TokenValidationParameters.RoleClaimType = "roles";
    });

    [... more code ...]
}
Alternative 1
It is also possible to set authorization for the whole app like this in Startup.cs:
services.AddControllers(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireClaim("roles", "access_as_application")
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
Alternative 2
It is also possible to use a policy like this:
services.AddAuthorization(config =>
{
config.AddPolicy("Role", policy =>
policy.RequireClaim("roles", "access_as_application"));
});
Now this policy can be used on a controller request like this:
[HttpGet]
[Authorize(Policy = "Role")]
public ActionResult<string> Get()
{
    return "Hello world!";
}
More in the documentation: Policy based role checks.
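As an added example that is not part of the original answer, the following stand-alone console program (targeting .NET Core 3.1 with the System.IdentityModel.Tokens.Jwt NuGet package) makes the claim-mapping behaviour visible outside a web host: it mints a local HS256 token carrying a "roles" claim, then validates it three times with different combinations of MapInboundClaims and RoleClaimType. The signing key, issuer and audience are constructed test values, and the token is created locally so nothing talks to Azure AD. The point it shows is that once inbound mapping is off, the role claim keeps its short name "roles", so IsInRole (and therefore [Authorize(Roles = ...)] and policy checks against ClaimTypes.Role) only works after RoleClaimType is set to "roles", exactly the combination in the answer above.

```csharp
// Added example, not the original answer's code: shows what JwtSecurityTokenHandler.MapInboundClaims
// does to the "roles" claim and why TokenValidationParameters.RoleClaimType = "roles" is needed
// once mapping is disabled. All key/issuer/audience values below are constructed test data.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class RoleClaimDemo
{
    // Constructed test values; a real API would get these from Azure AD configuration.
    private const string Issuer = "https://login.example.test/tenant-id/v2.0";
    private const string Audience = "api://example-web-api";
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-test-key-at-least-32-bytes!"));

    // Builds a token that carries the app role the way Azure AD does: in a short "roles" claim.
    public static string CreateToken()
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256),
            Subject = new ClaimsIdentity(new[] { new Claim("roles", "access_as_application") }),
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Validates the token with the given mapping/RoleClaimType settings and returns the claim
    // types found on the resulting principal plus the outcome of the role check.
    public static (string[] ClaimTypes, bool InRole) Validate(string jwt, bool mapInboundClaims, string roleClaimType)
    {
        // Instance property; it mirrors the static DefaultMapInboundClaims used in Startup.cs.
        var handler = new JwtSecurityTokenHandler { MapInboundClaims = mapInboundClaims };
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = Key,
            RoleClaimType = roleClaimType,
        };
        ClaimsPrincipal principal = handler.ValidateToken(jwt, parameters, out _);
        return (principal.Claims.Select(c => c.Type).ToArray(),
                principal.IsInRole("access_as_application"));
    }

    private static void Report(string label, (string[] ClaimTypes, bool InRole) result) =>
        Console.WriteLine($"{label,-34} IsInRole={result.InRole}  claims: {string.Join(", ", result.ClaimTypes)}");

    public static void Main()
    {
        string jwt = CreateToken();

        // 1. Default behaviour: "roles" is rewritten to the long WS-* name
        //    (http://schemas.microsoft.com/ws/2008/06/identity/claims/role) and the default
        //    RoleClaimType (ClaimTypes.Role) matches it, so the role check succeeds.
        Report("mapping on, RoleClaimType default", Validate(jwt, true, ClaimTypes.Role));

        // 2. Mapping off but RoleClaimType left at its default: the claim stays "roles" while the
        //    identity looks for ClaimTypes.Role, so IsInRole and [Authorize(Roles=...)] both fail.
        Report("mapping off, RoleClaimType default", Validate(jwt, false, ClaimTypes.Role));

        // 3. Mapping off and RoleClaimType = "roles": the combination from the answer; the claim
        //    keeps its short name and the role check succeeds against it.
        Report("mapping off, RoleClaimType=roles", Validate(jwt, false, "roles"));
    }
}
```

Run it once and compare the three lines: the first and third report IsInRole=True, the second IsInRole=False, and the claim list of the first line shows the long schemas.microsoft.com role type where the other two show plain "roles". Note that a policy written as RequireClaim("roles", ...) (Alternatives 1 and 2 above) reads the claim type directly and is therefore independent of RoleClaimType, but it does depend on mapping being off, since with mapping on no claim of type "roles" exists on the principal.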