Microsoft.Identity.Web：未触发OnTokenValidated事件

问题描述

我要执行的操作是在身份验证后添加声明。以下注册OnTokenValidation事件的示例无法解决问题。该事件永远不会触发。

我正在使用Microsoft.Identity.Web在Azure AD B2C上进行身份验证。那部分有效！如何使用AddMicrosoftIdentityWebAppAuthentication注册事件？

services.AddMicrosoftIdentityWebAppAuthentication(Configuration,"AzureAdB2C")
    .EnabletokenAcquisitionToCallDownstreamApi(new string[] {Configuration["DemoApi:ServiceScope"]})
    .AddInMemoryTokenCaches();

services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme,options =>
{
    options.Events = new OpenIdConnectEvents
    {
        OnTokenValidated = ctx =>
        {
            //query groups with graph api to get the role

            // add claims
            var claims = new List<Claim>
            {
                new Claim(ClaimTypes.Role,"superadmin")
            };
            var appIdentity = new ClaimsIdentity(claims);
            ctx.Principal.AddIdentity(appIdentity);
            return Task.CompletedTask;
        },};
});

解决方法

使用MicrosoftIdentityOptions：

services.Configure<MicrosoftIdentityOptions>(options =>
{
   options.Events = new OpenIdConnectEvents
   {
      OnTokenValidated = async ctx =>
      { 
         //add claims
         var scopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

         var clientApp = ConfidentialClientApplicationBuilder
                .Create(Configuration["AzureAD:ClientId"])
                .WithTenantId(Configuration["AzureAD:TenantId"])
                .WithClientSecret(Configuration["AzureAD:ClientSecret"])
                .Build();
         var authResult = await clientApp
                .AcquireTokenOnBehalfOf(scopes,new UserAssertion(ctx.SecurityToken.RawData))
                .ExecuteAsync().ConfigureAwait(false);

         var graphClient = new GraphServiceClient(Configuration["DownstreamApi:BaseUrl"],new DelegateAuthenticationProvider(
                requestMessage =>
                {
                    requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer",authResult.AccessToken);
                    return Task.CompletedTask;
                }));
         var identity = new ClaimsIdentity();
            //https://graph.microsoft.com/1.0/me/transitiveMemberOf/microsoft.graph.group?$count=true&$select=displayName
         var groups = await graphClient.Me.TransitiveMemberOf.Request().Select("displayName").GetAsync().ConfigureAwait(false);
         while (groups != null && groups.Count > 0)
         {
             foreach (var g in groups)
             {
                 if (!(g is Group groupItem)) continue;
                 identity.AddClaim(new Claim(ClaimTypes.Role,groupItem.DisplayName));
             }
             if (groups.NextPageRequest != null)
                 groups = await groups.NextPageRequest.GetAsync().ConfigureAwait(false);
             else
                 break;
         }
         ctx.Principal.AddIdentity(identity);
      }
   };
});
services.AddMicrosoftIdentityWebAppAuthentication(Configuration);

.net-core-3.1 azure-ad-b2c claims roles