我正在尝试根据此文档https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/azure-active-directory-groups-and-roles?view=aspnetcore-3.1#user-defined-roles根据用户定义的角色设置AAD授权，我可以在应用清单中对其进行设置，并使API授权正常工作。但是，当我尝试在UI端执行此操作时，我无法获得声明。我做了json解释类（DirectoryObjects，CustomUserAccount和Value（由目录对象使用））。我还添加了CustomUserFactory来删除组内容，因为我只关心角色：

        private readonly ILogger<CustomUserFactory> _logger;
        private readonly IHttpClientFactory _clientFactory;

        public CustomUserFactory(IAccessTokenProviderAccessor accessor,IHttpClientFactory clientFactory,ILogger<CustomUserFactory> logger)
            : base(accessor)
        {
            _clientFactory = clientFactory;
            _logger = logger;
        }

        public async override ValueTask<ClaimsPrincipal> CreateUserAsync(
            CustomUserAccount account,RemoteAuthenticationUserOptions options)
        {
            var initialUser = await base.CreateUserAsync(account,options);

            if (initialUser.Identity.IsAuthenticated)
            {
                var userIdentity = (ClaimsIdentity)initialUser.Identity;

                foreach (var role in account.Roles)
                {
                    userIdentity.AddClaim(new Claim("role",role));
                }

                
            }

            return initialUser;
        }

然后我将program.cs修改为提到的文档：

    builder.Services.AddMsalAuthentication<RemoteAuthenticationState,CustomUserAccount>(options =>
    {
        builder.Configuration.Bind("AzureAd",options.ProviderOptions.Authentication);
        options.ProviderOptions.DefaultAccessTokenScopes.Add("apiaccessguid");
        options.UserOptions.RoleClaim = "role";
    }).AddAccountClaimsPrincipalFactory<RemoteAuthenticationState,CustomUserAccount,CustomUserFactory>();

当这种方法不起作用时，我也尝试将其添加为一项没有运气的政策：

 builder.Services.AddAuthorizationCore(options =>
    {
        options.AddPolicy("Admin",policy =>
            policy.RequireClaim("role","admin"));
    });

用于限制我在user.IsInRole("admin")的代码中和在UI的

<AuthorizeView Roles="admin">
    <li class="nav-item px-3">
        <NavLink class="nav-link" href="Admin">
            Admin
        </NavLink>
    </li>
</AuthorizeView>

并附有政策：

<AuthorizeView Policy="Admin">
    <Authorized>
        <p>
            The user is in the 'Administrator' AAD Administrative Role
            and can see this content.
        </p>
    </Authorized>
    <NotAuthorized>
        <p>
            The user is NOT in the 'Administrator' role and sees this
            content.
        </p>
    </NotAuthorized>
</AuthorizeView>

，但没有一个起作用。我有什么想念的吗？我还验证了令牌具有管理员角色。

解决方法

"appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],"description": "Reader role.","displayName": "Reader","id": "41d9ba42-456e-4471-8946-24216e5f6c64","isEnabled": true,"lang": null,"origin": "Application","value": "Reader"
    }
]

builder.Services.AddAuthorizationCore(options =>
{
    options.AddPolicy("app-reader",policy => policy.RequireRole("Reader"));
});

<AuthorizeView Policy="app-reader">
    <Authorized>
        <p>
            The user is in the 'Reader' Role
            and can see this content.
        </p>
    </Authorized>
    <NotAuthorized>
        <p>
            The user is NOT in the 'Reader' role 
            and sees this content.
        </p>
    </NotAuthorized>
</AuthorizeView>

@attribute [Authorize(Policy = "app-reader")]