I ended up just writing a simple attribute to handle it. I couldn't find anything in the framework right out of the box without a bunch of extra config. Listed below.

我最终只是编写了一个简单的属性来处理它。如果没有一堆额外的配置，我在框架中找不到任何开箱即用的东西。下面列出。

public class ClaimsAuthorizeAttribute : AuthorizeAttribute
{
    private string claimType;
    private string claimValue;
    public ClaimsAuthorizeAttribute(string type, string value)
    {
        this.claimType = type;
        this.claimValue = value;
    }
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User as ClaimsPrincipal;
        if (user != null && user.HasClaim(claimType, claimValue))
        {
            base.OnAuthorization(filterContext);
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

Of course, you could remove the type and value params if you were happy to use the controller-action-verb triplet for claims somehow.

当然，如果您乐于以某种方式使用控制器-动作-动词三元组进行声明，您可以删除类型和值参数。

1. You wouldn't check for claims specifically, but rather for action/resource pairs. Factor out the actual claims / data checks into an authorization manager. Separation of concerns.
2. MVC and ClaimsPrincipalPermission is not a good match. It throws a SecurityException and is not unit testing friendly.

1. 您不会专门检查声明，而是检查操作/资源对。将实际声明/数据检查分解到授权管理器中。关注点分离。
2. MVC 和 ClaimsPrincipalPermission 不是很好的匹配。它抛出一个 SecurityException 并且不是单元测试友好的。

My version is here: http://leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/

我的版本在这里：http: //leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/

I found that you can still use the Authorization attribute with roles and users, with claims.
For this to work, your ClaimsIdentity have to include 2 specific claim types:

我发现您仍然可以将 Authorization 属性用于角色和用户以及声明。
为此，您的 ClaimsIdentity 必须包含 2 种特定的声明类型：

    ClaimTypes.Name

and

和

    ClaimTypes.Role

Then in your class derived from OAuthAuthorizationServerProvider, in the GrantXX methods you use, when you create your ClaimsIdentity, add these 2 claims.

然后在从 OAuthAuthorizationServerProvider 派生的类中，在您使用的 GrantXX 方法中，当您创建 ClaimsIdentity 时，添加这 2 个声明。

Example:

例子：

    var oAuthIdentity = new ClaimsIdentity(new[]
    {
        new Claim(ClaimTypes.Name, context.ClientId),
        new Claim(ClaimTypes.Role, "Admin"),
    }, OAuthDefaults.AuthenticationType);

Then on any action you can use [Authorize(Roles ="Admin")]to restrict access.

然后在您可以[Authorize(Roles ="Admin")]用来限制访问的任何操作上。

In ASP.NET Core 3, you can configure security policies like this:

在 ASP.NET Core 3 中，您可以像这样配置安全策略：

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    services.AddAuthorization(options =>
    {
        options.AddPolicy("EmployeeOnly", policy => policy.RequireClaim("EmployeeNumber"));
    });
}

then use AuthorizeAttribute to require the user meet the requirements of a specific policy (in other words, meet the claim backing that policy).

然后使用 AuthorizeAttribute 要求用户满足特定策略的要求（换句话说，满足支持该策略的声明）。

[Authorize(Policy = "EmployeeOnly")]
public IActionResult VacationBalance()
{
    return View();
}

Source.

来源。

[ClaimsPrincipalPermission(SecurityAction.Demand, Operation="Delete", Resource="Customer")]
public ActionResult Delete(int id)
{
    _customer.Delete(id);
    return RedirectToAction("CustomerList");
}

ClaimsPrincipalPermissionAttribute Class

ClaimsPrincipalPermissionAttribute 类