c# – 使用Authentication.AzureAD.UI库时实现OpenIdConnectOpti
我一直在使用我从样本创建的库,允许我使用Azure Active Directory验证.NET核心Web应用程序,并利用各种OpenIdConnectOptions事件(例如OnTokenValidated)向主体添加某些声明以及添加该数据到类似身份的数据库,以便API可以根据其令牌对调用者进行基于策略的确定.
但我宁愿使用Microsoft.AspNetCore.Authentication.AzureAD.UI NuGet包而不是我的自定义变体,我只是不确定如何进入并访问OpenIdConnectOptions上的事件. 我不知道它是不是可以做的事情,或者我只是没有足够的依赖注入处理来弄清楚如何做到这一点. 或者我应该考虑在流程的不同部分添加索赔等? public static AuthenticationBuilder AddAzureAD( this AuthenticationBuilder builder,string scheme,string openIdConnectScheme,string cookieScheme,string displayName,Action<AzureADOptions> configureOptions) { AddAdditionalMvcApplicationParts(builder.Services); builder.AddPolicyScheme(scheme,displayName,o => { o.ForwardDefault = cookieScheme; o.ForwardChallenge = openIdConnectScheme; }); builder.Services.Configure( TryAddOpenIDCookieSchemeMappings(scheme,openIdConnectScheme,cookieScheme)); builder.Services.TryAddSingleton<IConfigureOptions<AzureADOptions>,AzureADOptionsConfiguration>(); // They put in their custom OpenIdConnect configuration,but I can't see how to get at the events. builder.Services.TryAddSingleton<IConfigureOptions<OpenIdConnectOptions>,OpenIdConnectOptionsConfiguration>(); builder.Services.TryAddSingleton<IConfigureOptions<CookieAuthenticationOptions>,CookieOptionsConfiguration>(); builder.Services.Configure(scheme,configureOptions); builder.AddOpenIdConnect(openIdConnectScheme,null,o => { }); builder.AddCookie(cookieScheme,o => { }); return builder; } 解决方法
我在这里可能会迟到一点,但我遇到了同样的问题,发现AzureAD身份验证中间件的记录很少.在这里添加解决方案,为其他人在同一个问题上挣扎.
正如您在问题的代码片段底部所看到的,AzureAD提供程序实际上依赖于OpenIdConnect和Cookie auth提供程序,并且本身不实现任何身份验证逻辑. 为此,添加了两个额外的身份验证方案,分别使用定义为AzureADDefaults.OpenIdScheme和AzureADDefaults.CookieScheme的名称. (虽然使用AddAzureAD时也可以自定义名称(此Microsoft.AspNetCore.Authentication.AuthenticationBuilder构建器,字符串方案,字符串openIdConnectScheme,字符串cookieScheme,字符串displayName,操作< Microsoft.AspNetCore.Authentication.AzureAD.UI.AzureADOptions> configureOptions )超载). 反过来,它允许使用上面的方案名称配置有效的OpenIdConnectOptions和CookieAuthenticationOptions,包括访问OpenIdConnectEvents. 看到这个完整的例子: services.AddAuthentication(AzureADDefaults.AuthenticationScheme) .AddAzureAD(options => Configuration.Bind("AzureAd",options)); services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme,options => { options.Events = new OpenIdConnectEvents { OnRedirectToIdentityProvider = async ctxt => { // Invoked before redirecting to the identity provider to authenticate. This can be used to set ProtocolMessage.State // that will be persisted through the authentication process. The ProtocolMessage can also be used to add or customize // parameters sent to the identity provider. await Task.Yield(); },OnMessageReceived = async ctxt => { // Invoked when a protocol message is first received. await Task.Yield(); },OnTicketReceived = async ctxt => { // Invoked after the remote ticket has been received. // Can be used to modify the Principal before it is passed to the Cookie scheme for sign-in. // This example removes all 'groups' claims from the Principal (assuming the AAD app has been configured // with "groupMembershipClaims": "SecurityGroup"). Group memberships can be checked here and turned into // roles,to be persisted in the cookie. if (ctxt.Principal.Identity is ClaimsIdentity identity) { ctxt.Principal.FindAll(x => x.Type == "groups") .ToList() .ForEach(identity.RemoveClaim); } await Task.Yield(); },}; }); services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme,options => { options.Events = new CookieAuthenticationEvents { // ... }; }); (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |