c# – Implementing OpenIdConnectOpti events when using the Authentication.AzureAD.UI library

Published: 2020-12-15 22:52:18  Category: Encyclopedia  Source: compiled from the web

I have been using a library I created from samples that lets me authenticate a .NET Core web application with Azure Active Directory and use the various OpenIdConnectOptions events (e.g. OnTokenValidated) to add certain claims to the principal, as well as add that data to an identity-like database, so that the API can make policy-based determinations about the caller based on its token.

But I would rather use the Microsoft.AspNetCore.Authentication.AzureAD.UI NuGet package instead of my custom variant; I'm just not sure how to get in and access the events on OpenIdConnectOptions.

I don't know whether it is something that can be done, or whether I just don't have a good enough handle on dependency injection to figure out how to do it.

Or should I be looking at adding claims etc. in a different part of the flow?

public static AuthenticationBuilder AddAzureAD(
    this AuthenticationBuilder builder, string scheme, string openIdConnectScheme,
    string cookieScheme, string displayName, Action<AzureADOptions> configureOptions) {

    AddAdditionalMvcApplicationParts(builder.Services);
    builder.AddPolicyScheme(scheme, displayName, o => {
        o.ForwardDefault = cookieScheme;
        o.ForwardChallenge = openIdConnectScheme;
    });

    builder.Services.Configure(
        TryAddOpenIDCookieSchemeMappings(scheme, openIdConnectScheme, cookieScheme));

    builder.Services.TryAddSingleton<IConfigureOptions<AzureADOptions>, AzureADOptionsConfiguration>();

    // They put in their custom OpenIdConnect configuration, but I can't see how to get at the events.
    builder.Services.TryAddSingleton<IConfigureOptions<OpenIdConnectOptions>, OpenIdConnectOptionsConfiguration>();

    builder.Services.TryAddSingleton<IConfigureOptions<CookieAuthenticationOptions>, CookieOptionsConfiguration>();

    builder.Services.Configure(scheme, configureOptions);

    builder.AddOpenIdConnect(openIdConnectScheme, null, o => { });
    builder.AddCookie(cookieScheme, o => { });

    return builder;
}

Solution

I may be a little late here, but I ran into the same problem and found that the AzureAD authentication middleware is poorly documented. Adding the solution here for anyone else struggling with the same problem.

As you can see at the bottom of the code snippet in the question, the AzureAD provider actually relies on the OpenIdConnect and Cookie auth providers and does not implement any authentication logic itself.

To that end, two additional authentication schemes are added, using the names defined as AzureADDefaults.OpenIdScheme and AzureADDefaults.CookieScheme respectively.

(Although the names can also be customized by using the AddAzureAD(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder builder, string scheme, string openIdConnectScheme, string cookieScheme, string displayName, Action<Microsoft.AspNetCore.Authentication.AzureAD.UI.AzureADOptions> configureOptions) overload.)

This in turn allows configuring the effective OpenIdConnectOptions and CookieAuthenticationOptions using the scheme names above, including access to the OpenIdConnectEvents.

See this complete example:

// Inside Startup.ConfigureServices. Requires: using System.Linq; using System.Security.Claims;
// using Microsoft.AspNetCore.Authentication.AzureAD.UI; using Microsoft.AspNetCore.Authentication.Cookies;
// using Microsoft.AspNetCore.Authentication.OpenIdConnect;
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(options => Configuration.Bind("AzureAd", options));

services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
    options.Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = async ctxt =>
        {
            // Invoked before redirecting to the identity provider to authenticate. This can be used to set ProtocolMessage.State
            // that will be persisted through the authentication process. The ProtocolMessage can also be used to add or customize
            // parameters sent to the identity provider.
            await Task.Yield();
        },
        OnMessageReceived = async ctxt =>
        {
            // Invoked when a protocol message is first received.
            await Task.Yield();
        },
        OnTicketReceived = async ctxt =>
        {
            // Invoked after the remote ticket has been received.
            // Can be used to modify the Principal before it is passed to the Cookie scheme for sign-in.
            // This example removes all 'groups' claims from the Principal (assuming the AAD app has been configured
            // with "groupMembershipClaims": "SecurityGroup"). Group memberships can be checked here and turned into
            // roles, to be persisted in the cookie.
            if (ctxt.Principal.Identity is ClaimsIdentity identity)
            {
                ctxt.Principal.FindAll(x => x.Type == "groups")
                    .ToList()
                    .ForEach(identity.RemoveClaim);
            }
            await Task.Yield();
        }
    };
});

services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
{
    options.Events = new CookieAuthenticationEvents
    {
        // ...
    };
});
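What the question was after, built on the scheme wiring the answer shows: an OnTokenValidated handler on the AzureADDefaults.OpenIdScheme options that resolves an application service from the request's DI scope and turns the caller's AAD identity into application role claims before the cookie is issued. This is an added example, not code from the question, the answer or the AzureAD.UI library; IUserRoleStore, the "AzureAd" configuration section name and the group-to-role semantics are assumptions.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
// Hypothetical application service (not part of the library): maps an AAD user to app roles.
public interface IUserRoleStore
{
    Task<string[]> GetRolesAsync(string objectId, string[] groupIds);
}
public static class AzureAdEventWiring
{
    // AAD's "oid" claim after the JWT handler's default inbound claim-type mapping.
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    public static IServiceCollection AddAzureAdWithRoleMapping(
        this IServiceCollection services, IConfiguration configuration)
    {
        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => configuration.Bind("AzureAd", options));
        // Registered after AddAzureAD on purpose: IConfigureOptions run in registration order,
        // so the library's own OpenIdConnectOptionsConfiguration has already applied.
        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
        {
            // Set the one handler needed instead of replacing options.Events, so handlers already
            // on that instance survive. OnTokenValidated runs after signature/issuer/audience checks.
            options.Events.OnTokenValidated = async ctx =>
            {
                var identity = (ClaimsIdentity)ctx.Principal.Identity;
                var oid = identity.FindFirst(ObjectIdClaim)?.Value ?? identity.FindFirst("oid")?.Value;
                if (string.IsNullOrEmpty(oid))
                {
                    ctx.Fail("id_token carries no object identifier claim"); // reject, do not map
                    return;
                }
                // Group ids are input to the lookup only; roles come from the app's own store,
                // resolved from the request scope so scoped services (e.g. a DbContext) work.
                var groupIds = identity.FindAll("groups").Select(c => c.Value).ToArray();
                var store = ctx.HttpContext.RequestServices.GetRequiredService<IUserRoleStore>();
                foreach (var role in await store.GetRolesAsync(oid, groupIds))
                    identity.AddClaim(new Claim(identity.RoleClaimType, role));
                // Drop the raw group claims so the cookie carries only application roles.
                identity.FindAll("groups").ToList().ForEach(identity.RemoveClaim);
            };
        });
        return services;
    }
}
```

Policies can then use `RequireRole(...)` against the role claims written here, and a user's access is revoked by changing the store rather than by editing the AAD app.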

(Editor: Li Datong)
