ASP.NET 核心中的多重身份验证
Multiple Authentication in ASP.NET Core
我的项目的身份验证(Cookie)设置如下,
// Cookie authentication is the app's default scheme for authenticate, sign-in and
// challenge, so an unauthenticated request is redirected to LoginPath.
var cookieSchemeName = CookieAuthenticationDefaults.AuthenticationScheme;
services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = cookieSchemeName;
        options.DefaultAuthenticateScheme = cookieSchemeName;
        options.DefaultChallengeScheme = cookieSchemeName;
    })
    .AddCookie(options =>
    {
        options.ClaimsIssuer = "xxx.admin";
        options.LoginPath = "/Login/Index/";
        options.AccessDeniedPath = "/Account/Unauthorized/";
        // Not readable from script, which limits what an XSS can do with the session cookie.
        options.Cookie.HttpOnly = true;
        // SameAsRequest marks the cookie Secure only when the request itself arrived over
        // HTTPS; an HTTPS-only deployment would normally use CookieSecurePolicy.Always.
        options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
        // Strict: the browser never attaches the cookie to cross-site requests (CSRF mitigation).
        options.Cookie.SameSite = SameSiteMode.Strict;
    });
我在不同的项目中配置了第二个身份验证选项 (OpenIdConnect),如下所示,
// Razor Pages with a global AuthorizeFilter: every page requires an authenticated user
// unless it opts out with [AllowAnonymous]. AddMicrosoftIdentityUI supplies the
// Azure AD sign-in / sign-out account pages.
services.AddRazorPages()
    .AddMvcOptions(options =>
    {
        var authenticatedOnly = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        options.Filters.Add(new AuthorizeFilter(authenticatedOnly));
    })
    .AddMicrosoftIdentityUI();
// OpenID Connect (Azure AD) through Microsoft.Identity.Web; the options are bound from
// the "AzureActiveDirectoryConnection" configuration section.
services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        Configuration.Bind("AzureActiveDirectoryConnection", options);
        // Keep whatever Events object is already attached and only append our handlers.
        options.Events ??= new OpenIdConnectEvents();
        options.Events.OnTokenValidated += OnTokenValidated;
        options.Events.OnTicketReceived += OnTicketReceived;
        // OnRedirectToIdentityProvider is not wired in this configuration (left commented out).
    });
现在,我需要将它们结合起来以在我的应用程序中支持多种身份验证类型。我该怎么做?
第 1 步:
将兼容的 Microsoft.Identity.Web
和 Microsoft.Identity.Web.UI
NuGet 包添加到您的项目。
第 2 步:
在 .AddCookie(options => ..)
方法调用之后紧接着添加以下几行（去掉 AddCookie 后面的分号：开头的 .Services 是同一调用链的延续，而不是一条新语句）。
// Continues the .AddCookie(...) chain (AuthenticationBuilder.Services) and registers a
// second scheme: OpenID Connect against Azure AD, bound from the
// "AzureActiveDirectoryConnection" section. Its sign-in cookie scheme is "_Cookies",
// a separate cookie from the one configured in AddCookie; the HttpOnly / SecurePolicy /
// SameSite settings made there do not apply to it unless they are configured again
// for "_Cookies". The last argument subscribes the OpenID Connect middleware
// diagnostics events (extra logging) — confirm that is wanted outside development.
.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(
        Configuration.GetSection("AzureActiveDirectoryConnection"),
        openIdConnectScheme: OpenIdConnectDefaults.AuthenticationScheme,
        cookieScheme: "_Cookies",
        subscribeToOpenIdConnectMiddlewareDiagnosticsEvents: true);
// Attach our handlers to the OpenID Connect events; registered after
// AddMicrosoftIdentityWebApp, so it runs after the library's own configuration and
// ??= keeps the Events object the library created.
services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.Events ??= new OpenIdConnectEvents();
    options.Events.OnTokenValidated += OnTokenValidated;
    options.Events.OnTicketReceived += OnTicketReceived;
    options.Events.OnRedirectToIdentityProvider += OnRedirectToIdentityProvider;
});
// Razor Pages plus the Microsoft Identity UI account pages (Azure AD sign-in / sign-out).
// Note: unlike the original setup, no global AuthorizeFilter is added here, so a page
// is reachable anonymously unless it carries [Authorize] (or a FallbackPolicy is set).
services.AddRazorPages().AddMicrosoftIdentityUI();
// Make the default [Authorize] policy aware of both schemes: the authorization
// middleware authenticates the request against the Cookie scheme and the OpenID
// Connect scheme and merges the resulting identities, and RequireAuthenticatedUser
// passes when either one produced an authenticated identity.
services.AddAuthorization(options =>
{
    options.DefaultPolicy = new AuthorizationPolicyBuilder(
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser()
        .Build();
});
简而言之,您在这里添加第二个身份验证选项并指定您需要的事件并绑定来自AppSettings文件的Azure AD clientId,tenantId等,例如:
"AzureActiveDirectoryConnection": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "YourDomainName.onmicrosoft.com",
"TenantId": "YourTenantId",
"ClientId": "YourClientId",
"CallbackPath": "/signin-oidc",
"SignedOutCallbackPath": "/signout-oidc"
}
我的项目的身份验证(Cookie)设置如下,
// Cookie authentication is the app's default scheme for authenticate, sign-in and
// challenge, so an unauthenticated request is redirected to LoginPath.
var cookieSchemeName = CookieAuthenticationDefaults.AuthenticationScheme;
services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = cookieSchemeName;
        options.DefaultAuthenticateScheme = cookieSchemeName;
        options.DefaultChallengeScheme = cookieSchemeName;
    })
    .AddCookie(options =>
    {
        options.ClaimsIssuer = "xxx.admin";
        options.LoginPath = "/Login/Index/";
        options.AccessDeniedPath = "/Account/Unauthorized/";
        // Not readable from script, which limits what an XSS can do with the session cookie.
        options.Cookie.HttpOnly = true;
        // SameAsRequest marks the cookie Secure only when the request itself arrived over
        // HTTPS; an HTTPS-only deployment would normally use CookieSecurePolicy.Always.
        options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
        // Strict: the browser never attaches the cookie to cross-site requests (CSRF mitigation).
        options.Cookie.SameSite = SameSiteMode.Strict;
    });
我在不同的项目中配置了第二个身份验证选项 (OpenIdConnect),如下所示,
// Razor Pages with a global AuthorizeFilter: every page requires an authenticated user
// unless it opts out with [AllowAnonymous]. AddMicrosoftIdentityUI supplies the
// Azure AD sign-in / sign-out account pages.
services.AddRazorPages()
    .AddMvcOptions(options =>
    {
        var authenticatedOnly = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        options.Filters.Add(new AuthorizeFilter(authenticatedOnly));
    })
    .AddMicrosoftIdentityUI();
// OpenID Connect (Azure AD) through Microsoft.Identity.Web; the options are bound from
// the "AzureActiveDirectoryConnection" configuration section.
services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        Configuration.Bind("AzureActiveDirectoryConnection", options);
        // Keep whatever Events object is already attached and only append our handlers.
        options.Events ??= new OpenIdConnectEvents();
        options.Events.OnTokenValidated += OnTokenValidated;
        options.Events.OnTicketReceived += OnTicketReceived;
        // OnRedirectToIdentityProvider is not wired in this configuration (left commented out).
    });
现在,我需要将它们结合起来以在我的应用程序中支持多种身份验证类型。我该怎么做?
第 1 步:
将兼容的 Microsoft.Identity.Web
和 Microsoft.Identity.Web.UI
NuGet 包添加到您的项目。
第 2 步:
在 .AddCookie(options => ..)
方法调用之后紧接着添加以下几行（去掉 AddCookie 后面的分号：开头的 .Services 是同一调用链的延续，而不是一条新语句）。
// Continues the .AddCookie(...) chain (AuthenticationBuilder.Services) and registers a
// second scheme: OpenID Connect against Azure AD, bound from the
// "AzureActiveDirectoryConnection" section. Its sign-in cookie scheme is "_Cookies",
// a separate cookie from the one configured in AddCookie; the HttpOnly / SecurePolicy /
// SameSite settings made there do not apply to it unless they are configured again
// for "_Cookies". The last argument subscribes the OpenID Connect middleware
// diagnostics events (extra logging) — confirm that is wanted outside development.
.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(
        Configuration.GetSection("AzureActiveDirectoryConnection"),
        openIdConnectScheme: OpenIdConnectDefaults.AuthenticationScheme,
        cookieScheme: "_Cookies",
        subscribeToOpenIdConnectMiddlewareDiagnosticsEvents: true);
// Attach our handlers to the OpenID Connect events; registered after
// AddMicrosoftIdentityWebApp, so it runs after the library's own configuration and
// ??= keeps the Events object the library created.
services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.Events ??= new OpenIdConnectEvents();
    options.Events.OnTokenValidated += OnTokenValidated;
    options.Events.OnTicketReceived += OnTicketReceived;
    options.Events.OnRedirectToIdentityProvider += OnRedirectToIdentityProvider;
});
// Razor Pages plus the Microsoft Identity UI account pages (Azure AD sign-in / sign-out).
// Note: unlike the original setup, no global AuthorizeFilter is added here, so a page
// is reachable anonymously unless it carries [Authorize] (or a FallbackPolicy is set).
services.AddRazorPages().AddMicrosoftIdentityUI();
// Make the default [Authorize] policy aware of both schemes: the authorization
// middleware authenticates the request against the Cookie scheme and the OpenID
// Connect scheme and merges the resulting identities, and RequireAuthenticatedUser
// passes when either one produced an authenticated identity.
services.AddAuthorization(options =>
{
    options.DefaultPolicy = new AuthorizationPolicyBuilder(
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser()
        .Build();
});
简而言之,您在这里添加第二个身份验证选项并指定您需要的事件并绑定来自AppSettings文件的Azure AD clientId,tenantId等,例如:
"AzureActiveDirectoryConnection": {
"Instance": "https://login.microsoftonline.com/",
"Domain": "YourDomainName.onmicrosoft.com",
"TenantId": "YourTenantId",
"ClientId": "YourClientId",
"CallbackPath": "/signin-oidc",
"SignedOutCallbackPath": "/signout-oidc"
}