How to make [Authorize] trigger openId middleware


I am trying out some of the features of ASP.NET 5, but I'm having some difficulty with authentication. I have managed to use most of this sample application to connect to my Azure AD for sign-in, but I can't figure out how to restrict certain parts of my web application to authenticated users only. The article that accompanies the sample application I'm using states

You can trigger the middleware to send an OpenID Connect sign-in request by decorating a class or method with the [Authorize] attribute, or by issuing a challenge

Because I wanted to avoid repeating the same challenge code everywhere, I chose the attribute approach, but it doesn't work at all. All it seems to do is block access for unauthorized users, rather than redirecting to the login page the way a challenge does.

Because I want the application I'm building to be more private than public, I also tried creating a global policy and using the AllowAnonymous attribute to open up a select few features. This works, but unauthorized pages again simply show up blank instead of issuing a challenge.

This is the policy code I'm currently using, taken from here

    var policy = new AuthorizationPolicyBuilder()
        // This is what makes it function like the basic [Authorize] attribute
        .RequireAuthenticatedUser()
        .Build();

    services.Configure<MvcOptions>(options =>
    {
        options.Filters.Add(new AuthorizeFilter(policy));
    });

Am I missing some setting on the Authorize attribute, or on the policy, that issues the challenge?

For posterity, and very likely my future self:

I was missing the AutomaticAuthentication property in OpenIdConnectOptions. The sample application sets it up like this:

    // Configure the OWIN Pipeline to use Cookie Authentication
    app.UseCookieAuthentication(options =>
    {
        // By default, all middleware are passive/not automatic. Making cookie middleware automatic so that it acts on all the messages.
        options.AutomaticAuthentication = true;
    });

    // Configure the OWIN Pipeline to use OpenId Connect Authentication
    app.UseOpenIdConnectAuthentication(options =>
    {
        options.ClientId = Configuration.Get("AzureAd:ClientId");
        options.Authority = String.Format(Configuration.Get("AzureAd:AadInstance"), Configuration.Get("AzureAd:Tenant"));
        options.PostLogoutRedirectUri = Configuration.Get("AzureAd:PostLogoutRedirectUri");
        options.Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthenticationFailed = OnAuthenticationFailed,
        };
    });

To get everything working, I had to make a few small tweaks so that it looks like this:

    app.UseCookieAuthentication(options => { options.AutomaticAuthentication = true; });
    // Configure the OWIN Pipeline to use OpenId Connect Authentication
    app.UseOpenIdConnectAuthentication(options =>
    {
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.ClientId = Configuration.Get("AzureAd:ClientId");
        options.Authority = String.Format(Configuration.Get("AzureAd:AadInstance"), Configuration.Get("AzureAd:Tenant"));
        options.PostLogoutRedirectUri = Configuration.Get("AzureAd:PostLogoutRedirectUri");
        options.Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthenticationFailed = OnAuthenticationFailed,
        };
        options.AutomaticAuthentication = true;
    });