How to make [Authorize] trigger openId middleware
I'm trying out some of the features of ASP.NET 5, but I'm having some difficulty with authentication. I've managed to use most of this sample application to connect to my Azure AD for sign-in, but I can't figure out how to restrict certain parts of my web application to authenticated users only. The article accompanying the sample application I'm using states:
You can trigger the middleware to send an OpenID Connect sign-in request by decorating a class or method with the [Authorize] attribute, or by issuing a challenge
Since I want to avoid repeating the same challenge code everywhere, I went with the attribute approach, but it doesn't work at all. All it seems to do is block access for unauthorized users, rather than redirecting to the login page the way the challenge does.
Because I want the application I'm building to be more private than public, I also tried creating a global policy and opening up a few select features with the AllowAnonymous attribute. This works, but again the unauthorized pages simply come up blank instead of issuing a challenge.
Here is the policy code I'm currently using, taken from here:
var policy = new AuthorizationPolicyBuilder()
//This is what makes it function like the basic [Authorize] attribute
.RequireAuthenticatedUser()
.Build();
services.Configure<MvcOptions>(options =>
{
options.Filters.Add(new AuthorizeFilter(policy));
});
Am I missing some setting on the authorize attribute, or on the policy, that issues the challenge?
For posterity, and most likely for my future self:
I was missing the AutomaticAuthentication property on the OpenIdConnectOptions. The sample application sets things up like this:
// Configure the OWIN Pipeline to use Cookie Authentication
app.UseCookieAuthentication(options =>
{
// By default, all middleware are passive/not automatic. Making cookie middleware automatic so that it acts on all the messages.
options.AutomaticAuthentication = true;
});
// Configure the OWIN Pipeline to use OpenId Connect Authentication
app.UseOpenIdConnectAuthentication(options =>
{
options.ClientId = Configuration.Get("AzureAd:ClientId");
options.Authority = String.Format(Configuration.Get("AzureAd:AadInstance"), Configuration.Get("AzureAd:Tenant"));
options.PostLogoutRedirectUri = Configuration.Get("AzureAd:PostLogoutRedirectUri");
options.Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
};
});
To get everything working I had to make a small adjustment so that it looks like this:
app.UseCookieAuthentication(options => { options.AutomaticAuthentication = true; });
// Configure the OWIN Pipeline to use OpenId Connect Authentication
app.UseOpenIdConnectAuthentication(options =>
{
options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.ClientId = Configuration.Get("AzureAd:ClientId");
options.Authority = String.Format(Configuration.Get("AzureAd:AadInstance"), Configuration.Get("AzureAd:Tenant"));
options.PostLogoutRedirectUri = Configuration.Get("AzureAd:PostLogoutRedirectUri");
options.Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
};
options.AutomaticAuthentication = true;
});