Question

我的公司ADFS支持的令牌服务保护了一个网站和API。我需要使用C＃控制台应用程序来访问API上的端点。我发现缺乏使用C＃代码访问STS安全网站的资源。它使用ADFS 3.0。

当我使用HttpClient（或类似的）命中端点时，我会收到一个HTML表单。

我的代码：

Uri baseAddress = new Uri("http://localhost:64022");

using (HttpClient client = new HttpClient() { BaseAddress = baseAddress })
{
    HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, "#");
    HttpResponseMessage response = client.SendAsync(request).Result;

    var encoding = ASCIIEncoding.ASCII;
    using (var reader = new System.IO.StreamReader(response.Content.ReadAsStreamAsync().Result, encoding))
    {
        string responseText = reader.ReadToEnd();
    }
}

我的应用程序的web.config文件中的设置是：

<system.identityModel.services>
    <federationConfiguration>
        <cookieHandler requireSsl="false" persistentSessionLifetime="1.0:0:0" />
        <wsFederation persistentCookiesOnPassiveRedirects="true" passiveRedirectEnabled="true" issuer="https://sts.company.com/adfs/ls/" realm="http://myapp.company.com/" requireHttps="false" />
    </federationConfiguration>
</system.identityModel.services>
<system.identityModel>
    <identityConfiguration>
        <audienceUris>
            <add value="http://myapp.company.com/" />
        </audienceUris>
        <issuerNameRegistry>
            <trustedIssuers>
                <add thumbprint="0000000000000000000000000000000000000000" name="https://sts.company.com/adfs/services/trust" />
            </trustedIssuers>
        </issuerNameRegistry>
    </identityConfiguration>
</system.identityModel>

我不确定各种条款会是什么。我的远程地址是什么？我的客户ID？指纹是什么？

Answer 1

我想出了如何实现这一目标。我不能肯定地说这是否是最好的实现，但它对我有用。

类ADFS令牌提供程序

public class ADFSUsernameMixedTokenProvider
{
    private readonly Uri adfsUserNameMixedEndpoint;

    /// <summary>
    /// Initializes a new instance of the <see cref="ADFSUsernameMixedTokenProvider"/> class
    /// </summary>
    /// <param name="adfsUserNameMixedEndpoint">i.e. https://adfs.mycompany.com/adfs/services/trust/13/usernamemixed </param>
    public ADFSUsernameMixedTokenProvider(Uri adfsUserNameMixedEndpoint)
    {
        this.adfsUserNameMixedEndpoint = adfsUserNameMixedEndpoint;
    }

    /// <summary>
    /// Requests a security token from the ADFS server
    /// </summary>
    /// <param name="username">The username</param>
    /// <param name="password">The password</param>
    /// <param name="endpoint">The ADFS endpoint</param>
    /// <returns></returns>
    public GenericXmlSecurityToken RequestToken(string username, SecureString password, string endpoint)
    {
        WSTrustChannelFactory factory = new WSTrustChannelFactory(
                new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
                 new EndpointAddress(adfsUserNameMixedEndpoint));

        factory.TrustVersion = TrustVersion.WSTrust13;

        factory.Credentials.UserName.UserName = username;
        factory.Credentials.UserName.Password = new System.Net.NetworkCredential(string.Empty, password).Password;

        RequestSecurityToken token = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(endpoint),
            KeyType = KeyTypes.Bearer
        };

        IWSTrustChannelContract channel = factory.CreateChannel();

        return channel.Issue(token) as GenericXmlSecurityToken;
    }
}

班级认证

public class Authentication
{
    private GenericXmlSecurityToken token;
    private string site = "https://my.site.com"
    private string appliesTo = "http://my.site.com"
    private string authUsernameEndpoint = "https://sts-prod.site.com/adfs/services/trust/13/usernamemixed";

    public Authentication(PSCredential credential)
    {
        ADFSUsernameMixedTokenProvider tokenProvider = new ADFSUsernameMixedTokenProvider(new Uri(authUsernameEndpoint));
        token = tokenProvider.RequestToken(credential.UserName, credential.Password, appliesTo);
    }

    public CookieContainer GetFedAuthCookies()
    {
        string prepareToken = WrapInSoapMessage(token, appliesTo);
        string samlServer = site.EndsWith("/") ? site : site + "/";
        string stringData = $"wa=wsignin1.0&wresult={HttpUtility.UrlEncode(prepareToken)}&wctx={HttpUtility.UrlEncode("rm=1&id=passive&ru=%2f")}";

        CookieContainer cookies = new CookieContainer();
        HttpWebRequest request = WebRequest.Create(samlServer) as HttpWebRequest;
        request.Method = "POST";
        request.ContentType = "application/x-www-form-urlencoded";
        request.CookieContainer = cookies;
        request.AllowAutoRedirect = false;
        byte[] data = Encoding.UTF8.GetBytes(stringData);
        request.ContentLength = data.Length;

        using (Stream stream = request.GetRequestStream())
        {
            stream.Write(data, 0, data.Length);
        }

        using (HttpWebResponse response = request.GetResponse() as HttpWebResponse)
        {
            using (Stream stream = response.GetResponseStream())
            {
                using (StreamReader reader = new StreamReader(stream))
                {
                    string responseFromServer = reader.ReadToEnd();
                }
            }
        }

        return cookies;
    }

    private string WrapInSoapMessage(GenericXmlSecurityToken token, string site)
    {
        string validFrom = token.ValidFrom.ToString("o");
        string validTo = token.ValidTo.ToString("o");
        string securityToken = token.TokenXml.OuterXml;
        string soapTemplate = @"<t:RequestSecurityTokenResponse xmlns:t=""http://schemas.xmlsoap.org/ws/2005/02/trust""><t:Lifetime><wsu:Created xmlns:wsu=""http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"">{0}</wsu:Created><wsu:Expires xmlns:wsu=""http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"">{1}</wsu:Expires></t:Lifetime><wsp:AppliesTo xmlns:wsp=""http://schemas.xmlsoap.org/ws/2004/09/policy""><wsa:EndpointReference xmlns:wsa=""http://www.w3.org/2005/08/addressing""><wsa:Address>{2}</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><t:RequestedSecurityToken>{3}</t:RequestedSecurityToken><t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType><t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType><t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType></t:RequestSecurityTokenResponse>";

        return string.Format(soapTemplate, validFrom, validTo, site, securityToken);
    }
}

用法

Authentication auth = new Authentication(credential);
CookieContainer container = auth.GetFedAuthCookies();
HttpWebRequest request = WebRequest.Create("https://api.my.site.com/") as HttpWebRequest;

request.Method = method;
request.ContentType = "application/json";
request.CookieContainer = cookieContainer;
request.AllowAutoRedirect = false;

using (WebResponse response = request.GetResponse())
{
    using (Stream dataStream = response.GetResponseStream())
    {
        using (StreamReader reader = new StreamReader(dataStream))
        {
            return JsonConvert.DeserializeObject<dynamic>(reader.ReadToEnd());
        }
    }
}

我在PowerShell cmdlet中使用它，这是PSCredential对象的来源。我希望这有助于某人想要从C＃控制台应用程序使用ADFS 3.0进行身份验证 - 这比我想承认的时间更长。

Answer 2

您正在处理哪个版本的ADFS？基于版本，这些是Web API支持的最佳选择

ADFS 2.0：在这种情况下，Web API的最佳模式是使用WS-Trust和WS- *与SOAP上的API交互。
ADFS 2012R2（或3.0）：您可以使用OAuth，这可能是您最好的选择。我们对使用授权许可配置文件构建移动应用程序的支持有限。有关示例的其他信息，请参阅https://msdn.microsoft.com/en-us/library/dn633593.aspx。
ADFS 2016（或4.0）：您拥有完整的OAuth / OpenID Connect，支持Web API，Web应用，多层，单页应用开发模式。有关模式，请参阅https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/ad-fs-development。

希望这会有所帮助。

谢谢//山姆

（Twitter：@MADADFS）

带控制台应用程序的ADFS STS身份验证

2 个答案: