是否可以(如果是,如何?)配置自托管owin端点以使用A / D的客户端证书映射身份验证? IIS具有此功能link,但到目前为止,我还没有找到自托管端点的等效功能。
我使用它的方式(考虑到这种方法可能不是100%万无一失),使用authenticationSchemeSelectorDelegate和OWIN的组合是一个两步过程。
这将选择适当的AuthenticationScheme(允许包含证书的请求,否则推迟到NTLM身份验证)
public void Configuration(IAppBuilder appBuilder)
{
var listener = (HttpListener)appBuilder.Properties[typeof(HttpListener).FullName];
listener.AuthenticationSchemeSelectorDelegate += AuthenticationSchemeSelectorDelegate;
}
private AuthenticationSchemes AuthenticationSchemeSelectorDelegate(HttpListenerRequest httpRequest)
{
if (!httpRequest.IsSecureConnection) return AuthenticationSchemes.Ntlm;
var clientCert = httpRequest.GetClientCertificate();
if (clientCert == null) return AuthenticationSchemes.Ntlm;
else return AuthenticationSchemes.Anonymous;
}
这将读取证书的内容并相应地填充“server.User”环境变量
public class CertificateAuthenticator
{
readonly Func<IDictionary<string, object>, Task> _appFunc;
public CertificateAuthenticator(Func<IDictionary<string, object>, Task> appFunc)
{
_appFunc = appFunc;
}
public Task Invoke(IDictionary<string, object> environment)
{
// Are we authenticated already (NTLM)
var user = environment["server.User"] as IPrincipal;
if (user != null && user.Identity.IsAuthenticated) return _appFunc.Invoke(environment);
var context = environment["System.Net.HttpListenerContext"] as HttpListenerContext;
if (context == null) return _appFunc.Invoke(environment);
var clientCertificate = context.Request.GetClientCertificate();
// Parse out username from certificate
var identity = new GenericPrincipal
(
new GenericIdentity(username), new string[0]
);
environment["server.User"] = identity;
}
}
没有更好/标准化的方式吗?
答案 0 :(得分:3)
我还没有看到为此构建的任何标准组件。也就是说,应该可以稍微清理一下代码: