OpenId Connect Owin Middleware与Orchard CMS 1.9.2

时间:2015-10-27 13:11:27

标签: openid orchardcms owin

我正在尝试接管Orchard管理员身份验证流程,并将其替换为使用Azure AD的OpenId Connect(用于SSO目的)。用户通过OpenId进行身份验证后,我想让用户签到Orchard使用Orchard的角色进行授权。

这是我到目前为止的代码

OwinMiddlewareProvider:

public class OpenIdConnectMiddleware : IOwinMiddlewareProvider
{
    public IEnumerable<OwinMiddlewareRegistration> GetOwinMiddlewares()
    {
        return new[]
        {
            new OwinMiddlewareRegistration
            {
                Priority = "1",

                Configure = app => {
                    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

                    app.UseCookieAuthentication(new CookieAuthenticationOptions());

                    app.UseOpenIdConnectAuthentication(
                        new OpenIdConnectAuthenticationOptions
                        {
                            ClientId = "<My Client Id>",
                            Authority = "<My Authority>",
                            RedirectUri = "https://localhost:44357/"
                        });
                }
            }
        };
    }
}

我接管默认访问被拒绝路线的路线:

new RouteDescriptor {
    Priority = 1,
    Route = new Route(
        "Users/Account/AccessDenied",
        new RouteValueDictionary {
                                {"area", "BCS.Authentication"},
                                {"controller", "Account"},
                                {"action", "LogOn"}
        },
        new RouteValueDictionary (),
        new RouteValueDictionary {
                                {"area", "BCS.Authentication"}
        },
        new MvcRouteHandler())
    }

最后,我的AccountController具有以下内容:

public ActionResult LogOn(string returnUrl)
{
    if (!Request.IsAuthenticated)
    {
        HttpContext.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = string.IsNullOrEmpty(returnUrl) ? "/" : returnUrl },
            OpenIdConnectAuthenticationDefaults.AuthenticationType);

        return new EmptyResult();
    }

    var currentUser = _authenticationService.GetAuthenticatedUser();

    if (currentUser == null)
    {
        // temporary, just for testing purposes
        var user = _membershipService.GetUser("douwinga");
        _authenticationService.SignIn(user, false);
    }

    return new RedirectResult(returnUrl);
}

使用此代码导航到https://localhost:44357/admin Request.IsAuthenticated为false,因此它将我带到ADFS登录页面。登录后,我回到了LogOn操作,Request.IsAuthenticated现在是真的。然后它尝试使用authenticationService来查看我是否通过Orchard进行了身份验证,并且显然返回null,因此它会将我签到Orchard。如果我检查authenticationService以查看我是否在登录后登录,它将返回我的用户,所以此时我已通过Orchard验证。

然后是问题。我被重定向到/ admin现在我已经过身份验证并且它执行了另一次身份验证检查,因此我被发送回我的控制器的LogOn操作。这次Request.IsAuthenticated仍然是正确的,但是currentUser仍为null,因此我不再使用Orchard进行身份验证,因此它会尝试再次登录Orchard。然后,这让我陷入了困境。

我有什么遗失的吗?有更好的方法吗?

1 个答案:

答案 0 :(得分:3)

Radio Systems一直致力于开发一个新模块。它也在微软内部使用,并将包含在Orchard ASAP

https://github.com/RadioSystems/RadioSystems.AzureAuthentication