我正在尝试接管Orchard管理员身份验证流程,并将其替换为使用Azure AD的OpenId Connect(用于SSO目的)。用户通过OpenId进行身份验证后,我想让用户签到Orchard使用Orchard的角色进行授权。
这是我到目前为止的代码
OwinMiddlewareProvider:
public class OpenIdConnectMiddleware : IOwinMiddlewareProvider
{
public IEnumerable<OwinMiddlewareRegistration> GetOwinMiddlewares()
{
return new[]
{
new OwinMiddlewareRegistration
{
Priority = "1",
Configure = app => {
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = "<My Client Id>",
Authority = "<My Authority>",
RedirectUri = "https://localhost:44357/"
});
}
}
};
}
}
我接管默认访问被拒绝路线的路线:
new RouteDescriptor {
Priority = 1,
Route = new Route(
"Users/Account/AccessDenied",
new RouteValueDictionary {
{"area", "BCS.Authentication"},
{"controller", "Account"},
{"action", "LogOn"}
},
new RouteValueDictionary (),
new RouteValueDictionary {
{"area", "BCS.Authentication"}
},
new MvcRouteHandler())
}
最后,我的AccountController具有以下内容:
public ActionResult LogOn(string returnUrl)
{
if (!Request.IsAuthenticated)
{
HttpContext.GetOwinContext().Authentication.Challenge(
new AuthenticationProperties { RedirectUri = string.IsNullOrEmpty(returnUrl) ? "/" : returnUrl },
OpenIdConnectAuthenticationDefaults.AuthenticationType);
return new EmptyResult();
}
var currentUser = _authenticationService.GetAuthenticatedUser();
if (currentUser == null)
{
// temporary, just for testing purposes
var user = _membershipService.GetUser("douwinga");
_authenticationService.SignIn(user, false);
}
return new RedirectResult(returnUrl);
}
使用此代码导航到https://localhost:44357/admin Request.IsAuthenticated为false,因此它将我带到ADFS登录页面。登录后,我回到了LogOn操作,Request.IsAuthenticated现在是真的。然后它尝试使用authenticationService来查看我是否通过Orchard进行了身份验证,并且显然返回null,因此它会将我签到Orchard。如果我检查authenticationService以查看我是否在登录后登录,它将返回我的用户,所以此时我已通过Orchard验证。
然后是问题。我被重定向到/ admin现在我已经过身份验证并且它执行了另一次身份验证检查,因此我被发送回我的控制器的LogOn操作。这次Request.IsAuthenticated仍然是正确的,但是currentUser仍为null,因此我不再使用Orchard进行身份验证,因此它会尝试再次登录Orchard。然后,这让我陷入了困境。
我有什么遗失的吗?有更好的方法吗?
答案 0 :(得分:3)
Radio Systems一直致力于开发一个新模块。它也在微软内部使用,并将包含在Orchard ASAP
中https://github.com/RadioSystems/RadioSystems.AzureAuthentication