Azure AD: adding claims after PostAuthentication

Time: 2015-11-12 22:38:55

Tags: azure access-token azure-active-directory azure-ad-graph-api

I am authenticating users with Azure AD. I want to add some user claims that are specific to my application. Should I do this in `Application_PostAuthenticateRequest` in global.asax? Is there a way I can cache my claims?

4 answers:

Answer 0 (score: 4)

If you are using the ASP.NET OWIN middleware, you can use a specific notification to achieve this. Claims added that way will end up in your session cookie, so you do not have to repeat the claim augmentation logic on subsequent calls. For details, see http://www.cloudidentity.com/blog/2015/08/26/augmenting-the-set-of-incoming-claims-with-the-openid-connect-and-oauth2-middleware-in-katana-3-x/

Answer 1 (score: 0)

By the way, you can add custom claims, but you cannot override the existing claims added by Azure AD (as far as I have seen so far; I may be wrong). What you can do is add new claims like this:

AuthorizationCodeReceived = context =>
{
    // Build the application-specific claims and attach them to the identity
    // before the authentication ticket is turned into the session cookie.
    var allCustomClaims = new List<System.Security.Claims.Claim>();
    allCustomClaims.Add(new System.Security.Claims.Claim("customClaim", "YourDefinedValue"));
    context.AuthenticationTicket.Identity.AddClaims(allCustomClaims);
    return Task.FromResult(0);
}

Then you can read the claim anywhere in a controller, like:

var claimsIdentity = User.Identity as System.Security.Claims.ClaimsIdentity;

if (claimsIdentity != null)
{
    // FindFirst returns null when the claim is absent, so guard before reading Value.
    var claim = claimsIdentity.FindFirst("customClaim");
    var c = claim != null ? claim.Value : null;
}

Thanks
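As an added example (not code from any of the answers above or from the linked blog), this is the notification-based approach from answer 0 written out for the OpenID Connect middleware, with the claim issuer tagging that answer 1's sample leaves out. It assumes the Microsoft.Owin.Security.OpenIdConnect and Microsoft.Owin.Security.Cookies packages; the AppIssuer value, the role store and the object id are constructed stand-ins.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public static class ClaimAugmentation
{
    // Hypothetical issuer stamped on every claim this app adds itself, so authorization
    // code can distinguish app-issued claims from claims carried in the Azure AD token.
    public const string AppIssuer = "https://app.example.invalid/claims";

    // Stand-in for the application's own role store (constructed sample data).
    static readonly Dictionary<string, string[]> RolesByObjectId = new Dictionary<string, string[]>
        { { "00000000-0000-0000-0000-000000000001", new[] { "Reader", "Approver" } } };

    // Adds app-specific role claims to the identity the middleware has validated. This runs
    // before the session cookie is written, so the claims persist for the cookie lifetime.
    public static Task AddAppClaims(ClaimsIdentity identity)
    {
        // Key the lookup on the immutable Azure AD object id, never on a display name or e-mail.
        var oid = identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
        string[] roles;
        if (oid != null && RolesByObjectId.TryGetValue(oid, out roles))
            foreach (var role in roles)
                identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, AppIssuer));
        return Task.FromResult(0);
    }

    // Only honour role claims this app issued; a role claim minted anywhere else does not count.
    public static bool HasAppRole(ClaimsPrincipal user, string role)
    {
        return user.Claims.Any(c => c.Type == ClaimTypes.Role && c.Value == role && c.Issuer == AppIssuer);
    }

    public static void Configure(IAppBuilder app, string clientId, string authority)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = n => AddAppClaims(n.AuthenticationTicket.Identity)
            }
        });
    }
}
```

Because the cookie carries these claims until it expires, a role removed from the store stays in effect for existing sessions until the cookie is re-issued.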

Answer 2 (score: 0)

You can augment the claims programmatically:


public async Task<ActionResult> AuthenticateAsync()
{
    ClaimsPrincipal incomingPrincipal = System.Threading.Thread.CurrentPrincipal as ClaimsPrincipal;
    if (incomingPrincipal != null && incomingPrincipal.Identity.IsAuthenticated == true)
    {
        ClaimsIdentity claimsIdentity = incomingPrincipal.Identity as ClaimsIdentity;
        if (!claimsIdentity.HasClaim(ClaimTypes.Role, "Admin"))
        {
            // Add the new claim, then re-issue the auth cookie so it is persisted.
            claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, "Admin", ClaimValueTypes.String, "AADGuide"));
            var ctx = Request.GetOwinContext();
            var authenticationManager = ctx.Authentication;
            AuthenticateResult authResult = await authenticationManager.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationType);
            authenticationManager.SignIn(authResult.Properties, claimsIdentity);
        }
    }
    return RedirectToAction("Index", "Start");
}

This solution relies on the AuthenticationManager's AuthenticateAsync method to retrieve the original AuthenticationProperties. After retrieving the properties, call the SignIn method to persist the new ClaimsIdentity in the auth cookie.

Answer 3 (score: 0)

If you are using:

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions
    {
      ...

This is how I add additional custom claims using a new OAuthBearerAuthenticationProvider:

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
  // The id of the client application that must be registered in Azure AD.
  TokenValidationParameters = new TokenValidationParameters { ValidAudience = clientId },
  // Our Azure AD tenant (e.g.: contoso.onmicrosoft.com).
  Tenant = tenant,
  Provider = new OAuthBearerAuthenticationProvider
  {
    // In this handler we can perform additional coding tasks...
    OnValidateIdentity = async context =>
    {
      try
      {
        // Retrieve user JWT token from request.
        var authorizationHeader = context.Request.Headers["Authorization"].First();
        var userJwtToken = authorizationHeader.Substring("Bearer ".Length).Trim();

        // Get current user identity from authentication ticket.
        var authenticationTicket = context.Ticket;
        var identity = authenticationTicket.Identity;

        // Credential representing the current user. We need this to request a token
        // that allows our application access to the Azure Graph API.
        var userUpnClaim = identity.FindFirst(ClaimTypes.Upn);
        var userName = userUpnClaim == null
          ? identity.FindFirst(ClaimTypes.Email).Value
          : userUpnClaim.Value;
        var userAssertion = new UserAssertion(
          userJwtToken, "urn:ietf:params:oauth:grant-type:jwt-bearer", userName);

        // The user assertion is used in the full example to obtain a Graph API token;
        // that call is omitted here.
        identity.AddClaim(new Claim(identity.RoleClaimType, "myRole"));
      }
      catch (Exception)
      {
        throw;
      }
    }
  }
});

For a complete example, see this blog post