IdentityServer UserService.IsActive impersonation redirect loop

Time: 2016-05-04 01:59:02

Tags: c# asp.net-mvc identityserver3

I implemented IsActive in a custom user service. One of the steps I perform in that method is to check whether the user has any role for the requested client; if the user has no role, IsActive returns false. This works for the regular scenario. However, once I implemented an impersonation workflow, I started getting an infinite redirect between the login page and the authorize endpoint.

I could implement the same IsActive check in my impersonation logic, but is there something else I'm missing? It seems to me that I need to add something to IdentityServer so that it shows the error / not_authorized page, but I can't figure out where.

Implementation details:

Impersonation is implemented by returning a complete AuthenticateResult from PreAuthenticateAsync, based on a custom acr_values entry.

var impersonate = context.SignInMessage.AcrValues.FirstOrDefault(x => x.StartsWith("impersonate"));

if (!string.IsNullOrWhiteSpace(impersonate))
{
    // The currently signed-in (admin) user who is requesting the impersonation.
    var adminUserName = _owinContext.Authentication.User.FindFirst(Constants.ClaimTypes.Subject).Value;
    var adminUser = _service.GetUser(adminUserName);
    bool isAllowedImpersonation = true; //TODO:

    var impersonateSplit = impersonate.Split(':');
    if (impersonateSplit.Length != 2 || !isAllowedImpersonation)
    {
        // An error result is shown on the login page; stop here so the
        // impersonated identity below is not issued anyway.
        context.AuthenticateResult = new AuthenticateResult("Invalid attempt to impersonate user");
        return Task.FromResult(0);
    }

    var impersonateUserName = impersonateSplit[1];
    var impersonateUser = _service.GetUser(impersonateUserName);

    // Sign the impersonated user in as a full (non-partial) login.
    context.AuthenticateResult =
        new AuthenticateResult(
            impersonateUser.Username,
            impersonateUser.Name,
            claims: new[] { new Claim(Constants.ClaimTypes.ClientId, context.SignInMessage.ClientId) },
            identityProvider: Constants.BuiltInIdentityProvider,
            authenticationMethod: Constants.AuthenticationMethods.Password);
}

Logic inside IsActive:

var user = _service.GetUser(context.Subject.GetSubjectId());

// IsActiveAsync reports its outcome through context.IsActive, not a return value.
if (user == null || !user.IsActive)
{
    context.IsActive = false;
    return Task.FromResult(0);
}

var application = _service.GetApplicationByCode(context.Subject.GetClientId());

context.IsActive = _service.UserHasAccessTo(user, application.Code);

Redirect Loop

Edit

Log file excerpt

2016-05-11 18:22:09.0726 user service returned a login result 
2016-05-11 18:22:09.0726 Calling PostAuthenticateAsync on the user service 
2016-05-11 18:22:09.0726 issuing primary signin cookie 
2016-05-11 18:22:09.0726 redirecting to: http://localhost/xpo.security.tokenserver.site/connect/authorize?client_id=security_optimizer&redirect_uri=http:%2F%2Flocalhost%2Fxpo.security.optimizer%2F&response_mode=form_post&response_type=id_token&scope=openid email name roles&state=jXGforulK3bJWQs1aK5ML21s67HOcmaCX4lSpS19RWNQtaOHI98cY_lgk2KhKwGT67wyG_EdQU_HIgQe-bAGSEoFhwp5AqtQxswt3fgFMpTzsxOp12p5YbykbNhWqjacUEmZXOepBvC7hEkOiho1VcCoinZlJklCcLMGV5EOuLk&nonce=635986021053957554.MGJhYjQ4MDQtNDg4My00OTZhLWJjNzItMjJlZDNlZjNhZDg1ZmE5NjM2ZGMtOTBiNy00OTlhLTk0NTItN2E0OTQ5NzM0MjZm&acr_values=client:security_optimizer impersonate:ctest 
2016-05-11 18:22:09.0726 Start authorize request 
2016-05-11 18:22:09.0726 Start authorize request protocol validation 
2016-05-11 18:22:09.0726 Authorize request validation success
 {
  "ClientId": "security_optimizer",
  "ClientName": "Security Optimizer",
  "RedirectUri": "http://localhost/xpo.security.optimizer/",
  "AllowedRedirectUris": [
    "http://localhost/xpo.security.optimizer/"
  ],
  "SubjectId": "ctest",
  "ResponseType": "id_token",
  "ResponseMode": "form_post",
  "Flow": "Implicit",
  "RequestedScopes": "openid email name roles",
  "State": "jXGforulK3bJWQs1aK5ML21s67HOcmaCX4lSpS19RWNQtaOHI98cY_lgk2KhKwGT67wyG_EdQU_HIgQe-bAGSEoFhwp5AqtQxswt3fgFMpTzsxOp12p5YbykbNhWqjacUEmZXOepBvC7hEkOiho1VcCoinZlJklCcLMGV5EOuLk",
  "Nonce": "635986021053957554.MGJhYjQ4MDQtNDg4My00OTZhLWJjNzItMjJlZDNlZjNhZDg1ZmE5NjM2ZGMtOTBiNy00OTlhLTk0NTItN2E0OTQ5NzM0MjZm",
  "AuthenticationContextReferenceClasses": [
    "client:security_optimizer",
    "impersonate:ctest"
  ],
  "SessionId": "6f50b19f825f63426a7876c8c2d058df",
  "Raw": {
    "client_id": "security_optimizer",
    "redirect_uri": "http://localhost/xpo.security.optimizer/",
    "response_mode": "form_post",
    "response_type": "id_token",
    "scope": "openid email name roles",
    "state": "jXGforulK3bJWQs1aK5ML21s67HOcmaCX4lSpS19RWNQtaOHI98cY_lgk2KhKwGT67wyG_EdQU_HIgQe-bAGSEoFhwp5AqtQxswt3fgFMpTzsxOp12p5YbykbNhWqjacUEmZXOepBvC7hEkOiho1VcCoinZlJklCcLMGV5EOuLk",
    "nonce": "635986021053957554.MGJhYjQ4MDQtNDg4My00OTZhLWJjNzItMjJlZDNlZjNhZDg1ZmE5NjM2ZGMtOTBiNy00OTlhLTk0NTItN2E0OTQ5NzM0MjZm",
    "acr_values": "client:security_optimizer impersonate:ctest"
  }
} 
2016-05-11 18:22:09.3603 User is not active. Redirecting to login. 
2016-05-11 18:22:09.3603 End authorize request 
2016-05-11 18:22:09.3603 Redirecting to login page 
2016-05-11 18:22:09.3703 Login page requested 
2016-05-11 18:22:09.7432 user service returned a login result 
2016-05-11 18:22:09.7432 Calling PostAuthenticateAsync on the user service 
2016-05-11 18:22:09.7432 issuing primary signin cookie 
2016-05-11 18:22:09.7432 redirecting to: http://localhost/xpo.security.tokenserver.site/connect/authorize?client_id=security_optimizer&redirect_uri=http:%2F%2Flocalhost%2Fxpo.security.optimizer%2F&response_mode=form_post&response_type=id_token&scope=openid email name roles&state=jXGforulK3bJWQs1aK5ML21s67HOcmaCX4lSpS19RWNQtaOHI98cY_lgk2KhKwGT67wyG_EdQU_HIgQe-bAGSEoFhwp5AqtQxswt3fgFMpTzsxOp12p5YbykbNhWqjacUEmZXOepBvC7hEkOiho1VcCoinZlJklCcLMGV5EOuLk&nonce=635986021053957554.MGJhYjQ4MDQtNDg4My00OTZhLWJjNzItMjJlZDNlZjNhZDg1ZmE5NjM2ZGMtOTBiNy00OTlhLTk0NTItN2E0OTQ5NzM0MjZm&acr_values=client:security_optimizer impersonate:ctest 
2016-05-11 18:22:09.7527 Start authorize request 
2016-05-11 18:22:09.7527 Start authorize request protocol validation 
2016-05-11 18:22:09.7527 Authorize request validation success
 {
  "ClientId": "security_optimizer",
  "ClientName": "Security Optimizer",
  "RedirectUri": "http://localhost/xpo.security.optimizer/",
  "AllowedRedirectUris": [
    "http://localhost/xpo.security.optimizer/"
  ],
  "SubjectId": "ctest",
  "ResponseType": "id_token",
  "ResponseMode": "form_post",
  "Flow": "Implicit",
  "RequestedScopes": "openid email name roles",
  "State": "jXGforulK3bJWQs1aK5ML21s67HOcmaCX4lSpS19RWNQtaOHI98cY_lgk2KhKwGT67wyG_EdQU_HIgQe-bAGSEoFhwp5AqtQxswt3fgFMpTzsxOp12p5YbykbNhWqjacUEmZXOepBvC7hEkOiho1VcCoinZlJklCcLMGV5EOuLk",
  "Nonce": "635986021053957554.MGJhYjQ4MDQtNDg4My00OTZhLWJjNzItMjJlZDNlZjNhZDg1ZmE5NjM2ZGMtOTBiNy00OTlhLTk0NTItN2E0OTQ5NzM0MjZm",
  "AuthenticationContextReferenceClasses": [
    "client:security_optimizer",
    "impersonate:ctest"
  ],
  "SessionId": "fec184ed6b9d5eae0c84d36d22c59c1a",
  "Raw": {
    "client_id": "security_optimizer",
    "redirect_uri": "http://localhost/xpo.security.optimizer/",
    "response_mode": "form_post",
    "response_type": "id_token",
    "scope": "openid email name roles",
    "state": "jXGforulK3bJWQs1aK5ML21s67HOcmaCX4lSpS19RWNQtaOHI98cY_lgk2KhKwGT67wyG_EdQU_HIgQe-bAGSEoFhwp5AqtQxswt3fgFMpTzsxOp12p5YbykbNhWqjacUEmZXOepBvC7hEkOiho1VcCoinZlJklCcLMGV5EOuLk",
    "nonce": "635986021053957554.MGJhYjQ4MDQtNDg4My00OTZhLWJjNzItMjJlZDNlZjNhZDg1ZmE5NjM2ZGMtOTBiNy00OTlhLTk0NTItN2E0OTQ5NzM0MjZm",
    "acr_values": "client:security_optimizer impersonate:ctest"
  }
} 
2016-05-11 18:22:10.4456 User is not active. Redirecting to login. 
2016-05-11 18:22:10.4456 End authorize request 
2016-05-11 18:22:10.4475 Redirecting to login page 
2016-05-11 18:22:10.4475 Login page requested 
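As an added example (not the question author's code), one way to apply the same access rule in both places so that a denied impersonation ends on the login page with an error instead of another redirect to the authorize endpoint. The `AppUser`, `IAccessStore` and `MayImpersonate` names are assumed stand-ins for the poster's `_service`; `UserServiceBase`, `PreAuthenticationContext`, `IsActiveContext` and `AuthenticateResult` are IdentityServer3's own types, and `IsActiveAsync` reads the requesting client from `context.Client` rather than from a claim on the subject.

```csharp
using System.Linq;
using System.Threading.Tasks;
using IdentityServer3.Core;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.Default;
using Microsoft.Owin;

// Assumed application-side contract; not part of IdentityServer3.
public class AppUser { public string Username; public string Name; public bool IsActive; }
public interface IAccessStore
{ AppUser GetUser(string userName); bool UserHasAccessTo(AppUser u, string clientId); bool MayImpersonate(AppUser admin, AppUser target); }

public class ImpersonatingUserService : UserServiceBase
{
    private const string AcrPrefix = "impersonate:";
    private readonly IAccessStore _store;
    private readonly IOwinContext _owin;
    public ImpersonatingUserService(IAccessStore store, IOwinContext owin) { _store = store; _owin = owin; }

    public override Task PreAuthenticateAsync(PreAuthenticationContext context)
    {
        var acr = context.SignInMessage.AcrValues.FirstOrDefault(x => x.StartsWith(AcrPrefix));
        if (acr == null) return Task.FromResult(0);   // not an impersonation sign-in

        // Apply the same rule IsActiveAsync uses before issuing the impersonated identity;
        // an error result is rendered on the login page and no sign-in cookie is issued.
        var adminId = _owin.Authentication.User?.FindFirst(Constants.ClaimTypes.Subject)?.Value;
        var admin = adminId == null ? null : _store.GetUser(adminId);
        var target = _store.GetUser(acr.Substring(AcrPrefix.Length));
        if (admin == null || target == null || !_store.MayImpersonate(admin, target)
            || !HasAccess(target, context.SignInMessage.ClientId))
        {
            context.AuthenticateResult = new AuthenticateResult("Invalid attempt to impersonate user");
            return Task.FromResult(0);
        }
        context.AuthenticateResult = new AuthenticateResult(target.Username, target.Name,
            identityProvider: Constants.BuiltInIdentityProvider,
            authenticationMethod: Constants.AuthenticationMethods.Password);
        return Task.FromResult(0);
    }

    public override Task IsActiveAsync(IsActiveContext context)
    {
        // context.Client is the client making the authorize request.
        var user = _store.GetUser(context.Subject.GetSubjectId());
        context.IsActive = HasAccess(user, context.Client.ClientId);
        return Task.FromResult(0);
    }

    private bool HasAccess(AppUser user, string clientId) =>
        user != null && user.IsActive && _store.UserHasAccessTo(user, clientId);
}
```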

0 answers:

No answers