We are trying to use the excellent IdentityServer for our product. Our application should be able to work with different tenants, and each tenant may have its own identity provider.
The IdentityServer part "can" be solved like this (it works, but I'm not sure this is particularly smart):
```csharp
// One IdentityServer instance mounted per tenant path; both share the same factory
// and the same identity-provider configuration.
app.Map("/demotenant", (test) =>
{
    test.UseIdentityServer(new IdentityServerOptions
    {
        SiteName = "Embedded IdentityServer",
        SigningCertificate = Certificate.Load(),
        Factory = factory,
        RequireSsl = false,
        AuthenticationOptions = new AuthenticationOptions
        {
            EnableLocalLogin = false,
            IdentityProviders = ConfigureIdentityProviders,
        },
    });
});

app.Map("/demotenant2", (test) =>
{
    test.UseIdentityServer(new IdentityServerOptions
    {
        SiteName = "Embedded IdentityServer",
        SigningCertificate = Certificate.Load(),
        Factory = factory,
        RequireSsl = false,
        AuthenticationOptions = new AuthenticationOptions
        {
            EnableLocalLogin = false,
            IdentityProviders = ConfigureIdentityProviders,
        },
    });
});
```
Now I am trying to use it from my web application. When I am under /demotenant it should use the /demotenant identity server, and so on.
```csharp
// Web application side: a cookie middleware plus an OpenID Connect middleware per
// tenant branch, each pointing at the matching IdentityServer path as its Authority.
app.Map("/demotenant", (test) =>
{
    test.UseCookieAuthentication(new CookieAuthenticationOptions()
    {
        AuthenticationType = "cookies",
    });
    test.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions()
    {
        AuthenticationType = "oidc",
        SignInAsAuthenticationType = "cookies",
        Authority = "http://localhost:63958/demotenant",
        ClientId = "webapp",
        RedirectUri = "http://localhost:57354/",
        ResponseType = "id_token",
        Scope = "openid",
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            // Pass a tenant hint to IdentityServer via acr_values.
            RedirectToIdentityProvider = async f =>
            {
                f.ProtocolMessage.AcrValues = "datasourceId:test";
            },
        },
    });
});

app.Map("/demotenant2", (test) =>
{
    test.UseCookieAuthentication(new CookieAuthenticationOptions()
    {
        AuthenticationType = "cookies",
    });
    test.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions()
    {
        AuthenticationType = "oidc",
        SignInAsAuthenticationType = "cookies",
        Authority = "http://localhost:63958/demotenant2",
        ClientId = "webapp",
        RedirectUri = "http://localhost:57354/",
        ResponseType = "id_token",
        Scope = "openid",
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            RedirectToIdentityProvider = async f =>
            {
                f.ProtocolMessage.AcrValues = "datasourceId:test";
            }
        },
    });
});
```
Unfortunately it doesn't work, or at least I cannot trigger the authentication flow.
My "simple" example just uses the [Authorize] attribute, which magically redirects me to my IdentityServer.
So the question is:
- Is it possible to trigger one of these authorizations depending on the route, and if so: how?
Answer 0: (score: 0)
Note that you don't have to use app.Map to route to the identity provider [IDP] based on the tenant. In IdentityServer you have to determine the exact IDP based on the tenant. Then you can invoke a challenge against that specific IDP.
Steps
Code sample for resolving endpoint URIs based on the tenant from the OWIN middleware:
```csharp
// Fragment of an options initializer: the endpoint URIs are resolved per client
// at request time instead of being fixed at startup.
OnDemandEndpoints = async (clientid, EndpointUriTypes) =>
{
    var endpointResolver = ServiceLocator.Resolve<IClientEndpointResolver>();
    return await endpointResolver.ResolveEndpointUri(EndpointUriTypes, clientid);
},
```
There needs to be some context that carries your tenant context across the middleware, so that everything from endpoint resolution to the clientId and ClientSecrets can be resolved dynamically.
Hope this helps
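As an added example (not code from the question or the answer above), here is one way to realise the answer's idea with a single IdentityServer3 host and a single OpenID Connect middleware in the web app instead of one pair per `app.Map` branch. The tenant is taken from the first path segment of the request that triggered the challenge, and IdentityServer's own `acr_values` hints (`idp:<name>` to preselect a registered external provider, `tenant:<name>` to pass the tenant to the user service) do the routing. On the way back, the tenant is derived from the `idp` claim that IdentityServer puts into the signed `id_token`, so the application trusts which provider actually authenticated the user rather than the path the user asked for. All hostnames, client ids, provider names and the `Certificate.Load()` helper are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core;
using IdentityServer3.Core.Configuration;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Added example, not part of the original question or answer. Hostnames, client ids and
// tenant/provider names are assumed; the mapping would normally come from configuration.
public static class MultiTenantIdp
{
    // Tenant route segment -> name of the external provider registered in IdentityServer.
    static readonly Dictionary<string, string> TenantIdp =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { { "demotenant", "tenant-a-idp" }, { "demotenant2", "tenant-b-idp" } };

    // IdentityServer side: one instance, every tenant's IdP registered in it.
    public static void ConfigureIdentityServer(IAppBuilder app, IdentityServerServiceFactory factory)
    {
        app.Map("/identity", ids => ids.UseIdentityServer(new IdentityServerOptions
        {
            SiteName = "Embedded IdentityServer",
            SigningCertificate = Certificate.Load(), // helper from the question, assumed to exist
            Factory = factory,
            AuthenticationOptions = new AuthenticationOptions
            {
                EnableLocalLogin = false,
                IdentityProviders = ConfigureIdentityProviders,
            },
        }));
    }

    // IdentityServer3 calls this with the sign-in type the external providers must use.
    static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
    {
        foreach (var kv in TenantIdp)
        {
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                AuthenticationType = kv.Value,                   // the value used in acr_values "idp:..."
                Caption = kv.Key + " login",
                SignInAsAuthenticationType = signInAsType,
                Authority = "https://" + kv.Value + ".example/", // placeholder upstream IdP
                ClientId = "identityserver",
                RedirectUri = "https://localhost:63958/identity/callback",
            });
        }
    }

    // Web application side: one cookie middleware, one OIDC middleware for all tenants.
    public static void ConfigureWebApp(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = "cookies" });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = "oidc",
            SignInAsAuthenticationType = "cookies",
            Authority = "https://localhost:63958/identity",
            ClientId = "webapp",
            RedirectUri = "https://localhost:57354/",
            ResponseType = "id_token",
            Scope = "openid",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Outbound: choose the IdP from the route of the request that was challenged.
                RedirectToIdentityProvider = n =>
                {
                    var tenant = TenantFromPath(n.Request.Path.Value);
                    string idp;
                    if (tenant == null || !TenantIdp.TryGetValue(tenant, out idp))
                    {
                        n.Response.StatusCode = 404; // unknown tenant: fail closed, no default IdP
                        n.HandleResponse();
                        return Task.FromResult(0);
                    }
                    n.ProtocolMessage.AcrValues = "idp:" + idp + " tenant:" + tenant;
                    return Task.FromResult(0);
                },
                // Inbound: the tenant is whatever the signed "idp" claim says, not what the URL said.
                SecurityTokenValidated = n =>
                {
                    var identity = n.AuthenticationTicket.Identity;
                    var idp = identity.FindFirst(Constants.ClaimTypes.IdentityProvider)?.Value;
                    var tenant = TenantIdp.Where(kv => kv.Value == idp).Select(kv => kv.Key).FirstOrDefault();
                    if (tenant == null)
                        throw new InvalidOperationException("id_token issued via an IdP not mapped to any tenant");
                    identity.AddClaim(new Claim("tenant", tenant));
                    return Task.FromResult(0);
                },
            },
        });
    }

    // First path segment is the tenant: "/demotenant/orders" -> "demotenant"; "/" -> null.
    public static string TenantFromPath(string path)
    {
        var first = (path ?? "").Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries).FirstOrDefault();
        return first != null && TenantIdp.ContainsKey(first) ? first : null;
    }

    // Check for an authorization filter: the signed-in user's tenant must match the route's tenant.
    public static bool UserMayAccessPath(ClaimsPrincipal user, string path)
    {
        var routeTenant = TenantFromPath(path);
        var userTenant = user?.FindFirst("tenant")?.Value;
        return routeTenant != null && string.Equals(routeTenant, userTenant, StringComparison.OrdinalIgnoreCase);
    }
}
```

The point of the `SecurityTokenValidated` step is that the route prefix is attacker-controlled input while the `idp` claim is not: a user who signs in through tenant B's provider gets a `tenant` claim of `demotenant2` and `UserMayAccessPath` refuses `/demotenant/...` for them, which a per-branch `app.Map` setup with a shared `ClientId` does not enforce on its own. If each tenant also needs its own client registration (different secrets or redirect URIs), `n.ProtocolMessage.ClientId` can be set in the same `RedirectToIdentityProvider` notification, and the client's `IdentityProviderRestrictions` list in IdentityServer3 limits which provider that client may use.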