在我的.net核心1.1代码中,我按照以下方式进行身份验证(将承载令牌发送到外部URL并在返回令牌中查找声明)。此代码位于Configure方法
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationScheme = "Cookies"
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
AuthenticationScheme = "oidc",
SignInScheme = "Cookies",
Authority = signinAuthority,
RequireHttpsMetadata = signinHTTPS,
ClientId = "skybus",
ClientSecret = "secret",
ResponseType = "code id_token",
Scope = { "api1", "offline_access" },
GetClaimsFromUserInfoEndpoint = true,
SaveTokens = true
});
现在我将代码升级到.net Core 2.0 UseCookieAuthentication& UseOpenIdConnectAuthentication已更改。我发现在这种情况下很难找到需要做的事情
我在ConfigureServices方法
services.AddAuthentication(options => {
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(o =>
{
o.Authority = signinAuthority;
o.SignInScheme = "Cookies";
o.RequireHttpsMetadata = signinHTTPS;
o.ClientId = "skybus";
o.ClientSecret = "secret";
o.ResponseType = "code id_token";
o.GetClaimsFromUserInfoEndpoint = true;
o.SaveTokens = true;
o.Scope.Add("api1");
o.Scope.Add("offline_access");
});
在浏览器中,我在上述更改后看到此URL。如果用户没有登录或返回我网站的主页,它应该显示外部登录页面
答案 0 :(得分:1)
我跟着this link from microsoft开始迁移。此链接涵盖了大部分迁移,但我遇到了大部分索赔缺失的问题。
使用ASP.NET Core 1.x,客户端会收到声明:nbf,exp,iss,aud,nonce,iat,c_hash,sid,sub,auth_time,idp,amr。
在Core 2.0中,我们只获得sid,sub和idp。发生了什么事?
Microsoft在其OpenID Connect处理程序中添加了一个名为ClaimActions的新概念。声明操作允许修改外部提供程序的声明如何映射(或不映射)到ClaimsPrincipal中的声明。查看OpenIdConnectOptions的ctor,您可以看到处理程序现在默认会跳过以下声明:
ClaimActions.DeleteClaim("nonce");
ClaimActions.DeleteClaim("aud");
ClaimActions.DeleteClaim("azp");
ClaimActions.DeleteClaim("acr");
ClaimActions.DeleteClaim("amr");
ClaimActions.DeleteClaim("iss");
ClaimActions.DeleteClaim("iat");
ClaimActions.DeleteClaim("nbf");
ClaimActions.DeleteClaim("exp");
ClaimActions.DeleteClaim("at_hash");
ClaimActions.DeleteClaim("c_hash");
ClaimActions.DeleteClaim("auth_time");
ClaimActions.DeleteClaim("ipaddr");
ClaimActions.DeleteClaim("platf");
ClaimActions.DeleteClaim("ver");
如果您要“取消跳过”声明,则需要在设置处理程序时删除特定的声明操作。以下是获取amr声明的非常直观的语法:
options.ClaimActions.Remove("amr");
请求OIDC提供商提出更多声明
当您要求更多范围时,例如导致更多声明的个人资料或自定义范围,还有另一个令人困惑的细节需要注意。
根据OIDC协议中的response_type,一些声明通过id_token传输,一些声明通过userinfo端点传输。
首先,您需要在处理程序中启用对userinfo端点的支持:
options.GetClaimsFromUserInfoEndpoint = true;
最后,您需要添加以下类来导入所有其他自定义声明
public class MapAllClaimsAction : ClaimAction
{
public MapAllClaimsAction() : base(string.Empty, string.Empty)
{
}
public override void Run(JObject userData, ClaimsIdentity identity, string issuer)
{
foreach (var claim in identity.Claims)
{
// If this claimType is mapped by the JwtSeurityTokenHandler, then this property will be set
var shortClaimTypeName = claim.Properties.ContainsKey(JwtSecurityTokenHandler.ShortClaimTypeProperty) ?
claim.Properties[JwtSecurityTokenHandler.ShortClaimTypeProperty] : string.Empty;
// checking if claim in the identity (generated from id_token) has the same type as a claim retrieved from userinfo endpoint
JToken value;
var isClaimIncluded = userData.TryGetValue(claim.Type, out value) || userData.TryGetValue(shortClaimTypeName, out value);
// if a same claim exists (matching both type and value) both in id_token identity and userinfo response, remove the json entry from the userinfo response
if (isClaimIncluded && claim.Value.Equals(value.ToString(), StringComparison.Ordinal))
{
if (!userData.Remove(claim.Type))
{
userData.Remove(shortClaimTypeName);
}
}
}
// adding remaining unique claims from userinfo endpoint to the identity
foreach (var pair in userData)
{
JToken value;
var claimValue = userData.TryGetValue(pair.Key, out value) ? value.ToString() : null;
identity.AddClaim(new Claim(pair.Key, claimValue, ClaimValueTypes.String, issuer));
}
}
}
然后使用上面的类代码将其添加到ClaimActions
options.ClaimActions.Add(new MapAllClaimsAction());
答案 1 :(得分:0)
答案 2 :(得分:0)
您是否使用了身份验证中间件?
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseAuthentication();
...