Question: Can a back-end web application accept an AAD authentication cookie that was created by signing in to the front-end web application, and take the user's identity from it?
Background: I want to give a JavaScript SignalR client an Azure Active Directory single sign-on experience, but my current solution makes the user sign in twice: once when visiting the web application that hosts the js-client, and then again so that the js-client app can reach the back end.
Desired solution, with SSO AAD authentication
Attempted back-end Startup.cs
    // clientId, authority and redirectUri are configuration values read elsewhere in Startup
    public void ConfigureAuth( IAppBuilder app )
    {
        // Sign the user in with the cookie middleware after OpenID Connect completes
        app.SetDefaultSignInAsAuthenticationType( CookieAuthenticationDefaults.AuthenticationType );
        app.UseCookieAuthentication( new CookieAuthenticationOptions() );
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUri,
                PostLogoutRedirectUri = redirectUri,
                TokenValidationParameters = new TokenValidationParameters
                {
                    RoleClaimType = "roles"
                }
            } );
    }
Current solution, with the unwanted double sign-in
Current front-end Startup.cs
    // clientId, authority and redirectUri are configuration values read elsewhere in Startup
    public void ConfigureAuth( IAppBuilder app )
    {
        // Require an authenticated user on every MVC action
        GlobalFilters.Filters.Add( new AuthorizeAttribute() );
        app.SetDefaultSignInAsAuthenticationType( CookieAuthenticationDefaults.AuthenticationType );
        app.UseCookieAuthentication( new CookieAuthenticationOptions() );
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUri,
                PostLogoutRedirectUri = redirectUri,
                TokenValidationParameters = new TokenValidationParameters
                {
                    RoleClaimType = "roles"
                }
            } );
    }
Current back-end Startup.cs
    // tenant and audience are configuration values read elsewhere in Startup
    public void Configuration( IAppBuilder app )
    {
        // Copy a "BearerToken" cookie into the Authorization header so the
        // bearer middleware below can validate it as a JWT
        app.Use( ( context, next ) =>
        {
            if ( context.Request.Cookies.Any( c => c.Key.Equals( "BearerToken" ) ) )
            {
                var cookie = context.Request.Cookies.First( c => c.Key.Equals( "BearerToken" ) );
                context.Request.Headers.Add( "Authorization", new[] { $"Bearer {cookie.Value}" } );
            }
            return next.Invoke();
        } );
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = tenant,
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudience = audience,
                    RoleClaimType = "roles"
                }
            } );
    }
Answer 0 (score: 0)
Yes, it is possible. You need to specify a shared key for cookie encryption and decryption. https://docs.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-3.1
Once AzureAd is added, you only need to inject the shared cookie settings, with the shared cookie name and a dataProtectionProvider from the same key, in both applications.
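As an added illustration of the approach the answer describes (this is not code from the question or from the linked article): the two OWIN apps in the question can share one authentication cookie if both build their cookie middleware from the same data-protection key ring, the same application name, the same purpose strings and the same cookie name. The key-ring path, application name and cookie name below are assumptions, as are the placeholder OpenID Connect values; the interop types come from the Microsoft.Owin.Security.Interop and Microsoft.AspNetCore.DataProtection.Extensions packages, which is the route the linked article uses for ASP.NET 4.x (Katana) apps.

```csharp
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Interop;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Shared settings: BOTH the front-end app and the back-end app must use exactly
// these values, otherwise the back end cannot decrypt the front end's cookie.
public static class SharedCookieConfig
{
    // Assumed: a directory both apps can read. Restrict its ACLs: whoever holds
    // these keys can mint a valid authentication cookie for either app.
    public const string KeyRingPath = @"\\fileserver\share\keyring";            // placeholder path
    public const string ApplicationName = "SharedCookieApp";                     // assumed name
    public const string CookieName = ".AspNet.SharedCookie";                     // assumed name
    public const string SchemeName = CookieAuthenticationDefaults.AuthenticationType;

    public static CookieAuthenticationOptions Build()
    {
        // Same key ring + same application name => same keys => both apps can
        // protect and unprotect the same ticket.
        var provider = DataProtectionProvider.Create(
            new DirectoryInfo(KeyRingPath),
            builder => builder.SetApplicationName(ApplicationName));

        // The purpose strings are part of the key derivation, so they must also
        // match on both sides; these mirror the ones the ASP.NET Core cookie
        // handler uses, which keeps the ticket readable by a Core app as well.
        var protector = provider.CreateProtector(
            "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
            SchemeName,
            "v2");

        return new CookieAuthenticationOptions
        {
            AuthenticationType = SchemeName,
            CookieName = CookieName,
            CookieHttpOnly = true,                       // not readable from script
            CookieSecure = CookieSecureOption.Always,    // only sent over HTTPS
            CookieManager = new ChunkingCookieManager(), // large claim sets span cookies
            TicketDataFormat = new AspNetTicketDataFormat(new DataProtectorShim(protector)),
        };
    }
}

// Front end: runs the OpenID Connect sign-in with AAD and issues the shared cookie.
public class FrontEndStartup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(SharedCookieConfig.SchemeName);
        app.UseCookieAuthentication(SharedCookieConfig.Build());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<client-id>",          // placeholder
            Authority = "<authority>",         // placeholder
            RedirectUri = "<redirect-uri>",    // placeholder
        });
    }
}

// Back end (SignalR host): only reads the shared cookie. No second OpenID Connect
// round trip, so the user is not asked to sign in again.
public class BackEndStartup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(SharedCookieConfig.Build());
    }
}
```

Two things to check when wiring this up: the browser only sends the front end's cookie to the back end if the cookie is in scope for that host (same host, or a CookieDomain set to a common parent domain on both sides), and the key-ring directory is the trust root for both applications, so it deserves the same access control as a signing key.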