如何添加新声明,以便它们在Cookie过期之前一直存在请求?
我正在使用OWIN中间件,本地身份验证来验证登录系统的用户。
登录部分成功,我将角色添加到ws-federation提供的用户声明中,以帮助授权用户使用某些操作方法。 在登录时,在控制器中,我编写了以下内容来添加角色:
string[] roles = { "Role1", "Role2" };
var identity = new ClaimsIdentity(User.Identity);
foreach (var role in roles)
{
identity.AddClaim(new Claim(ClaimTypes.Role, role));
}
var authenticationManager = HttpContext.GetOwinContext().Authentication;
authenticationManager.AuthenticationResponseGrant = new AuthenticationResponseGrant
(new ClaimsPrincipal(identity),
new AuthenticationProperties { IsPersistent = true });
但是当我在下一次请求时检查索赔时,我看不到角色声明。
答案 0 :(得分:1)
成功验证后,我相信您添加了自定义声明(通常在成功验证后对某些事件处理程序)。现在,为了在后续请求中保留该信息,您需要在管道中进行身份验证之前使用CookieAuthentication中间件。
工作原理:
首次成功验证并添加自定义声明后,声明将转换为某种身份验证Cookie并发送回客户端。后续请求将携带此身份验证cookie。查找auth cookie的CookieAuthentication中间件会将Thread.CurrentPriciple设置为从cookie获取的声明。
在cookie中间件确实看到任何auth cookie的第一次请求期间,它会将请求传递给管道中的下一个中间件(在您的情况下为身份验证)以挑战用户登录。
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
AuthenticationType = "Cookies",
AuthenticationMode= AuthenticationMode.Active,
CookieName="XXXXX",
CookieDomain= _cookiedomain,
/* you can go with default cookie encryption also */
TicketDataFormat = new TicketDataFormat(_x509DataProtector),
SlidingExpiration = true,
CookieSecure = CookieSecureOption.Always,
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = _clientID,
Authority = _authority,
RedirectUri = _redirectUri,
UseTokenLifetime = false,
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = SecurityTokenValidated,
AuthenticationFailed = (context) =>
{
/* your logic to handle failure*/
}
},
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
ValidIssuers = _validIssuers,
ValidateIssuer = _isValidIssuers,
}
});
编辑:(附加信息)
几乎上面的确切代码也适用于ws联合,具有相同的逻辑和所有内容。
SecurityTokenValidated = notification =>
{
ClaimsIdentity identity = notification.AuthenticationTicket.Identity;
string[] roles = { "Role1", "Role2" };
foreach (var role in roles)
{
identity.AddClaim(new Claim(ClaimTypes.Role, role));
}
return Task.FromResult(0);
}
答案 1 :(得分:0)
您需要使用AuthenticationType
中使用的相同Startup.ConfigureAuth
。例如:
在Startup.ConfigureAuth
:
app.UseCookieAuthentication(new CookieAuthenticationOptions {
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
//....
});
在您的登录代码中(问题中提供):
var identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);
或确保User.Identity
具有相同的AuthenticationType
,并且您可以像以前那样使用它:
var identity = new ClaimsIdentity(User.Identity);
现在重要的一点是,对于登录,您应该在使用之前添加声明,而不是之后。像这样:
HttpContext.GetOwinContext().Authentication.SignIn(identity);
您可以在登录后添加声明,但您将在创建后立即修改Cookie,这效率不高。如果在某些其他代码中您需要修改声明,那么您可以使用类似于代码的内容,但必须从Current
获取上下文:
HttpContext.Current.GetOwinContext().Authentication.AuthenticationResponseGrant =
new AuthenticationResponseGrant(new ClaimsPrincipal(identity),
new AuthenticationProperties { IsPersistent = true });
因此,您只需像上面一样添加Current
即可修改代码,但这对于登录代码效率不高,最好将声明传递给SignIn
函数。< / p>
答案 2 :(得分:0)
您可以在WEB API C#(SOAP),(存储过程)中执行以下操作
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
LoginModel model = new LoginModel();
//validate user credentials and obtain user roles (return List Roles)
//validar las credenciales de usuario y obtener roles de usuario
var user = model.User = _serviceUsuario.ObtenerUsuario(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "El nombre de usuario o la contraseña no son correctos.cod 01");
return;
}
var stringRoles = user.Roles.Replace(" ", "");//It depends on how you bring them from your DB
string[] roles = stringRoles.Split(',');//It depends on how you bring them from your DB
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
foreach(var Rol in roles)
{
identity.AddClaim(new Claim(ClaimTypes.Role, Rol));
}
identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim(ClaimTypes.Email, user.Correo));
identity.AddClaim(new Claim(ClaimTypes.MobilePhone, user.Celular));
identity.AddClaim(new Claim("FullName", user.FullName));//new ClaimTypes
identity.AddClaim(new Claim("Empresa", user.Empresa));//new ClaimTypes
identity.AddClaim(new Claim("ConnectionStringsName", user.ConnectionStringsName));//new ClaimTypes
//add user information for the client
var properties = new AuthenticationProperties(new Dictionary<string, string>
{
{ "userName",user.NombreUsuario },
{ "FullName",user.FullName },
{ "EmpresaName",user.Empresa }
});
//end
var ticket = new AuthenticationTicket(identity, properties);
context.Validated(ticket);
}