我想创建一个ASP.NET MVC Web应用程序,其中用户身份验证机制基于用户类型。因此,如果单击“个人帐户”,那么他将被重定向到应用程序的登录页面。如果他单击公司帐户,则将其重定向到Azure AD登录页面。实际上,该应用程序将支持基于表单的ASP.NET Identity身份验证和多租户Azure AD身份验证。
在单个ASP.NET MVC Web应用程序中实现这种功能的最佳方法是什么? 具体地说,我需要对Startup类中的中间件代码进行哪些更改?
ASP.NET MVC版本:5.2
.NET Framework :4.7
Visual Studio IDE :2017年社区
作为参考,如果在创建全新的Web应用程序时选择“个人用户帐户”模板,则会得到以下代码:
// For more information on configuring authentication, please visit https://go.microsoft.com/fwlink/?LinkId=301864
public void ConfigureAuth(IAppBuilder app)
{
// Configure the db context, user manager and signin manager to use a single instance per request
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
// Configure the sign in cookie
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
// Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));
// Enables the application to remember the second login verification factor such as phone or email.
// Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
// This is similar to the RememberMe option when you log in.
app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
// Uncomment the following lines to enable logging in with third party login providers
//app.UseMicrosoftAccountAuthentication(
// clientId: "",
// clientSecret: "");
//app.UseTwitterAuthentication(
// consumerKey: "",
// consumerSecret: "");
//app.UseFacebookAuthentication(
// appId: "",
// appSecret: "");
//app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
//{
// ClientId = "",
// ClientSecret = ""
//});
}
以下是如果我选择Azure AD登录(多个组织)的代码:
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
private string appKey = ConfigurationManager.AppSettings["ida:ClientSecret"];
private string graphResourceID = "https://graph.windows.net";
private static string aadInstance = EnsureTrailingSlash(ConfigurationManager.AppSettings["ida:AADInstance"]);
private string authority = aadInstance + "common";
private ApplicationDbContext db = new ApplicationDbContext();
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions { });
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
// instead of using the default validation (validating against a single issuer value, as we do in line of business apps),
// we inject our own multitenant validation logic
ValidateIssuer = false,
},
Notifications = new OpenIdConnectAuthenticationNotifications()
{
SecurityTokenValidated = (context) =>
{
return Task.FromResult(0);
},
AuthorizationCodeReceived = (context) =>
{
var code = context.Code;
ClientCredential credential = new ClientCredential(clientId, appKey);
string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
AuthenticationContext authContext = new AuthenticationContext(aadInstance + tenantID, new ADALTokenCache(signedInUserID));
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCodeAsync(
code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceID).Result;
return Task.FromResult(0);
},
AuthenticationFailed = (context) =>
{
context.OwinContext.Response.Redirect("/Home/Error");
context.HandleResponse(); // Suppress the exception
return Task.FromResult(0);
}
}
});
}
private static string EnsureTrailingSlash(string value)
{
if (value == null)
{
value = string.Empty;
}
if (!value.EndsWith("/", StringComparison.Ordinal))
{
return value + "/";
}
return value;
}
答案 0 :(得分:1)
假定您有一个至少命名为Home的控制器或使用owin中间件所需的任何名称。
如果使用个人帐户访问应用程序,则将执行以下操作。
我不打算介绍登录和注销的详细信息,因为我认为您已经实现了它们。
如果要从任何学校或组织帐户登录,您也必须执行以下操作
public void SignIn()
{
HttpContext.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectAuthenticationDefaults.AuthenticationType);
}
public void SignOut()
{
// Send an OpenID Connect sign-out request.
HttpContext.GetOwinContext().Authentication.SignOut(
OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);
}
public void EndSession()
{
// If AAD sends a single sign-out message to the app, end the user's session, but don't redirect to AAD for sign out.
HttpContext.GetOwinContext().Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
}
public void UserNotBelongToSystem()
{
// If AAD sends a single sign-out message to the app, end the user's session, but don't redirect to AAD for sign out.
HttpContext.GetOwinContext().Authentication.SignOut(
OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);
}
然后是启动类
public partial class Startup
{
}
下面是使用的名称空间。
using Castle.MicroKernel.Registration;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using System.Collections.Generic;
using System.Configuration;
using System.Globalization;
using System.Runtime.Serialization;
using System.Security.Claims;
启动中有一种方法
private static Task RedirectToIdentityProvider(Microsoft.Owin.Security.Notifications.RedirectToIdentityProviderNotification<Microsoft.IdentityModel.Protocols.OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> arg)
{
string appBaseUrl = arg.Request.Scheme + "://" + arg.Request.Host + arg.Request.PathBase;
arg.ProtocolMessage.RedirectUri = appBaseUrl + "/";
arg.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;
arg.ProtocolMessage.Prompt = "login";
if (arg.ProtocolMessage.State != null)
{
var stateQueryString = arg.ProtocolMessage.State.Split('=');
var protectedState = stateQueryString[1];
var state = arg.Options.StateDataFormat.Unprotect(protectedState);
state.Dictionary.Add("mycustomparameter", UtilityFunctions.Encrypt("myvalue"));
arg.ProtocolMessage.State = stateQueryString[0] + "=" + arg.Options.StateDataFormat.Protect(state);
}
return Task.FromResult(0);
}
通过上述操作,您会将自定义值发送给Azure身份验证提供程序,该请求是由您原始生成的。
因为收到响应后,您需要验证这是您将请求重定向到身份提供者进行身份验证
private static Task OnMessageReceived(Microsoft.Owin.Security.Notifications.MessageReceivedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
if (notification.ProtocolMessage.State != null)
{
string mycustomparameter;
var protectedState = notification.ProtocolMessage.State.Split('=')[1];
var state = notification.Options.StateDataFormat.Unprotect(protectedState);
state.Dictionary.TryGetValue("mycustomparameter", out mycustomparameter);
if (UtilityFunctions.Decrypt(mycustomparameter) != "myvalue")
throw new System.IdentityModel.Tokens.SecurityTokenInvalidIssuerException();
}
return Task.FromResult(0);
}
以下是在启动时令牌过期的情况下注销或处理用户的方法
private Task AuthenticationFailed(Microsoft.Owin.Security.Notifications.AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
//context.HandleResponse();
//context.Response.Redirect("/Error?message=" + context.Exception.Message);
return Task.FromResult(0);
}
private Task SecurityTokenValidated(Microsoft.Owin.Security.Notifications.SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
string userID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value;
return Task.FromResult(0);
}
然后,一旦您通过OnMessageReceived方法验证了响应,那么声明就会添加到认证令牌中
private Task AuthorizationCodeReceived(Microsoft.Owin.Security.Notifications.AuthorizationCodeReceivedNotification context)
{
var code = context.Code;
string userID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value;
var _objUser = Users.CheckIfTheUserExistInOurSystem(userID);//check this in system again your choice depends upone the requiement you have
if (_objUser == null)
{
context.HandleResponse();
// context.OwinContext.Authentication.SignOut(OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);
context.Response.Redirect("Home/UserNotBelongToSystem");// same mehthod added above as to signout
// throw new System.IdentityModel.Tokens.SecurityTokenValidationException();
}
else
{
_objUser.IsAZureAD = true;// setting true to find out at the time of logout where to redirect
var claims = Users.GetCurrentUserAllClaims(_objUser);//You can create your claims any way you want just getting from other method. and same was used in case of the normal login
context.AuthenticationTicket.Identity.AddClaims(claims);
context.OwinContext.Authentication.SignIn(context.AuthenticationTicket.Identity);
context.HandleResponse();
context.Response.Redirect("Home/Main");
}
}
最后但并非最不重要的一点是,您可以检查用户声明以查看当前登录的用户是否来自Azure,以便重定向到特定的退出页面
if (CurrentUser.IsAZureAD) { LogoutUrl = Url.Content("~/Home/SignOut"); } else { LogoutUrl = Url.Content("~/Home/LogOut");
CurrentUser.IsAZureAD
public class CurrentUser: ClaimsPrincipal
{
public CurrentUser(ClaimsPrincipal principal)
: base(principal)
{
}
public string Name
{
get
{
// return this.FindFirst(ClaimTypes.Name).Value;
return this.FindFirst("USER_NAME").Value;
}
}
public bool IsAZureAD
{
get
{
return Convert.ToBoolean(this.FindFirst("IsAZureAD").Value);
}
}
}