IdentityServer4取代Asp.net 4.5 MVC5 SimpleMembership进行身份验证

时间:2019-06-27 00:08:13

标签: asp.net-mvc-5 identityserver4 simplemembership

我有一个使用SimpleMembership在应用程序中进行身份验证和授权的Asp.net 4.5 MVC5应用程序。现在,我需要集成以使用外部IdentityServer4进行身份验证。我试图将OWIN启动文件添加到项目中,并在web.config中关闭标准IIS身份验证。现在,我可以重定向到IDServer进行登录和同意。

到达视图时发生问题:

错误消息:

  

未找到名称为“”的用户。说明:   当前Web执行期间发生未处理的异常   请求。请查看堆栈跟踪以获取有关   错误及其在代码中的起源。

     

异常详细信息:System.InvalidOperationException:找不到用户   发现名称为“”。

     

源错误:

     

第15行:@if(模型!=空)第16行:{第17行:
  foreach(模型中的变量声明)第18行:{第19行:
  

@ claim.Type

     

源文件:   e:\ GitHub \ CRURepoPostBR20190607_IS4 \ CRU_Build \ Suite \ Views \ Home \ IS4Auth.cshtml   行:17

     

堆栈跟踪:[InvalidOperationException:找不到用户   名称为“”。]
  WebMatrix.WebData.SimpleRoleProvider.GetRolesForUser(字符串用户名)   +498 System.Web.Security.RolePrincipal.GetRoles()+215 System.Web.Security.d__4.MoveNext()+58
  System.Security.Claims.d__51.MoveNext()+253
  System.Security.Claims.d__37.MoveNext()+209

我的IdentityServer是IdentityServer4快速入门示例的克隆。我的MVC5应用程序很旧,并且使用SimpleMembership进行身份验证和角色授权。我手动添加了OWIN Startup.cs,请参见下面的代码。

我尝试将IdentityServer https://demo.identityserver.io用作IDServer并遇到相同的问题。这证明我的IDServer没问题。

我尝试创建一个没有SimpleMembership的简单的单独的Asp.net 4.5 MVC5项目,但没有收到错误。

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = "oidc",
            SignInAsAuthenticationType = "Cookies",
            ClientSecret = "secret",

            //Authority = "http://localhost:5000", //ID Server
            Authority = "https://demo.identityserver.io", //ID Server
            RequireHttpsMetadata = false,
            RedirectUri = "http://localhost:58018/signin-oidc",
            //RedirectUri = "http://localhost:58018/",
            //ClientId = "myOldMvc",
            ClientId = "server.hybrid",

            ResponseType = "id_token code",
            Scope = "openid profile",
        });
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
    }
}

以下是显示索赔的视图:

@model IEnumerable<System.Security.Claims.Claim>

@{
    ViewBag.Title = "IS4Auth";
}

<h2>IS4Auth</h2>

<dl>

    @if (Model != null)
    {
        foreach (var claim in Model)
        {
            <dt>@claim.Type</dt>
            <dd>@claim.Value</dd>
        }
    }
</dl>

这是我与system.web和system.webServer配置相关的部分

<system.web>
    <httpModules>
      <add name="ar.sessionscope" type="Castle.ActiveRecord.Framework.SessionScopeWebModule, Castle.ActiveRecord.web" />
      <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" />
      <add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" />
      <add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" />
    </httpModules>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" maxRequestLength="1048576" />
    <!--Change for IS4Authentication-->
    <authentication mode="None" />
    <!--<authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="2880" />
    </authentication>-->
    <!--<roleManager enabled="true" defaultProvider="simple">
      <providers>
        <clear />
        <add name="simple" type="WebMatrix.WebData.SimpleRoleProvider,WebMatrix.WebData" />
      </providers>
    </roleManager>
    <membership defaultProvider="simple">
      <providers>
        <clear />
        <add name="simple" type="WebMatrix.WebData.SimpleMembershipProvider,WebMatrix.WebData" enablePasswordReset="true" requiresQuestionAndAnswer="false" />
      </providers>
    </membership>-->
    <pages>
      <namespaces>
        <add namespace="System.Web.Helpers" />
        <add namespace="System.Web.Mvc" />
        <add namespace="System.Web.Mvc.Ajax" />
        <add namespace="System.Web.Mvc.Html" />
        <add namespace="System.Web.Optimization" />
        <add namespace="System.Web.Routing" />
        <add namespace="System.Web.WebPages" />
      </namespaces>
    </pages>
    <httpHandlers>
      <add verb="*" path="routes.axd" type="AttributeRouting.Web.Logging.LogRoutesHandler, AttributeRouting.Web" />
      <add verb="POST,GET,HEAD" path="elmah" type="Elmah.ErrorLogPageFactory, Elmah" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <handlers>
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
      <add name="Elmah" verb="POST,GET,HEAD" path="elmah" type="Elmah.ErrorLogPageFactory, Elmah" />
    </handlers>
    <modules>
      <!--Change for IS4Authentication-->
      <remove name="FormsAuthentication" />
      <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler" />
      <add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler" />
      <add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler" />
    </modules>
    <httpProtocol>
      <customHeaders>
        <clear />
        <add name="X-UA-Compatible" value="IE=Edge" />
      </customHeaders>
    </httpProtocol>

  </system.webServer>

这是添加到OpenIdConnectAuthenticationOptions的通知代码

    Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthorizationCodeReceived = async n =>
                    {
                        // use the code to get the access and refresh token
                        var tokenClient = new TokenClient(
                            "http://localhost:5000/connect/token",
                            //"server.hybrid",
                            "myApp",
                            "secret");

                        var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(n.Code, n.RedirectUri);

                        if (tokenResponse.IsError)
                        {
                            //throw new Exception(tokenResponse.Error);
                            throw new AuthenticationException(tokenResponse.Error);
                        }

                        // use the access token to retrieve claims from userinfo
                        var userInfoClient = new UserInfoClient("http://localhost:5000/connect/userinfo");
                        var userInfoResponse = await userInfoClient.GetAsync(tokenResponse.AccessToken);

                        // create new identity
                        var id = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
                        id.AddClaims(userInfoResponse.Claims);
                        var Name = userInfoResponse.Claims.FirstOrDefault(c => c.Type.Equals("Name", StringComparison.CurrentCultureIgnoreCase)).Value;
                        id.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
                        id.AddClaim(new Claim("expires_at", DateTime.Now.AddSeconds(tokenResponse.ExpiresIn).ToLocalTime().ToString()));
                        id.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
                        id.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
                        id.AddClaim(new Claim("sid", n.AuthenticationTicket.Identity.FindFirst("sid").Value));

                        n.AuthenticationTicket = new AuthenticationTicket(
                            new ClaimsIdentity(id.Claims, n.AuthenticationTicket.Identity.AuthenticationType, JwtClaimTypes.Name, JwtClaimTypes.Role),
                            n.AuthenticationTicket.Properties
                        );

                        List<Claim> _claims = new List<Claim>();
                        _claims.AddRange(new List<Claim>
                        {
                            new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Name),
                            new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider",Name)
                        });
                    },

                    RedirectToIdentityProvider = n =>
                    {
                        if (n.ProtocolMessage.RequestType != OpenIdConnectRequestType.Logout)
                        {
                            return Task.FromResult(0);
                        }

                        var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");

                        if (idTokenHint != null)
                        {
                            n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
                        }

                        return Task.FromResult(0);
                    }
         }  

1 个答案:

答案 0 :(得分:0)

感谢d_f的帮助,我的问题已解决。 解决方案是使用通知从userInfo EndPoint显式检索声明,并将其添加到新的Identity中。请参阅上面的代码,其中包含Notifications = new OpenIdConnectAuthenticationNotifications {}