
Implementing OpenIdConnectOptions Events when using Authentication.AzureAD.UI Library

Question

I have been using a library I created from samples allowing me to authenticate a .NET core web app with Azure Active Directory and to take advantage of the various OpenIdConnectOptions events (e.g. OnTokenValidated) to add certain claims to the principal as well as add that data to an identity-like database so that APIs can make policy-based determinations of the caller based on their token.

But I would just rather use the Microsoft.AspNetCore.Authentication.AzureAD.UI NuGet package than my customized variation, I am just not sure how to reach in and access the event on the OpenIdConnectOptions.

I don't know if it's not something that can be done, or I just haven't got enough of a handle on dependency injection to figure out how to do that.

Or should I consider adding claims, etc. in a different part of the process?

public static AuthenticationBuilder AddAzureAD(
    this AuthenticationBuilder builder,
    string scheme,
    string openIdConnectScheme,
    string cookieScheme,
    string displayName,
    Action<AzureADOptions> configureOptions) {

    AddAdditionalMvcApplicationParts(builder.Services);
    builder.AddPolicyScheme(scheme, displayName, o => {
        o.ForwardDefault = cookieScheme;
        o.ForwardChallenge = openIdConnectScheme;
    });

    builder.Services.Configure(
        TryAddOpenIDCookieSchemeMappings(scheme, openIdConnectScheme, cookieScheme));

    builder.Services.TryAddSingleton<IConfigureOptions<AzureADOptions>, AzureADOptionsConfiguration>();

    // They put in their custom OpenIdConnect configuration, but I can't see how to get at the events.
    builder.Services.TryAddSingleton<IConfigureOptions<OpenIdConnectOptions>, OpenIdConnectOptionsConfiguration>();

    builder.Services.TryAddSingleton<IConfigureOptions<CookieAuthenticationOptions>, CookieOptionsConfiguration>();

    builder.Services.Configure(scheme, configureOptions);

    builder.AddOpenIdConnect(openIdConnectScheme, null, o => { });
    builder.AddCookie(cookieScheme, null, o => { });

    return builder;
}

Recommended answer

I might be a little late to the party here, but I've come across the same issue and found that the AzureAD authentication middleware is very sparsely documented. Adding the solution here for others struggling with the same question.

As you can see at the bottom of the code snippet in the question, the AzureAD provider actually relies on OpenIdConnect and Cookie auth providers under the hood, and does not implement any authentication logic itself.

To accomplish this, two additional authentication schemes are added, using the names defined as AzureADDefaults.OpenIdScheme and AzureADDefaults.CookieScheme, respectively.

(Although using the AddAzureAD(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder builder, string scheme, string openIdConnectScheme, string cookieScheme, string displayName, Action<AzureADOptions> configureOptions) overload).

That, in turn, allows configuring the effective OpenIdConnectOptions and CookieAuthenticationOptions by using the scheme names from above, including access to OpenIdConnectEvents.

See this complete example:

        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => Configuration.Bind("AzureAd", options));

        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
        {
            options.Events = new OpenIdConnectEvents
            {
                OnRedirectToIdentityProvider = async ctxt =>
                {
                    // Invoked before redirecting to the identity provider to authenticate. This can be used to set ProtocolMessage.State
                    // that will be persisted through the authentication process. The ProtocolMessage can also be used to add or customize
                    // parameters sent to the identity provider.
                    await Task.Yield();
                },
                OnMessageReceived = async ctxt =>
                {
                    // Invoked when a protocol message is first received.
                    await Task.Yield();
                },
                OnTicketReceived = async ctxt =>
                {
                    // Invoked after the remote ticket has been received.
                    // Can be used to modify the Principal before it is passed to the Cookie scheme for sign-in.
                    // This example removes all 'groups' claims from the Principal (assuming the AAD app has been configured
                    // with "groupMembershipClaims": "SecurityGroup"). Group memberships can be checked here and turned into
                    // roles, to be persisted in the cookie.
                    if (ctxt.Principal.Identity is ClaimsIdentity identity)
                    {
                        ctxt.Principal.FindAll(x => x.Type == "groups")
                            .ToList()
                            .ForEach(identity.RemoveClaim);
                    }                        
                    await Task.Yield();
                },
            };
        });

        services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
        {
            options.Events = new CookieAuthenticationEvents
            {
                // ...
            };
        });
