[英]ASP.NET Identity + Bearer Token + Multi-Tenant
I've created a multi-tenant application using Entity Framework, WebAPI, ASP.NET Identity. 我使用Entity Framework,WebAPI和ASP.NET Identity创建了一个多租户应用程序。 Basically it reads the subdomain of the tenant and using it to read the connection string from the database and sets it on runtime.
基本上,它读取租户的子域并使用它从数据库中读取连接字符串并在运行时设置它。
Everything is great, database is creating etc, but the only issue now is the ASP.NET Identity Bearer Token. 一切都很棒,数据库正在创建等,但现在唯一的问题是ASP.NET身份承载令牌。
When I've generated a bearer access token for http://tenant1.#####.com/token , it seems that the token is signed on the same application (no machine key was specified) and it's allowing access to http://tenant2.#####.com controllers as well, which shouldn't be the case as it's different subdomains / tenants. 当我为http://tenant1.#####.com/token生成一个承载访问令牌时,似乎该令牌在同一个应用程序上签名(没有指定机器密钥),它允许访问http ://tenant2.#####.com控制器也是如此,因为它是不同的子域名/租户。
Are there any ways around this? 这有什么办法吗? Or perhaps I should be looking into other Security Framework and not ASP.NET Identity?
或许我应该研究其他安全框架而不是ASP.NET身份?
MVC5 makes it easy to add a tenant name claim to the user identity. MVC5可以轻松地将租户名称声明添加到用户身份。 In the Models directory, edit the
ApplicationUser
class in IdentityModels.cs
: 在Models目录中,编辑
IdentityModels.cs
的ApplicationUser
类:
public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager)
{
// Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
// Add claim for tenant name
userIdentity.AddClaim(new Claim("tenantName", "abcCompany");
// Add custom user claims here
return userIdentity;
}
Then when an authenticated request is processed, validate that the User contains correct claim and value. 然后,在处理经过身份验证的请求时,验证用户是否包含正确的声明和值。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.