[英]Using WebApi to authenticate with ADFS
We are trying to create following scenario: 我们正在尝试创建以下场景:
Html page sends ajax request to WebApi asking wheter user has certain user role or not. HTML页面向WebApi发送ajax请求,询问用户是否具有某些用户角色。 WebApi checks from ADFS if user is logged in (if not, WebApi authenticates user).
WebApi从ADFS检查用户是否已登录(如果没有,则WebApi对用户进行身份验证)。 WebApi then reads user roles from ADFS and returns true/false to html page.
然后,WebApi从ADFS读取用户角色并将true / false返回到html页面。
What we have so far: 到目前为止,我们拥有:
Ajax sends Get-request to WebApi. Ajax将Get-request发送到WebApi。 In WebApi we have Authorize-tag, which correctly sends user to ADFS-authentication.
在WebApi中,我们具有Authorize标签,该标签可以正确地将用户发送到ADFS身份验证。 However, after authentication ADFS returns html-page containing saml information to client instead of WebApi.
但是,在身份验证之后,ADFS会将包含saml信息的html-page返回给客户端而不是WebApi。 So now we create another ajax request (post this time) which has received html-page as data.
所以现在我们创建另一个ajax请求(此次发布),它已经收到html-page作为数据。 WebApi then parses this and returns either true/false based on user roles in SAML-response.
WebApi然后解析它并根据SAML响应中的用户角色返回true / false。
Questions: 问题:
Currently used mechanism seems clunky. 目前使用的机制似乎很笨重。 Is this mechanism correct or is there a better way to do this?
这种机制是正确的还是有更好的方法来做到这一点?
If we use method above, is there a possibility that user edits received html-page and gives himself roles that he doesn't really have? 如果我们使用上面的方法,是否有可能用户编辑收到的html-page并给自己没有真正拥有的角色?
Codes: 代码:
Ajax: 阿贾克斯:
var uri = 'api/user';
$(document).ready(function () {
$.ajax({
url: uri,
type: "Get",
success: function (data) {
$.ajax({
url: uri,
type: "POST",
data: data,
success: function (value) {
if (value == true) {
$('#userData').text('You have correct role.');
}
else {
$('#userData').text('You don't have correct role.');
}
},
error: function (jqXHR, textStatus, err) {
window.location.href = "NotLoggedIn.html";
}
})
},
error: function (jqXHR, textStatus, err) {
window.location.href = "NotLoggedIn.html";
}
});
});
Startup.Auth.cs: Startup.Auth.cs:
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(WsFederationAuthenticationDefaults.AuthenticationType);
app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
{
MetadataAddress = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"],
Wtrealm = ConfigurationManager.AppSettings["ida:Audience"],
});
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
});
}
UserController: UserController的:
namespace SSOWebApiSample.Controllers{
[RoutePrefix("api/user")]
public class UserController : ApiController
{
[HttpGet]
[Route("")]
[Authorize]
public IHttpActionResult GetUser()
{
return Ok();
}
[HttpPost]
[Route("")]
public async Task<IHttpActionResult> PostUser()
{
bool isAdditionalInfoAllowedUser = false;
string result = await Request.Content.ReadAsStringAsync();
//Parse result here
return Ok(isAdditionalInfoAllowedUser);
}
}
}
AdalJS will clean this up nicely. AdalJS会很好地清理它。 Please refer to the following:
请参考以下内容:
To make successful CORS Web API calls with ADFS authentication, I found needed to set instance, tenant, clientId, and endpoints members when calling adalAuthenticationService.init() in my Angular app's Config. 为了使用ADFS身份验证成功进行CORS Web API调用,我发现在Angular应用程序的Config中调用adalAuthenticationService.init()时需要设置实例,租户,clientId和端点成员。 See sample two for endpoints example, but replace GUID with URL.
有关端点示例,请参见示例2,但将GUID替换为URL。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.