更改后强制ASP.Net声明验证
[英]Force ASP.Net claims validation after they have been changed
问题描述
I'm developing an ASP.Net application with OWIN and currently I have a problem with claims. 
我正在用OWIN开发ASP.Net应用程序,目前我对索赔有疑问。 I have two levels of application: basic and advanced. 我有两个级别的应用程序:基本和高级。 Some features are available for advanced users only. 某些功能仅适用于高级用户。 So I check claims, and if user doesn't have claim advanced I return 403. But here I found the workaround which ruins this system: 因此,我检查了索赔,如果用户没有提出advanced索赔,则返回403。但是在这里,我发现了变通方法,该系统使该系统崩溃了:
- User activates advanced mode 用户激活高级模式
- He performs any action and save its access token 他执行任何操作并保存其访问令牌
- He disactivates advanced mode 他停用了高级模式
- Now he's able to perform actions just like he is in advanced mode with this token, however he actually has not permissions to do it. 现在,他可以像使用此令牌处于高级模式一样执行操作,但是实际上他没有执行此操作的权限。
I'm trying to find some fine solution for this situation but I have no ideas except set 1 minute timeout or always check AspNetUserClaims instead of cookie and so on, but they don't work in my case because he can activate a lifetime feature in this one minute interval and then use it forever. 我正在尝试为这种情况找到一些好的解决方案,但是除了set 1 minute timeout或always check AspNetUserClaims instead of cookie之外,我没有其他想法,但是在我的情况下它们不起作用,因为他可以激活以下功能:间隔一分钟,然后永久使用。
But i'd like to set some server-side flag like oops, this guy have just changed his cookies, check it from database or something to lower database roundtrips for common API calls. 但是我想设置一些服务器端标志,例如oops, this guy have just changed his cookies, check it from database或者oops, this guy have just changed his cookies, check it from database以降低通用API调用的数据库往返次数。
Is there any standard default way to do it? 是否有任何标准的默认方法? Or maybe I have just chosen a wrong instrument? 或者也许我只是选择了错误的乐器?
2 个解决方案
解决方案1
0 2017-10-06 10:13:52
You Need to send update cookies according to your claim value. 您需要根据您的索赔价值发送更新cookie。
Below is code to update your claim value. 以下是更新您的索赔价值的代码。
Inside your action when user disable/enable advanced mode, Then update user claims . 当用户禁用/启用高级模式时在您的操作内,然后更新用户claims 。
var isAdvanced= "1";
var identity = (ClaimsIdentity)User.Identity;
// check if claim exist or not.
var existingClaim = identity.FindFirst("IsAdvanced");
if (existingClaim != null)
identity.RemoveClaim(existingClaim);
// add/update claim value.
identity.AddClaim(new Claim("IsAdvanced", isAdvanced));
IOwinContext context = Request.GetOwinContext();
var authenticationContext = await context.Authentication.AuthenticateAsync(DefaultAuthenticationTypes.ExternalCookie);
if (authenticationContext != null)
{
authenticationManager.AuthenticationResponseGrant = new AuthenticationResponseGrant(identity,authenticationContext.Properties);
}
As soon as you will made a redirection, you will get your get updated claim value, hence you don't need to make database round trip. 重定向后,您将获得更新的声明值,因此无需进行数据库往返。
解决方案2
0 已采纳 2018-01-16 14:03:04
Unfortunly, the only way I found is actually query DB itself and check if user has valid credentials: 不幸的是,我发现的唯一方法实际上是查询数据库本身,并检查用户是否具有有效的凭据:
public bool HasRequiredClaims(string[] requiredClaims)
{
using (var context = new ApplicationDbContext())
{
int actualNumberOfClaims = context.Users
.SelectMany(x => x.Claims)
.Count(c => requiredClaims.Contains(c.ClaimValue)); // claim values are unique per user (in my case) so I don't have to filter on user
return actualNumberOfClaims == claimsValuesToSearch.Length;
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.