堆栈内存溢出
  简体   繁体   English

使用ASP.NET Core Web应用程序和.NET Core API进行ADFS单点登录

[英]ADFS single-sign on with ASP.NET Core web app and .NET Core API

 原文  2018-07-23 19:29:26       c#/ .net/ asp.net-core/ .net-core

问题描述

I have a .NET Core application consisting of a web front-end written as a single page app in React JS and backed by a .NET Core API services app to supply it's data. 我有一个.NET Core应用程序,该应用程序由Web前端组成,该Web前端在React JS中编写为单页应用程序,并由.NET Core API服务应用程序支持以提供其数据。 They're deployed as separate applications in IIS so the urls are like this. 它们作为独立的应用程序部署在IIS中,因此URL像这样。 

https://example.com/FooBar
https://example.com/FooBarAPI

I've been tasked with integrating the FooBar site with our corporate SSO which uses SAML and authenticates against ADFS. 我的任务是将FooBar网站与使用SAML并针对ADFS进行身份验证的公司SSO集成在一起。 They've provided me with a metadata xml file from ADFS that as I understand it this metadata contains all the details I need to put in my web.config to get this working. 他们为我提供了来自ADFS的元数据xml文件,据我所知,该元数据包含我需要放入web.config中才能运行的所有详细信息。 I've found some good examples on stackoverflow for getting the FooBar site protected from unauthorized access and working with SSO. 我在stackoverflow上找到了一些很好的示例,这些示例可以保护FooBar网站免受未经授权的访问并与SSO一起使用。

But what about the API app that the javascript needs to call? 但是JavaScript需要调用的API应用程序呢? How does that piece of the puzzle fit? 那个难题如何解决? How does the API know that the JS client is part of the same app/user and that they are authenticated to make requests for data? API如何知道JS客户端是同一应用程序/用户的一部分,并且已通过身份验证以请求数据?

1 个解决方案

解决方案1
 3  2018-07-23 20:50:47

How does the API know that the JS client is part of the same app/user and that they are authenticated to make requests for data? API如何知道JS客户端是同一应用程序/用户的一部分,并且已通过身份验证以请求数据?

Client registration identifies the JS client. 客户端注册标识JS客户端。 The implicit flow and its resultant id_token identifies the end-user. 隐式流及其结果id_token标识最终用户。

These are the very high level steps: 这些是非常高级的步骤:

  1. Register the JS client (the public client). 注册JS客户端(公共客户端)。
  2. From the JS client, use the ADFS implicit flow to fetch an end-user id_token . 从JS客户端,使用ADFS隐式流来获取最终用户id_token
  3. From the JS client, call your API with the id_token . 从JS客户端,使用id_token调用您的API。

This documentation appears to match your use case reasonably well and provides a high level overview: 该文档似乎可以很好地匹配您的用例,并提供高层次的概述:

...when the user signs in, the JavaScript front end uses Active Directory Authentication Library for JavaScript (ADAL.JS) and the implicit authorization grant to obtain an ID token (id_token) from Azure AD. ...当用户登录时,JavaScript前端使用JavaScript的Active Directory身份验证库(ADAL.JS)和隐式授权授予从Azure AD获取ID令牌(id_token)。 The token is cached and the client attaches it to the request as the bearer token when making calls to its Web API back end, which is secured using the OWIN middleware. 令牌被缓存,客户端在调用其Web API后端时将其作为承载令牌附加到请求,该令牌使用OWIN中间件进行保护。

在此处输入图片说明

If I were in your shoes, I would first make the demo application from that documentation work with my ADFS tenant. 如果我不知所措,则首先要使该文档中的演示应用程序与我的ADFS租户一起使用。 Then, I would translate its setup to my React/ASP.NET Core app. 然后,我将其设置转换为我的React / ASP.NET Core应用程序。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 ASP.NET Core 3.1:Web API 身份登录 - ASP.NET Core 3.1: Web API identity sign in ASP.NET Core使用ADFS中的范围来授权对Web API的访问 - Asp.NET Core use scopes from ADFS to authorize access to web api 在 ASP.Net 核心上处理 ADFS 响应 - Handle ADFS Response on ASP.Net core 使用entityframework core登录asp.net core app - Sign In in asp.net core app with entityframework core 从控制台应用程序启动 ASP.NET Core Web API - Start ASP.NET Core Web API from a Console App ASP.NET 内核 Web API 应用内多数据库 - ASP.NET Core Web API multi database in app Asp.net 核心 3.1 保护 API 和 web 应用程序 - Asp.net core 3.1 securing API and web app Web API的AuthorizeAttribute(ASP.NET Core 2) - AuthorizeAttribute for Web API (ASP.NET Core 2) ASP.NET Core 2 Web API模型 - ASP.NET Core 2 Web API models Azure上的Asp.Net Core Web API - Asp.Net Core Web API on Azure
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM