[英]User.Identity.Name is null after federated Azure AD login with aspnetcore 2.2
I've followed AzureAD aspnetcore sample as closely as possible to try and implement Azure AD authentication in our aspnetcore 2.2 webapp.我尽可能地遵循 AzureAD aspnetcore 示例,尝试在我们的 aspnetcore 2.2 webapp 中实现 Azure AD 身份验证。 I am able to login successfully using Azure AD.
我可以使用 Azure AD 成功登录。 However, the user's name is not being displayed AFTER login.
但是,登录后不会显示用户名。
https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp
This value should be read in the view from the User.Identity.Name property.该值应该从 User.Identity.Name 属性的视图中读取。
On further inspection, I can see that the principal claims are being correctly returned to the application.在进一步检查中,我可以看到主要索赔已正确返回到应用程序。 However, for some reason the HttpContext.User object is not correctly populated.
但是,由于某种原因 HttpContext.User 对象未正确填充。 I don't know why this is happening.
我不知道为什么会这样。 When I look at the same value from the sample above, HttpContext is correctly set.
当我从上面的示例中查看相同的值时,HttpContext 设置正确。 For clarification, I have implemented OnSecurityTokenValidated handler and I use this context:
为了澄清起见,我已经实现了 OnSecurityTokenValidated 处理程序并使用了以下上下文:
As can be seen, userPrincipal has the claims as expected.可以看出, userPrincipal 具有预期的声明。
However, the httpContext has no claims.但是,httpContext 没有声明。 Also User.Identity.Name therefore is null:
因此 User.Identity.Name 也为空:
I've tried to carry out a manual signin, but that doesn't work either:我试图进行手动登录,但这也不起作用:
private async Task SignInUser(TokenValidatedContext tokenValidatedContext)
{
var httpContext = tokenValidatedContext.HttpContext;
var userPrincipal = tokenValidatedContext.Principal;
await httpContext.SignOutAsync(AppSettings.CookieName);
await httpContext.SignInAsync(AppSettings.CookieName, userPrincipal,
new AuthenticationProperties
{
ExpiresUtc = DateTime.UtcNow.AddDays(1),
IsPersistent = false,
AllowRefresh = false
});
}
Update更新
I am setting the NameClaimType as shown above.我正在设置 NameClaimType,如上所示。 The NameClaimType is set in Configure
NameClaimType 在配置中设置
Anyone have any idea what I am doing wrong?任何人都知道我做错了什么?
I am using Visual Studio 2017 & aspnetcore 2.2 libraries.我正在使用 Visual Studio 2017 和 aspnetcore 2.2 库。 I've upgraded Microsoft.Identity.Client to 2.7
我已将 Microsoft.Identity.Client 升级到 2.7
Do you set the NameClaimType
in OpenIdConnectOptions
configuration:您
NameClaimType
在OpenIdConnectOptions
配置中设置了NameClaimType
:
options.TokenValidationParameters = new TokenValidationParameters() { NameClaimType = "name" };
To test the scenario , i create a new asp.net core 2.2 application with default MVC template :为了测试场景,我使用默认的 MVC 模板创建了一个新的 asp.net core 2.2 应用程序:
MSALSessionCache
, AzureAdB2COptions
, OpenIdConnectOptionsSetup
from the code sampleMSALSessionCache
、 AzureAdB2COptions
、 OpenIdConnectOptionsSetup
Startup.cs
and appsettings.json
based on code sample's configuration .Startup.cs
和appsettings.json
。 I haven't create my own application & Api , just use fabrikamb2c
domain as code sample provides , even though some method is obsolete in .net core 2.2 , for example , cache.HasStateChanged
.我还没有创建自己的应用程序和 Api,只是使用
fabrikamb2c
域作为代码示例提供,即使某些方法在 .net core 2.2 中已过时,例如cache.HasStateChanged
。 The authecation still works and get correct name with User.Identity.Name
, HttpContext.User.Claims
also be set :身份验证仍然有效并使用
User.Identity.Name
获得正确的名称, HttpContext.User.Claims
也被设置:
You might provide more detiails to help reproduce your issue .您可以提供更多详细信息以帮助重现您的问题。
I think I've got the answer to this, although it leads to new questions.我想我已经得到了答案,尽管它会导致新的问题。
Basically, our code uses Identity as well as AzureADB2C.基本上,我们的代码使用 Identity 和 AzureADB2C。 The Identity is conflicting with the AzureADB2C login process.
标识与 AzureADB2C 登录过程发生冲突。 Login is successful and the token is being returned, but on return it is somehow being erased by Identity.
登录成功并且正在返回令牌,但在返回时它以某种方式被 Identity 擦除。
This is the code that I have in Startup.cs:这是我在 Startup.cs 中的代码:
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddAzureAdB2C(options => Configuration.Bind("Authentication:AzureAdB2C", options))
.AddCookie();
services.Configure<CookiePolicyOptions>(options =>
{
// This lambda determines whether user consent for non-essential cookies is needed for a given request.
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
});
services.Configure<ApiBehaviorOptions>(options =>
{
options.InvalidModelStateResponseFactory = ctx => new ValidationProblemDetailsResult();
});
services.AddOptions();
ConfigureMvc(services);
// Add Identity services to the services container.
services.SetupIdentity();
SetupIdentity is an extension method that contains the following: SetupIdentity 是一个扩展方法,包含以下内容:
services.AddIdentity<ApplicationUser, ApplicationRole>(o => {
o.Password.RequiredLength = 8;
o.Password.RequireDigit = true;
o.Password.RequireLowercase = true;
o.Password.RequireUppercase = true;
o.Password.RequireNonAlphanumeric = true;
})
.AddEntityFrameworkStores<ApplicationContext>()
.AddDefaultTokenProviders()
.AddUserStore<UserStore<ApplicationUser, ApplicationRole, ApplicationContext, Guid>>()
.AddRoleStore<RoleStore<ApplicationRole, ApplicationContext, Guid>>();
The idea is that AAD will be used for authentication, and local Identity roles will be used for giving the user various permissions on the app.这个想法是 AAD 将用于身份验证,本地身份角色将用于为用户提供应用程序的各种权限。 Based on this issue, looks like we will have to rethink our security.
基于这个问题,看起来我们将不得不重新考虑我们的安全性。
The question is, can AAD and Identity really not be used together?问题是,AAD和Identity真的不能一起用吗? I'd want a scenario where a user id from AAD is returned, stored in local sql, and then this user id used in the local database to connect the user to variable entities.
我想要一个场景,其中返回来自 AAD 的用户 ID,存储在本地 sql 中,然后在本地数据库中使用此用户 ID 将用户连接到可变实体。 If AAD and Identity can't be used together, what is the alternative?
如果 AAD 和 Identity 不能一起使用,有什么替代方法? Ie what's the best way to connect an AAD user to a local database?
即,将 AAD 用户连接到本地数据库的最佳方式是什么? Can anyone point me to some MS articles that discuss this?
谁能指点我一些讨论这个的 MS 文章?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.