在 ASP.Net 应用程序上结合 ADFS 身份验证和 JWT Bearer
[英]Combine ADFS Authentication and JWT Bearer on ASP.Net Application
问题描述
I have a web API written in ASP.NET and frontend written in Angular.
我有一个用 ASP.NET 编写的 Web API 和用 Angular 编写的前端。 Authentication on the API side can be configured to use either Windows Authentication, ADFS Authentication or JWT Bearer. API 端的身份验证可以配置为使用 Windows 身份验证、ADFS 身份验证或 JWT 承载。 But for a particular deployment, only one type of authentication is supported.但对于特定部署,仅支持一种类型的身份验证。
For the ADFS authentication I am using angular-oauth2-oidc on the Angular side.对于 ADFS 身份验证,我在 Angular 一侧使用了angular-oauth2-oidc 。
On the API side, this is how I am configuring the ADFS authentication in the startup.cs file.在 API 方面,这就是我在startup.cs文件中配置 ADFS 身份验证的方式。
public void ConfigureAuth(IAppBuilder app)
{
app.UseActiveDirectoryFederationServicesBearerAuthentication
(new ActiveDirectoryFederationServicesBearerAuthenticationOptions
{
BackchannelCertificateValidator = new CertificateValidator(),
MetadataEndpoint = System.Configuration.ConfigurationManager.AppSettings["ida:ADFSMetadata"],
TokenValidationParameters = new TokenValidationParameters()
{
ValidAudience = System.Configuration.ConfigurationManager.AppSettings["ida:Audience"],
ValidIssuer = System.Configuration.ConfigurationManager.AppSettings["ida:ValidIssuer"]
},
Provider = new OAuthBearerAuthenticationProvider()
{
OnValidateIdentity = async context =>
{
var identity = context.Ticket.Identity;
var emailAddress = identity.FindFirst(ClaimTypes.Email).Value;
using (AuthRepository repo = new AuthRepository())
{
var userManager = repo.GetUserManager();
var aspNetUser = userManager.FindByEmailAsync(emailAddress).GetAwaiter().GetResult();
if (aspNetUser != null)
{
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, aspNetUser.Id));
await ProfileManager.AddClaimsToIdentity(identity, aspNetUser.SelectedProfile);
}
}
}
}
});
}
What I want is to combine ADFS authentication with JWT Bearer in such a way that if the entered email address is associated with my company domain like "email@mycompany.com", it authenticates against the ADFS and if it's any other email, it uses JWT Bearer authentication.我想要的是将 ADFS 身份验证与 JWT Bearer 相结合,如果输入的电子邮件地址与我的公司域(如“email@mycompany.com”)相关联,则它会针对 ADFS 进行身份验证,如果是任何其他电子邮件,它会使用JWT 承载身份验证。
I know different type of authentications can be combined in ASP.NET Core (example here ) but my API is not built using the Core.我知道可以在 ASP.NET Core 中组合不同类型的身份验证( 此处的示例),但我的 API 不是使用 Core 构建的。
I have tried to find the same feature for ASP.NET but I couldn't find one.我试图为 ASP.NET 找到相同的功能,但我找不到。 I would like to know if this is possible to achieve and if yes, I will really appreciate if someone can give me a pointer.我想知道这是否可以实现,如果可以,如果有人能给我指点,我将不胜感激。
1 个解决方案
解决方案1
0 2020-02-18 08:38:23
On this question:关于这个问题:
What I want is to combine ADFS authentication with JWT Bearer in such a way that if the entered email address is associated with my company domain like "email@mycompany.com", it authenticates against the ADFS and if it's any other email, it uses JWT Bearer authentication.
As far as I know, it is possible.据我所知,这是可能的。
Have you tried Microsoft Identity Platform?您是否尝试过 Microsoft 身份平台? This is a specific Azure SDK for managing identities, including support for ADFS 3.0 in Windows Server 2012 and later.这是用于管理身份的特定 Azure SDK,包括对 Windows Server 2012 及更高版本中的 ADFS 3.0 的支持。 It is also easier to use, because this MIcrosoft Identity Platform is using OpenIDConnect with OAuth 2.0, therefore you can use ADFS that has JWT bearer.它也更易于使用,因为此 MIcrosoft Identity Platform 使用 OpenIDConnect 和 OAuth 2.0,因此您可以使用具有 JWT 承载的 ADFS。
This is the official docs page: https://docs.microsoft.com/en-us/azure/active-directory/develop/这是官方文档页面: https : //docs.microsoft.com/en-us/azure/active-directory/develop/
The landing page has various samples for you to get started.登陆页面有各种示例供您入门。 Since you are using .NET Core, the Microsoft Identity Platform SDK has sample that you can use is the sample using .NET Core: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-core-webapp由于您使用的是 .NET Core,Microsoft Identity Platform SDK 有您可以使用的示例是使用 .NET Core 的示例: https : //docs.microsoft.com/en-us/azure/active-directory/develop/quickstart -v2-aspnet-core-webapp
This is a github repo that contains various sample beside that tutorial: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2这是一个 github 存储库,其中包含该教程旁边的各种示例: https : //github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2
UPDATE 1: Current documentation of ADFS in Windows Server 2016 only shows support for OAuth2/OpenIDConnect, and it is using JWT Bearer: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/ad-fs-openid-connect-oauth-concepts更新 1:Windows Server 2016 中 ADFS 的当前文档仅显示对 OAuth2/OpenIDConnect 的支持,并且它使用的是 JWT Bearer: https ://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ 开发/ad-fs-openid-connect-oauth-concepts
I have searched for specific "ADFS Bearer Token Authentication" in the MS official documentation, and it's not available at all.我在MS官方文档中搜索了特定的“ADFS Bearer Token Authentication”,完全没有。 All of the current doc is mentioning about ADFS 3.0 and later (including ADFS in Windows Server 2016 and 2019) is using OAuth2/OpenIDConnect.当前的所有文档都提到 ADFS 3.0 及更高版本(包括 Windows Server 2016 和 2019 中的 ADFS)正在使用 OAuth2/OpenIDConnect。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.