Register a single ASP.NET Core 3.1 application with Azure AD and share authentication with many different ASP.NET Core 3.1 applications
I have created one ASP.NET Core 3.1 application and I have implemented Azure AD OpenID Connect based authentication. I want to share this authentication mechanism with other ASP.NET Core 3.1 applications, instead of creating this logic with every application. All of the apps will reside on the same IIS server.
Would it make sense to pull out the logic within the Startup.cs code related to Azure AD to one application, consisting just of the Azure AD authentication code, with other apps redirecting to this application for authentication? What is the best way to do this? Or should every application be registered explicitly in Azure AD and have their own Azure AD code in the Startup.cs file? Or do I have to implement an on-premises Identity Server that is integrated with Azure AD OpenID Connect in some way?
Jeremy's points are very good, so I would mark his as the accepted answer. Here is a bit more detail though.
SHARING OIDC PLUMBING
The usual option is to produce a small shared C# library with the common plumbing, then plug that into each app.
Each app needs to be able to deal with OIDC redirects and responses, along with auth cookies, handling expiry etc.
STANDARD 'SINGLE SIGN ON' OPTION
This is the most standard and recommended approach:
If the user navigates from App A to App B they are redirected but sign on is automatic, due to the Authorization Server Session Cookie, so the experience is seamless.
INTEGRATED WEB PLATFORM OPTION
In some cases you may want to avoid the extra redirect in the same way as Google does:
To implement this in OIDC you could do this:
Auth cookie properties would include these:
I usually recommend against this option though, since it can easily cause more problems over time than it solves:
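The shared-library approach described in this answer, as an added example (not code from the answerer or from the question's project): one extension method in a class library that every app calls from its Startup.ConfigureServices. The method name AddSharedAzureAdAuth, the "AzureAd" configuration section and the per-app cookie-name parameter are assumptions made for this example.

```csharp
// Shared class library referenced by every ASP.NET Core 3.1 app on the IIS host.
// AddSharedAzureAdAuth, the "AzureAd" config section and the cookieName
// parameter are names assumed for this example, not part of the original post.
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public static class SharedAzureAdAuth
{
    public static IServiceCollection AddSharedAzureAdAuth(
        this IServiceCollection services, IConfiguration config, string cookieName)
    {
        // Expects an "AzureAd" section with TenantId, ClientId, ClientSecret and CallbackPath.
        var azureAd = config.GetSection("AzureAd");

        services.AddAuthentication(options =>
        {
            // The cookie keeps the user signed in; OIDC is only used for the challenge.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            // Distinct name per app so apps sharing the same host do not clobber each other's cookie.
            options.Cookie.Name = cookieName;
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Lax; // Strict would drop the cookie on the redirect back from Azure AD
            options.ExpireTimeSpan = TimeSpan.FromHours(1);
            options.SlidingExpiration = true;
        })
        .AddOpenIdConnect(options =>
        {
            options.Authority = $"https://login.microsoftonline.com/{azureAd["TenantId"]}/v2.0";
            options.ClientId = azureAd["ClientId"];
            options.ClientSecret = azureAd["ClientSecret"];
            // Each app's own https://host/<app>/signin-oidc must be listed as a redirect URI in the registration.
            options.CallbackPath = azureAd["CallbackPath"] ?? "/signin-oidc";
            options.ResponseType = OpenIdConnectResponseType.Code; // authorization code flow, not implicit
            options.UsePkce = true;
            options.SaveTokens = false; // keep access/refresh tokens out of the cookie unless an app needs them
            options.TokenValidationParameters.NameClaimType = "name";
        });

        return services;
    }
}
```

Each app then calls services.AddSharedAzureAdAuth(Configuration, "AppA.Auth") in ConfigureServices and keeps the usual app.UseAuthentication() and app.UseAuthorization() in Configure; only the cookie name and the app's own redirect URI differ between apps.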