使用 Azure AD 注册单个 ASP.NET 核心 3.1 应用程序,并与许多不同的 ASP.NET 3.1 核心应用程序共享身份验证
[英]Register a single ASP.NET Core 3.1 application with Azure AD and share authentication with many different ASP.NET 3.1 core applications
问题描述
I have created one ASP.NET Core 3.1 application and I have implemented Azure AD OpenID Connect based authentication.
我创建了一个ASP.NET Core 3.1应用程序,并实现了 Azure AD OpenID Connect基于身份验证。 I want to share this authentication mechanism with other ASP.NET Core 3.1 applications, instead creating this logic with every application.我想与其他ASP.NET Core 3.1应用程序共享此身份验证机制,而不是为每个应用程序创建此逻辑。 All of the apps will reside on the same IIS server.所有应用程序都将驻留在同一个 IIS 服务器上。
Would it make sense to pull out the logic within the Startup.cs code related to Azure AD to one application, consisting just of the Azure AD authentication code, with other apps redirecting to this application for authentication?将与 Azure AD 相关的Startup.cs代码中的逻辑提取到一个应用程序中是否有意义,该应用程序仅包含 Azure AD 身份验证代码,其他应用程序重定向到此应用程序进行身份验证? What is the best way to do this?做这个的最好方式是什么? Or should every application be registered explicitly in Azure AD and have their own Azure AD code in the Startup.cs file?还是应该在 Azure AD 中明确注册每个应用程序,并在Startup.cs文件中拥有自己的 Azure AD 代码? Or do I have to implement on premises Identity Server that is integrated with Azure AD OpenID Connect in some way?或者我是否必须以某种方式实施与 Azure AD OpenID Connect 集成的本地身份服务器?
1 个解决方案
解决方案1
2 2020-08-16 11:52:48
Jeremy's points are very good, so I would mark his as the accepted answer.杰里米的观点非常好,所以我会将他标记为已接受的答案。 Here is a bit more detail though.不过,这里有更多细节。
SHARING OIDC PLUMBING共享 OIDC 管道
The usual option is to produce a small shared C# library with the common plumbing, then plug that into each app.通常的选择是使用通用管道生成一个小型共享 C# 库,然后将其插入每个应用程序。
Each app needs to be able to deal with OIDC redirects and responses, along with auth cookies, handling expiry etc.每个应用程序都需要能够处理 OIDC 重定向和响应,以及身份验证 cookies、处理到期等。
STANDARD 'SINGLE SIGN ON' OPTION标准“单点登录”选项
This is the most standard and recommended approach:这是最标准和推荐的方法:
- Each app has its own OAuth Client Configuration每个应用程序都有自己的 OAuth 客户端配置
- Each app has its own client_id and redirect_uri每个应用程序都有自己的 client_id 和 redirect_uri
- Each app gets its own OAuth tokens and Auth cookies每个应用程序都有自己的 OAuth 令牌和 Auth cookies
If the user navigates from App A to App B they are redirected but sign on is automatic, due to the Authorization Server Session Cookie, so the experience is seamless.如果用户从 App A 导航到 App B,他们会被重定向但登录是自动的,因为授权服务器 Session Cookie,所以体验是无缝的。
INTEGRATED WEB PLATFORM OPTION集成 WEB 平台选项
In some cases you may want to avoid the extra redirect in the same way as Google does:在某些情况下,您可能希望以与 Google 相同的方式避免额外的重定向:
- User logs in to GMail (mail.google.com) and is redirected用户登录到 GMail (mail.google.com) 并被重定向
- User navigates to Google Drive (drive.google.com)用户导航到 Google Drive (drive.google.com)
- There is no second redirect for the Drive app云端硬盘应用没有第二次重定向
To implement this in OIDC you could do this:要在 OIDC 中实现这一点,您可以这样做:
- Register a single OAuth client for all apps为所有应用注册一个 OAuth 客户端
- Assign multiple redirect and post logout Uris分配多个重定向和注销后 Uris
Auth cookie properties would include these: Auth cookie 属性将包括以下内容:
- Domain =.google.com域=.google.com
- Path = /路径 = /
- Http Only仅 Http
- Secure安全的
- SameSite = strict SameSite = 严格
I usually recommend against this option though, since it can easily cause more problems over time than it solves:不过,我通常建议不要使用此选项,因为随着时间的推移,它很容易导致比它解决的问题更多的问题:
- Cookies and tokens can end up having too many privileges Cookies 和令牌最终可能拥有太多权限
- If an attacker steals a token / cookie they can do more with it如果攻击者窃取了令牌/cookie,他们可以用它做更多事情
- Apps are more likely to impact each other in multiple ways应用程序更有可能以多种方式相互影响
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.