ASP.NET 核心。 如何在没有身份用户帐户的情况下创建身份验证 cookie?
[英]ASP.NET Core. How can i create an auth cookie without an identity user account?
问题描述
My app creates an Guid Event token
我的应用程序创建了一个Guid Event 令牌
The customer visits the url of the event like so.客户访问事件的url是这样的。 https://example.com/event/a3b2e538-e87c-4444-a655-5171f263ac70 https://example.com/event/a3b2e538-e87c-4444-a655-5171f263ac70
The customer is then redirected to a login form to provide the event password.然后将客户重定向到登录表单以提供活动密码。
If the password maches the event token customer will be able to see the event.如果密码匹配事件令牌,客户将能够看到该事件。 Can i acomblish this without an Identity user account?我可以在没有身份用户帐户的情况下完成这个吗? (I do not wish to follow the classical user identity login approach, in this case). (在这种情况下,我不希望遵循经典的用户身份登录方法)。
Maybe something like creating an auth cookie and use it, in the upcoming requests.也许在即将到来的请求中创建一个 auth cookie 并使用它。
[HttpPost]
[Route("validate/{code}")]
public IActionResult Cookie(string code)
{
var user = true; //Validate event token against event password supplied by user
if (user == true)
{
var ident = _userManager.CreateAuthCookie(user, DefaultAuthenticationTypes.ApplicationCookie);
HttpContext.GetOwinContext().Authentication.SignIn(new AuthenticationProperties { IsPersistent = false }, ident);
return Redirect("Wherever");
}
ModelState.AddModelError("", "Invalid login attempt");
return View();
}
1 个解决方案
解决方案1
1 已采纳 2020-10-24 17:28:53
I guess, I understand your point.我想,我理解你的意思。 You want to create a custom Owin Authentication Framework.您想要创建自定义 Owin 身份验证框架。 The same thing can be achieved using JWT token.使用 JWT 令牌可以实现同样的事情。 It has advantages over OWIN Authentication.它比 OWIN 身份验证具有优势。
But if you want to design something like this using OWIN, Please take care of these:但是如果你想使用 OWIN 设计这样的东西,请注意这些:
- First and most important thing, the parameter passed in the url should not have any password or sensitive value.首先也是最重要的一点,url 中传递的参数不应包含任何密码或敏感值。 The URL token should be encoded (for encoding u can refer https://www.nuget.org/packages/Microsoft.Owin.Security/ ) and that encoded token can carry this information. URL 令牌应该被编码(关于编码你可以参考https://www.nuget.org/packages/Microsoft.Owin.Security/ )并且编码的令牌可以携带此信息。 While encoding, you can encode someID (not email address), some sourcecd (that tells the token is from the valid source), some time limit and how many times that token will be valid.在编码时,您可以编码一些 ID(不是 email 地址)、一些 sourcecd(告诉令牌来自有效来源)、一些时间限制以及该令牌有效的次数。
Now, when you get the call to your API end point, you can decode that token, validate and then extract that someID, and make a call to your DB to understand, if the user is valid.现在,当您收到对 API 端点的调用时,您可以解码该令牌、验证然后提取该 someID,然后调用您的数据库以了解用户是否有效。
Important: Encoding and decoding algorithm plays a very important role here.重要:编码和解码算法在这里起着非常重要的作用。 So, your encoding and decoding token should not be exposed anywhere.因此,您的编码和解码令牌不应暴露在任何地方。
If he is a valid user, then create a claimsIdentity object.如果他是有效用户,则创建 claimsIdentity object。
ClaimsIdentity identity = new ClaimsIdentity();
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, identity.FindFirst("sub").Value));
identity.AddClaim(new Claim("Name", <<add your claims like this>>));
identity = new ClaimsIdentity(identity.Claims, "ApplicationCookie");
AuthenticationProperties properties = new AuthenticationProperties();
AuthenticationManager.SignIn(properties, identity);
Setup Authentication class object in your controller or to a seperate file:在您的 controller 或单独的文件中设置身份验证 class object:
using Microsoft.Owin.Security;
private IAuthenticationManager authenticationManager;
public IAuthenticationManager AuthenticationManager
{
get
{
if (authenticationManager == null)
authenticationManager = HttpContext.GetOwinContext().Authentication;
return authenticationManager;
}
set { authenticationManager = value; }
}
You should also have OWIN layer configured in the middlelayer.您还应该在中间层配置 OWIN 层。 You can configure OWIN middle layer based on.Net framework or.Net Core可以基于.Net framework或者.Net Core配置OWIN中间层
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.