[英]Blazor Wasm .Net 5 - Implement both Individual User Accounts and Azure AD Authentication
Below Microsoft documentation explains how to protect a Blazor WASM Hosted app using two different authentication approach.下面的 Microsoft 文档说明了如何使用两种不同的身份验证方法保护 Blazor WASM 托管应用程序。
1. Individual User JWT Authorization(IdentityServer) 1.个人用户JWT授权(IdentityServer)
2. Azure AD Authentication 2. Azure AD认证
There is a need to provide end-user with both options by combining both authentication mechanism in a single app.需要通过在单个应用程序中结合两种身份验证机制来为最终用户提供两种选择。 The user should be able to choose one of the options from the login page.
用户应该能够从登录页面中选择其中一个选项。
The Azure AD option is just to give end-users to SSO experience and besides that, all authorization logic will be handled locally using individual user accounts. Azure AD 选项只是为最终用户提供 SSO 体验,除此之外,所有授权逻辑都将使用个人用户帐户在本地处理。
Once the user is authenticated using the Azure Adoption, there should be a way to link the user with a local ID to handle authorization logic etc.一旦使用 Azure Adoption 对用户进行身份验证,应该有一种方法可以将用户与本地 ID 联系起来以处理授权逻辑等。
I did a lot of online research but I couldn't find a guide or tutorial to implement this.我做了很多在线研究,但我找不到实现这一点的指南或教程。 I tried to implement this by combining the code but I'm stuck with:
我试图通过组合代码来实现这一点,但我坚持:
Blazor Client Code Blazor 客户端代码
public class Program
{
public static async Task Main(string[] args)
{
var builder = WebAssemblyHostBuilder.CreateDefault(args);
builder.RootComponents.Add<App>("#app");
builder.Services.AddHttpClient("BlazorWasmIndvAuth.ServerAPI", client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))
.AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();
builder.Services.AddScoped(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("BlazorWasmIndvAuth.ServerAPI"));
//OPTION 1
//Azure Ad Authentication
builder.Services.AddMsalAuthentication(options =>
{
builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
options.ProviderOptions.DefaultAccessTokenScopes.Add("api://123456/Api.Access");
});
//OPTION 2
//Individual User JWT authentication
builder.Services.AddApiAuthorization();
await builder.Build().RunAsync();
}
}
The quick answer is that your client application and API's prefers to only have to deal with one authorization server.快速的答案是您的客户端应用程序和 API 更喜欢只需要处理一个授权服务器。 Supporting multiple will be pretty messy.
支持多个将非常混乱。
My proposal is that your applications only deal with IdentityServer, but allow to login To Azure AD (Federated authentication) through IdentityServer.我的建议是您的应用程序只处理 IdentityServer,但允许通过 IdentityServer 登录到 Azure AD(联合身份验证)。 See the ExternalController.cs file in the QuickStartUI in IdentityServer.
请参阅 IdentityServer 中 QuickStartUI 中的 ExternalController.cs 文件。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.