How do the ASP.NET Core 5 OpenIdConnect authentication cookies work in theory?
We are trying to understand how the authentication cookies (ASP.NET Core 5.0 - Microsoft.AspNetCore.Authentication.OpenIdConnect version 5.0.11) work with the Authorization Code Flow without PKCE.
Auth Process
The auth process looks like this: the login in the frontend redirects to the login endpoint of the AuthController and starts the OpenID Connect process. So you are authenticated by the Identity Provider and the cookies are set for the user, which are sent with every call of the API to check if the request is authenticated.
3 cookies are created in the process:
Cookie #1:
Cookie #2:
Cookie #3:
Questions
How are these .AspNetCore cookies used for authentication? We tried to decrypt the cookie (How to manually decrypt an ASP.NET Core Authentication cookie?) to understand how it works but this did not work for us.
Unfortunately, we have not yet found an answer as to how the cookie is generated (with name and value) in theory.
I hope the questions were understandable and I would appreciate it if someone could answer them.
Code snippets for a better understanding. Hopefully :)
AuthController:
// https://auth0.com/blog/backend-for-frontend-pattern-with-auth0-and-dotnet/
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Newtonsoft.Json;

public class AuthController : Controller
{
    // Challenges the OpenID Connect scheme; after the callback the default sign-in
    // scheme (the cookie handler) issues the authentication cookie and redirects to returnUrl.
    public ActionResult Login(string returnUrl = "/login")
    {
        return new ChallengeResult(OpenIdConnectDefaults.AuthenticationScheme,
            new AuthenticationProperties { RedirectUri = returnUrl });
    }

    [Authorize]
    public async Task<ActionResult> Logout()
    {
        // Clears the local cookie session first, then signs out at the identity provider.
        await HttpContext.SignOutAsync();
        return new SignOutResult(OpenIdConnectDefaults.AuthenticationScheme, new AuthenticationProperties
        {
            //RedirectUri = Url.Action("Index", "Home")
            RedirectUri = "/logout"
        });
    }

    //[Authorize]
    public ActionResult GetUser()
    {
        // Returns the claims of the principal that the cookie handler restored from the cookie.
        var jsonReturn = new Dictionary<string, string>();
        if (User != null && User.Identity.IsAuthenticated)
        {
            jsonReturn.Add("isAuthenticated", "true");
            foreach (var claim in ((ClaimsIdentity)this.User.Identity).Claims)
            {
                jsonReturn.Add(claim.Type, claim.Value);
            }
            return Json(JsonConvert.SerializeObject(jsonReturn));
        }
        jsonReturn.Add("isAuthenticated", "false");
        return Json(JsonConvert.SerializeObject(jsonReturn));
    }
}
Startup:
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public void ConfigureServices(IServiceCollection services)
{
    // Keep the original JWT claim type names instead of mapping them to the WS-* URIs.
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddCookie(o =>
    {
        // Cookie is only sent over HTTPS, never on cross-site requests, and is invisible to scripts.
        o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        o.Cookie.SameSite = SameSiteMode.Strict;
        o.Cookie.HttpOnly = true;
    })
    .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options => ConfigureOpenIdConnect(options));
}

private void ConfigureOpenIdConnect(OpenIdConnectOptions options)
{
    options.Authority = "<identity provider url>";
    options.ClientId = "<clientId>";
    options.ClientSecret = "<clientSecret>";
    // The identity provider posts the authorization code back to CallbackPath.
    options.ResponseMode = OpenIdConnectResponseMode.FormPost;
    options.Scope.Clear();
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("offline_access");
    options.CallbackPath = new PathString("/callback");
    // Store the id/access/refresh tokens in the authentication cookie as well.
    options.SaveTokens = true;
    options.UseTokenLifetime = false;
}
The .AspNetCore cookie is created by the Cookie authentication handler after the user has successfully authenticated (been challenged) with the OpenIDConnect handler.
If the cookie size is too big, then it will be broken up into chunks of 4Kb to make sure the cookies don't get rejected by the browser or proxies.
The data inside the cookies is encrypted using the Data Protection API, and with some effort you can decrypt the content of the cookie using the Data Protection API.
The data inside the cookie consists mainly of your ClaimsPrincipal (the user object) with its various claims. Optionally you can also store your OpenID Connect tokens inside the cookie.
Hope this answers your questions.
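The following is an added illustration of the three points in the answer above (chunked cookie, Data Protection encryption, ClaimsPrincipal plus optional tokens inside), not code from the question or the answerer. It is a hypothetical diagnostic class, AuthCookieInspector, that runs inside the same application (it needs that application's Data Protection key ring), reassembles the chunked cookie with the framework's ChunkingCookieManager, and unprotects it with the same purpose strings the cookie handler uses. It assumes the defaults that AddCookie() with no scheme name gives you: scheme "Cookies" and cookie name ".AspNetCore.Cookies".

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;

// Hypothetical helper, not part of the original post. Register it in DI
// (services.AddScoped<AuthCookieInspector>()) and call Inspect(HttpContext)
// from a request handled by the application that issued the cookie.
public class AuthCookieInspector
{
    // Assumed defaults of AddCookie() without an explicit scheme name.
    private const string SchemeName = CookieAuthenticationDefaults.AuthenticationScheme; // "Cookies"
    private const string CookieName = ".AspNetCore.Cookies";

    private readonly ISecureDataFormat<AuthenticationTicket> _ticketFormat;
    private readonly ICookieManager _cookieManager = new ChunkingCookieManager();

    public AuthCookieInspector(IDataProtectionProvider provider)
    {
        // The cookie handler protects the ticket with these purpose strings; a protector
        // created with different purposes (or another app's keys) cannot unprotect it.
        var protector = provider.CreateProtector(
            "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
            SchemeName,
            "v2");
        _ticketFormat = new TicketDataFormat(protector);
    }

    public CookieInspection Inspect(HttpContext context)
    {
        // When the ticket exceeds the chunk size, the primary cookie only holds "chunks-N"
        // and the payload lives in ".AspNetCore.CookiesC1" .. "CN"; the manager joins them.
        var value = _cookieManager.GetRequestCookie(context, CookieName);
        if (string.IsNullOrEmpty(value))
            return new CookieInspection { Present = false };

        // Unprotect returns null if the cookie was tampered with, expired in the protector's
        // view, or protected by a key this application does not have.
        var ticket = _ticketFormat.Unprotect(value);
        if (ticket == null)
            return new CookieInspection { Present = true, Valid = false };

        return new CookieInspection
        {
            Present = true,
            Valid = true,
            Scheme = ticket.AuthenticationScheme,
            IssuedUtc = ticket.Properties.IssuedUtc?.ToString("o"),
            ExpiresUtc = ticket.Properties.ExpiresUtc?.ToString("o"),
            Claims = ticket.Principal.Claims.Select(c => $"{c.Type}={c.Value}").ToList(),
            // With SaveTokens = true the ticket also carries id/access/refresh tokens.
            // Only their names are surfaced here; the values are secrets and must not be logged.
            TokenNames = ticket.Properties.GetTokens().Select(t => t.Name).ToList()
        };
    }
}

public class CookieInspection
{
    public bool Present { get; set; }
    public bool Valid { get; set; }
    public string Scheme { get; set; }
    public string IssuedUtc { get; set; }
    public string ExpiresUtc { get; set; }
    public List<string> Claims { get; set; } = new List<string>();
    public List<string> TokenNames { get; set; } = new List<string>();
}
```

A result with Present = true and Valid = false is the case the question ran into when decrypting by hand: the ciphertext is only readable with the issuing application's Data Protection keys and exactly these purpose strings, which is also what stops a cookie copied from another application from being accepted.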