Using Identity Server for Authentication with ASP.NET Web App and .NET 6
Our company has a custom-built Identity Server, which is used by a few of our web applications for authentication. I am trying to use our Identity Server with a newly created ASP.NET Core Web App, using the .NET 6 framework. I am trying to use the predefined OIDC URLs, without having to write the code myself.
The authentication is mostly working; for example, if I add [Authorize] to a certain Razor PageModel, it will automatically redirect to the Authority URL, and then return to that page upon authentication and be logged in.
What I am having trouble with is this: I cannot seem to get the automatic sign out to work. I am trying to use either of the predefined OIDC signout URLs (signout-oidc or signout-callback-oidc), but I seem to be missing something. I am also having trouble finding good sample code or clear documentation to help debug the issue.
I have also tried using OIDC events - for example "OnSignedOutCallbackRedirect":
services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
    options.Authority = testIdentitySettings.Authority;
    options.SignedOutRedirectUri = testIdentitySettings.SignedOutRedirectUri;
    options.RequireHttpsMetadata = testIdentitySettings.RequireHttpsMetadata ?? true;
    options.ClientId = testIdentitySettings.ClientId;
    options.SignInScheme = "Cookies";
    options.Scope.Add("roles");
    options.SaveTokens = true;
    options.TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = "name",
        RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
    };
    // Event raised when Identity Server redirects back to /signout-callback-oidc
    options.Events.OnSignedOutCallbackRedirect = async (context) =>
    {
        await context.HttpContext.SignOutAsync("Cookies");
        var redirUrl = context.Options.SignedOutRedirectUri;
        var prop = new AuthenticationProperties
        {
            RedirectUri = redirUrl
        };
        await context.HttpContext.SignOutAsync("oidc", prop);
        context.Response.Redirect(redirUrl);
        context.HandleResponse();
    };
});
This almost seems to work. It does redirect to my SignedOutRedirectUri (/LoggedOut), and when I check the User on that page, the User.Identity shows IsAuthenticated = false, and has zero claims; however, if I then load the home page (/), the User.Identity is back as authenticated with all the claims.
Any help or insight would be appreciated.
For the Logout example, you could refer to the code below.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Auth0.AspNetCore.Authentication;

public class AccountController : Controller
{
    [Authorize]
    public async Task Logout()
    {
        var authenticationProperties = new LogoutAuthenticationPropertiesBuilder()
            // Indicate here where Auth0 should redirect the user after a logout.
            // Note that the resulting absolute Uri must be added to the
            // **Allowed Logout URLs** settings for the app.
            .WithRedirectUri(Url.Action("Index", "Home"))
            .Build();

        // Sign out of the Auth0 (OIDC) scheme, then clear the local cookie.
        await HttpContext.SignOutAsync(Auth0Constants.AuthenticationScheme, authenticationProperties);
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    }
}
If the issue persists, you could try to make tests with the code sample below to reduce the ExpireTimeSpan in the AddCookie configuration.
public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(/* ... */)
        .AddCookie(options =>
        {
            options.ExpireTimeSpan = TimeSpan.FromMinutes(1);
        });
    // ...
}
For more detailed information, please refer to this answer.
I would use this to do the signout:
// Requires: Microsoft.AspNetCore.Authentication, .Authentication.Cookies,
// .Authentication.OpenIdConnect and .Authorization namespaces.
/// <summary>
/// Do the actual logout
/// </summary>
/// <returns></returns>
[Authorize]
public async Task DoLogout()
{
    await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
}
I don't think you need to use the OnSignedOutCallbackRedirect handler.
In your case, as you have renamed the schemes, the logout method should be:
/// <summary>
/// Do the actual logout
/// </summary>
/// <returns></returns>
[Authorize]
public async Task DoLogout()
{
    // Clear the local cookie, then start the OIDC end-session round trip.
    await HttpContext.SignOutAsync("Cookies");
    await HttpContext.SignOutAsync("oidc");
}
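A complete .NET 6 Program.cs that wires the "Cookies"/"oidc" schemes from the question to a logout endpoint signing out of both, as an added example that is not code from the question or either answer. It assumes the Microsoft.AspNetCore.Authentication.OpenIdConnect package, uses placeholder Authority and ClientId values, and keeps the /LoggedOut page named in the question.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorPages();

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies", options =>
{
    // Session cookie only travels over HTTPS and is not readable by scripts.
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
})
.AddOpenIdConnect("oidc", options =>
{
    options.Authority = "https://identity.example.test"; // placeholder
    options.ClientId = "my-web-app";                      // placeholder
    options.ResponseType = "code";
    options.SignInScheme = "Cookies";
    options.SaveTokens = true;
    options.Scope.Add("roles");
    // The handler's default paths are /signin-oidc, /signout-oidc and
    // /signout-callback-oidc; after the sign-out callback it redirects here.
    options.SignedOutRedirectUri = "/LoggedOut";
    options.TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = "name",
        RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
    };
});

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();

// Logout: clear the local cookie first, then let the OIDC handler start the
// end-session round trip with Identity Server; its own /signout-callback-oidc
// endpoint finishes it, so no OnSignedOutCallbackRedirect event is needed.
app.MapGet("/logout", async (HttpContext ctx) =>
{
    await ctx.SignOutAsync("Cookies");
    await ctx.SignOutAsync("oidc");
}).RequireAuthorization();

app.Run();
```

After signing out, a request to / should no longer carry the "Cookies" session cookie; if it does, check for a second cookie scheme or an earlier middleware still issuing it.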