
ASP.NET Core Web API Authentication in Blazor using Active Directory and IIS


Goal: Limit ASP.NET Core Web API endpoint access to users in a given Active Directory group using a silent login.

Current Environment: ASP.NET Core Web API and ASP.NET Core Blazor Server applications running on IIS 8.5. The applications are on the same server.

I have successfully set up Windows authentication that works locally in both apps after asking a question here; however, the [Authorize] attribute does not work when calling the API through the Blazor app after both apps have been deployed to the IIS production server. Again, authorization works great locally while developing, but the app pool's "IIS APPPool" user actually calls the API once deployed, rather than the client user. The Windows user is not being passed from the Blazor app to the API endpoint for authorization on production.

I am completely ignorant of the different authentication options. Is there an option that would allow me to check my API endpoints against the Active Directory groups of the requesting client user and still allow a silent login?

You can read about the ROPC flow first, and please read the warning message.


You can use a username and password to obtain an access_token and id_token.

In your scenario, you can use a unique identifier such as the userid to obtain the email account, and then use the password for verification.
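As an added example (not part of the answer above), this is what the ROPC request the answer points to looks like when made directly against the Microsoft identity platform v2.0 token endpoint. The tenant, client id and API scope are placeholder assumptions; the Blazor app would hold the user's credentials, call this, and send the returned access_token as a bearer token to the Web API.

```csharp
// Added example, not code from the original post. Tenant, client id and scope are assumptions.
using System.Net.Http;
using System.Text.Json;

public static class RopcClient
{
    // ROPC only works for a public client with "Allow public client flows" enabled;
    // no client secret is sent with the request.
    private const string TenantId = "contoso.onmicrosoft.com";                 // assumed
    private const string ClientId = "00000000-0000-0000-0000-000000000000";    // assumed
    private const string ApiScope = "api://my-web-api/access_as_user";         // assumed

    public sealed record TokenResult(string AccessToken, string? IdToken, int ExpiresIn);

    public static async Task<TokenResult> AcquireByPasswordAsync(
        HttpClient http, string username, string password, CancellationToken ct = default)
    {
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["client_id"] = ClientId,
            // "openid" is what makes the response carry an id_token next to the access_token.
            ["scope"] = $"openid {ApiScope}",
            ["username"] = username,
            ["password"] = password,
        };

        using var response = await http.PostAsync(
            $"https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token",
            new FormUrlEncodedContent(form), ct);

        using var json = JsonDocument.Parse(await response.Content.ReadAsStringAsync(ct));
        var root = json.RootElement;

        if (!response.IsSuccessStatusCode)
        {
            // Typical failures: invalid_grant (wrong password, or an account protected by MFA,
            // which ROPC cannot satisfy) and unauthorized_client (public client flows disabled).
            string error = root.TryGetProperty("error", out var e) ? e.GetString() ?? "" : response.StatusCode.ToString();
            string description = root.TryGetProperty("error_description", out var d) ? d.GetString() ?? "" : "";
            throw new InvalidOperationException($"{error}: {description}");
        }

        return new TokenResult(
            root.GetProperty("access_token").GetString()!,
            root.TryGetProperty("id_token", out var id) ? id.GetString() : null,
            root.GetProperty("expires_in").GetInt32());
    }
}
```

The warning the answer refers to is about exactly this shape of request: the application handles the user's password itself, the flow bypasses MFA and Conditional Access, and it fails for federated or MFA-enrolled accounts. The API side validates the resulting JWT with the JWT bearer handler rather than with Windows authentication.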

We did the same thing in our internal application. The trick is to use a cshtml file which calls HttpContext.SignInAsync.

Here is a working example from us:

using System.DirectoryServices;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

// Login.cshtml.cs: POST handler of the login Razor Page. Input.Username, Input.Password and
// Input.RememberMe are the bound form fields; GlobalConfig.Configuration.LDAP is the directory
// path, e.g. "LDAP://dc01.example.local/DC=example,DC=local" (prefer LDAPS:// so the bind is encrypted).
public async Task<IActionResult> OnPostAsync(string? returnUrl = null)
{
    returnUrl ??= Url.Content("~/");

    // Binding with the user's own credentials is what verifies the password.
    using var entry = new DirectoryEntry(GlobalConfig.Configuration.LDAP, Input.Username, Input.Password);

    try
    {
        // Touching NativeObject forces the bind; a wrong password throws here.
        _ = entry.NativeObject;

        using var searcher = new DirectorySearcher(entry)
        {
            // Escape the form value so it cannot alter the LDAP filter.
            Filter = $"(sAMAccountName={EscapeLdapFilterValue(Input.Username)})"
        };
        searcher.PropertiesToLoad.AddRange(new[] { "cn", "memberOf", "employeeid", "telephonenumber", "displayName", "mail" });

        SearchResult? result = searcher.FindOne();

        if (result == null)
        {
            // Prefixing the login name with the domain short name does not fail the bind, but the
            // sAMAccountName search then finds nobody. Logging in works with the bare account name only.
            ModelState.AddModelError("login-error", "Wrong username or password");
            return Page();
        }

        // Read all properties you'll need; absent attributes become empty claims instead of exceptions.
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, Input.Username),
            new Claim("EmployeeId", FirstValue(result, "employeeid")),
            new Claim("displayName", FirstValue(result, "displayName")),
            new Claim(ClaimTypes.HomePhone, FirstValue(result, "telephonenumber")),
            new Claim(ClaimTypes.Email, FirstValue(result, "mail")),
            // Do not add Input.Password as a claim. The ticket is encrypted with the Data Protection
            // keys, but anyone holding those keys (or a memory dump of the server) would recover every
            // user's AD password from their cookie.
        };

        // One role claim per direct group membership, named after the group's CN.
        // memberOf lists direct memberships only; nested groups are not expanded.
        foreach (string dn in result.Properties["memberOf"])
        {
            claims.Add(new Claim(ClaimTypes.Role, FirstRdnValue(dn)));
        }

        var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);

        var authProperties = new AuthenticationProperties
        {
            IsPersistent = Input.RememberMe,
            RedirectUri = returnUrl
        };

        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(claimsIdentity), authProperties);

        // LocalRedirect rejects non-local URLs, so an attacker-supplied returnUrl cannot send the user off-site.
        return LocalRedirect(returnUrl);
    }
    catch (Exception)
    {
        // Bind failures for wrong passwords, locked accounts and local (non-domain) users end up here.
        ModelState.AddModelError("login-error", "Wrong username or password");
        return Page();
    }
}

// First value of a (possibly multi-valued) attribute, or "" when the attribute is absent.
private static string FirstValue(SearchResult result, string attribute)
{
    var values = result.Properties[attribute];
    return values.Count > 0 ? values[0]?.ToString() ?? string.Empty : string.Empty;
}

// Value of the first RDN in a DN such as "CN=API-Users,OU=Groups,DC=example,DC=local".
// Honors backslash escapes, so "CN=Sales\, EMEA,OU=..." yields "Sales, EMEA" instead of "Sales\".
private static string FirstRdnValue(string dn)
{
    int eq = dn.IndexOf('=');
    if (eq < 0) return dn;
    var value = new StringBuilder();
    for (int i = eq + 1; i < dn.Length; i++)
    {
        if (dn[i] == '\\' && i + 1 < dn.Length) { value.Append(dn[++i]); continue; }
        if (dn[i] == ',') break;
        value.Append(dn[i]);
    }
    return value.ToString();
}

// RFC 4515 escaping for a value placed inside an LDAP search filter.
private static string EscapeLdapFilterValue(string value)
{
    var sb = new StringBuilder(value.Length);
    foreach (char c in value)
    {
        switch (c)
        {
            case '\\': sb.Append(@"\5c"); break;
            case '*':  sb.Append(@"\2a"); break;
            case '(':  sb.Append(@"\28"); break;
            case ')':  sb.Append(@"\29"); break;
            case '\0': sb.Append(@"\00"); break;
            default:   sb.Append(c); break;
        }
    }
    return sb.ToString();
}
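Added example, not from the answer above: the Web API side that consumes the cookie issued by a sign-in like the one above, so the role claims built from memberOf can gate endpoints by AD group. It assumes a shared key-ring directory, a shared application name and cookie name, and a group called API-Users; none of these values come from the original post.

```csharp
// Program.cs of the Web API. Added example; the key-ring path, application name, cookie name
// and group name are assumptions and must match whatever the Blazor app that issues the cookie uses.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// A cookie ticket can only be read by an app that protects data with the same key ring and the same
// application name. Both app pool identities need read/write access to the directory; DPAPI with
// protectToLocalMachine keeps the keys readable by both pools on this server but not off the box.
builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo(@"D:\keys\shared"))   // assumed path
    .ProtectKeysWithDpapi(protectToLocalMachine: true)
    .SetApplicationName("IntranetApps");                               // assumed name

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = ".Intranet.Auth";           // assumed; must equal the issuing app's name
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Strict;

        // An API should answer 401/403 instead of redirecting a caller to an HTML login page.
        options.Events.OnRedirectToLogin = ctx =>
        {
            ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return Task.CompletedTask;
        };
        options.Events.OnRedirectToAccessDenied = ctx =>
        {
            ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
            return Task.CompletedTask;
        };
    });

// The sign-in code adds one ClaimTypes.Role per group CN, so group membership is a role check.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("ApiUsers", policy => policy.RequireRole("API-Users"));   // assumed group
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Every endpoint that must be limited to the group carries the policy; nothing else is reachable
// anonymously unless explicitly marked so.
app.MapGet("/api/whoami", (ClaimsPrincipal user) => new
{
    Name = user.Identity?.Name,
    Groups = user.FindAll(ClaimTypes.Role).Select(c => c.Value).ToArray()
}).RequireAuthorization("ApiUsers");

app.Run();
```

Two caveats a practitioner should check before relying on this. First, the browser only attaches the cookie to API requests that go to the same host (or to a Domain the cookie was scoped to), so it works for calls the browser itself makes; a Blazor Server circuit runs over SignalR and an HttpClient used inside a component does not carry the browser's cookie automatically, so the Blazor app has to capture it from the initial HttpContext and forward it. Second, roles keyed on a group's CN collide if two groups in different OUs share a name; if that can happen in your directory, put the full DN or the group SID in the claim instead.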

Disclaimer: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish them, credit this site or the original source.
