I'm building a custom ASP.NET Identity 2.0 implementation that uses our own data model, another ORM, other business logic, etc. By default, a user is logged in by setting the ApplicationCookie, after which the AuthorizeAttribute recognizes the cookie and logs the user in. For our own implementation, I want to add more ways to log in. For example:
In all these scenarios the user must be logged in, but what actions the user is allowed to perform depends on the way he logged in. For example: when the user logged in using a 'password reset token', he may change his password but not do anything else. When the user logged in with 'username + password', he may do basically everything, except for the actions that need a higher permission level (where the two-factor methods come into play). In order to do this, I want to build a custom AuthorizeAttribute that checks what login method was used, and then decides whether the user may perform the action or not.
The problem I'm facing is that I can set other cookies than ApplicationCookie (e.g. the TwoFactorCookie that is being set by going through the SMS process), but those cookies are not recognized as authentication cookies. Thus, when I have a TwoFactorCookie, I can't use that cookie to log in. Only having an ApplicationCookie results in a log in.
The issues I'm struggling with:
ApplicationCookie to log in or can I use custom cookies to log in as well (so for example I can log in using ApplicationCookie, TwoFactorCookie and XYZCookie)?
CookieAuthenticationMiddleware? As far as I know, the only thing that has to be done is set a cookie and flag it with the correct authentication method so I can see how the user was logged in.

Edit:
As per Hao Kung's suggestion I made a couple of extension methods that look like this:
using System;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public static class SmsSignInExtensions
{
    // Registers a second, passive cookie middleware for the SMS sign-in.
    // CookiePrefix and ApplicationAuthenticationTypes.Sms are the poster's own constants.
    public static void UseSmsSignInCookie(this IAppBuilder app, TimeSpan expires)
    {
        if (app == null)
            throw new ArgumentNullException("app");

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = ApplicationAuthenticationTypes.Sms,
            // Passive: the cookie is only read when AuthenticateAsync is called for this type.
            AuthenticationMode = AuthenticationMode.Passive,
            CookieName = CookiePrefix + ApplicationAuthenticationTypes.Sms,
            ExpireTimeSpan = expires,
        });
    }
}
I try to log someone in by calling AuthenticationManager.SignIn with a custom ClaimsIdentity that has my custom AuthenticationType (SMS). This doesn't work though: after calling SignIn, the result of HttpContext.Current.User.Identity.AuthenticationType still equals ApplicationCookie. The cookie has been set as expected though.

Does anyone have an idea what I'm missing?
So each CookieMiddleware instance basically represents one auth cookie. If you want multiple cookies, you can add multiple CookieMiddleware instances, and to retrieve the ClaimsIdentity that maps to a cookie you just need to call Authenticate on the AuthenticationManager and pass the AuthenticationType of the cookie you want.
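The behaviour the question describes (the SMS cookie is set, but User.Identity.AuthenticationType still reads ApplicationCookie) is what AuthenticationMode.Passive does: a passive cookie middleware never populates the request identity on its own, so its cookie must be authenticated explicitly, as the answer says. The following is an added example, not code from the question or the answer: an OWIN middleware that authenticates each passive cookie type and attaches the resulting identities to the principal, plus an AuthorizeAttribute that checks which login method was used. It assumes the question's ApplicationAuthenticationTypes.Sms constant and that the passive cookie middlewares are registered before this middleware.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin;
using Owin;

public static class LoginMethodExtensions
{
    // Register after the cookie middlewares, e.g.:
    //   app.UseSmsSignInCookie(TimeSpan.FromMinutes(10));
    //   app.UseLoginMethodResolution(ApplicationAuthenticationTypes.Sms);
    // Passive cookie middlewares only act when AuthenticateAsync is called for their
    // type, so each passive identity is resolved here and added to the principal.
    // The active ApplicationCookie identity (if any) stays the primary identity.
    public static void UseLoginMethodResolution(this IAppBuilder app, params string[] passiveTypes)
    {
        app.Use(async (IOwinContext ctx, Func<Task> next) =>
        {
            var principal = ctx.Authentication.User ?? new ClaimsPrincipal();
            foreach (var type in passiveTypes)
            {
                var result = await ctx.Authentication.AuthenticateAsync(type);
                if (result != null && result.Identity != null && result.Identity.IsAuthenticated)
                    principal.AddIdentity(result.Identity);
            }
            ctx.Authentication.User = principal; // also becomes HttpContext.User
            await next();
        });
    }
}

// Usage: [RequireLoginMethod(ApplicationAuthenticationTypes.Sms)] on an action that
// needs the higher permission level; only identities from the listed cookies count.
public class RequireLoginMethodAttribute : AuthorizeAttribute
{
    private readonly string[] _allowed;

    public RequireLoginMethodAttribute(params string[] allowedAuthenticationTypes)
    {
        _allowed = allowedAuthenticationTypes;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null) return false;
        return principal.Identities.Any(id => id.IsAuthenticated && _allowed.Contains(id.AuthenticationType));
    }
}
```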