[英]ASP.NET OWIN OpenID Connect not creating user authentication
[英]How to set Claims from ASP.Net OpenID Connect OWIN components?
我对使用新的 ASP.Net OpenID Connect 框架并在身份验证管道期间添加新声明有疑问,如下面的代码所示。我不确定幕后发生了多少“魔法”。我认为我的大部分问题都围绕着对 OWIN 身份验证中间件而不是 OpenID Connect 了解太多。
一季度。我应该从OwinContext.Authentication.User<\/code>手动设置
HttpContext.Current.User<\/code>和
Thread.CurrentPrincipal<\/code>吗?
Q2。我希望能够像以前使用
System.IdentityModel.Claims.Claim<\/code>那样向声明添加对象类型。新的
System.Security.Claims.Claim<\/code>类只接受字符串值?
Q3。我是否需要在
System.Security.Claims.CurrentPrincipal<\/code>为我的
ClaimsPrincipal<\/code>使用新的
SessionSecurityToken<\/code>包装器来序列化为 cookie - 我正在使用
app.UseCookieAuthentication(new CookieAuthenticationOptions());<\/code>但现在确定在维护我在
SecurityTokenValidated<\/code>事件期间添加的任何其他声明方面究竟做了什么?
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications()
{
SecurityTokenValidated = (context) =>
{
// retriever caller data from the incoming principal
var UPN = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value;
var db = new SOSBIADPEntities();
var user = db.DomainUser.FirstOrDefault(b => (b.EntityName == UPN));
if (user == null)
{
// the caller was not a registered user - throw to block the authentication flow
throw new SecurityTokenValidationException();
}
var applicationUserIdentity = new ClaimsIdentity();
applicationUserIdentity.AddClaim(new Claim(ClaimTypes.Name, UPN, ""));
applicationUserIdentity.AddClaim(new Claim(ClaimTypes.Sid, user.ID.ToString(CultureInfo.InvariantCulture)));
var applications =
db.ApplicationUser
.Where(x => x.ApplicationChild != null && x.DomainUser.ID == user.ID)
.Select(x => x.ApplicationChild).OrderBy(x => x.SortOrder);
applications.ForEach(x =>
applicationUserIdentity.AddClaim(new Claim(ClaimTypes.System, x.ID.ToString(CultureInfo.InvariantCulture))));
context.OwinContext.Authentication.User.AddIdentity(applicationUserIdentity);
var hasOutlook = context.OwinContext.Authentication.User.HasClaim(ClaimTypes.System, "1");
hasOutlook = hasOutlook;
HttpContext.Current.User = context.OwinContext.Authentication.User;
Thread.CurrentPrincipal = context.OwinContext.Authentication.User;
var usr = HttpContext.Current.User;
var c = System.Security.Claims.ClaimsPrincipal.Current.Claims.Count();
return Task.FromResult(0);
},
}
}
);
}
您是否有特定原因要添加新的ClaimsIdentity
?
做你的目标是什么的最简单的方法是检索ClaimsIdentity
,是由验证传入令牌生成的,通过ClaimsIdentity claimsId = context.AuthenticationTicket.Identity;
一旦你拥有它,只需添加声明。 其余的中间件将负责在会话cookie中将其与其他所有内容串行化,将结果放在当前的ClaimsPrincipal
,以及您似乎尝试手动执行的所有其他操作。
HTH
V.
执行令牌验证时,您可以直接进行分配:
private Task OnSecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
{
var claimsPrincipal = new ClaimsPrincipal(n.AuthenticationTicket.Identity);
// Custom code...
n.OwinContext.Request.User = claimsPrincipal;
return Task.FromResult(0);
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.