
Change redirectURI and CallbackPath for AzureAD authentication in .net core 3.1.1 web app

Problem description

I created a new .net core 3.1.1 web application with the Razor Pages framework. When creating the app I set up the default Authentication as AzureAd. When I run the application the authentication works just fine. The generated appsettings file looks like this:

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "myDomain",
    "TenantId": "myTenantId",
    "ClientId": "myClientId",
    "CallbackPath": "/signin-oidc"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "AllowedHosts": "*"
}

I created a new controller in my app which looks very simple, just like:

namespace WebApplication1.Controllers
{
    public class AccountController : Controller
    {
        [HttpGet]
        public void SignIn()
        {
           //here comes the logic which checks in what role is the logged User
           //the role management stuff will be implemented in the app
        }
    }
}

This is what my Startup.cs looks like:

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => Configuration.Bind("AzureAd", options));
        services.AddMvc(options =>
        {
            options.EnableEndpointRouting = false;
        });
        services.AddRazorPages().AddMvcOptions(options =>{});
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Error");
            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();

        app.UseRouting();

        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapRazorPages();
            endpoints.MapControllers();
        });

        app.UseMvc(routes =>
       {
            routes.MapRoute(
            name: "default",
            template: "{controller=Account}/{action=SignIn}");
       });
    }
}

I'd like to be able to change the AzureAd/CallbackPath to something different than "/signin-oidc", e.g. I would like to change it to Account/SignIn. Then I'd like to catch the callback call from Azure and, based on the logged user email address, I'd like to modify the token to add some system roles and make a redirect to the appropriate dashboard page based on the user role. There can be a different dashboard for admin and a client.

So I tried to change the "CallbackPath": "/Account/SignIn" and I also updated RedirectURI in Azure:

Then I ran the app once again, set a breakpoint in void SignIn(), signed in once again, and instead of hitting /Account/SignIn I was just redirected to the main page, https://localhost:44321. I also tried to manually run https://localhost:44321/Account/SignIn in the browser and I saw the following error message:

An unhandled exception occurred while processing the request.
Exception: OpenIdConnectAuthenticationHandler: message.State is null or empty.

I tried to check if there is something in the documentation but I didn't find anything useful. Any ideas about what I should do to make it work? Cheers

I also use the Microsoft.AspNetCore.Authentication.AzureAD.UI framework.

Recommended answer

The CallbackPath is the path where the server will redirect during authentication. It's automatically handled by the OIDC middleware itself, which means we can't control the logic by creating a new controller/action and setting CallbackPath to it. Below is the general process:

During authentication, the whole process is controlled by the OpenID Connect middleware. After the user validates credentials in Azure's login page, Azure AD will redirect the user back to your application's redirect URL, which is set in the OIDC configuration, so that you can get the authorization code (if using code flow) and complete the authentication process. After authentication, the user will then be redirected to the redirect URL.

based on the logged user email address I'd like to modify the token to add some system roles and make a redirect to the appropriate dashboard page based on the user role. There can be a different dashboard for admin and a client.

The first thing is you can't modify the token and you don't need to modify it.

You can use notification events in the OIDC OWIN middleware, which are invoked to enable developer control over the authentication process. OnTokenValidated offers you the chance to modify the ClaimsIdentity obtained from the incoming token; you can query the user's role based on the user's id from a local database and add it to the user's claims:

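// Inside ConfigureServices. Namespaces needed at the top of Startup.cs:
//   System.Collections.Generic, System.Security.Claims, System.Threading.Tasks,
//   Microsoft.AspNetCore.Authentication.AzureAD.UI,
//   Microsoft.AspNetCore.Authentication.OpenIdConnect
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(options => Configuration.Bind("AzureAd", options));

// Customize the OpenID Connect handler that AddAzureAD registered.
services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
    options.Events = new OpenIdConnectEvents
    {
        // Runs after the ID token has been validated, before the user is signed in.
        OnTokenValidated = ctx =>
        {
            //query the database to get the role

            // add claims
            var claims = new List<Claim>
            {
                new Claim(ClaimTypes.Role, "Admin")
            };
            var appIdentity = new ClaimsIdentity(claims);

            // The token is left as issued; the role goes into an extra identity.
            ctx.Principal.AddIdentity(appIdentity);

            return Task.CompletedTask;
        },
    };
});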

Then in the controller, you can get the claim like:

var role = User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Role)?.Value;

Then you can filter the actions based on a specific claim.

If you want to redirect the user to a specific route/page after authentication, put the URL into AuthenticationProperties:

if (!User.Identity.IsAuthenticated)
{
    return Challenge(new AuthenticationProperties() { RedirectUri = "/home/redirectOnRole" }, AzureADDefaults.AuthenticationScheme);
}

And in that path, you can redirect the user based on the user's role.
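The two pieces of the answer put together, as an added example that is not part of the original answer: the role is looked up per user in OnTokenValidated, and the /home/redirectOnRole action sends each role to its own dashboard. IRoleStore, AddAppRoleClaims, the "Client" role name, the dashboard paths and the claim types used to find the sign-in name are assumptions made for the illustration.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical application service: returns the app role for a sign-in name, or null.
public interface IRoleStore { Task<string> FindRoleAsync(string signInName); }

public static class RoleClaimsSetup
{
    // Hypothetical helper; call from ConfigureServices after AddAzureAD(...).
    public static void AddAppRoleClaims(this IServiceCollection services) =>
        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
        {
            var previous = options.Events.OnTokenValidated; // keep any existing handler
            options.Events.OnTokenValidated = async ctx =>
            {
                await previous(ctx);
                // Assumption: the sign-in name arrives as "preferred_username" or as the UPN claim.
                var name = ctx.Principal.FindFirst("preferred_username")?.Value
                           ?? ctx.Principal.FindFirst(ClaimTypes.Upn)?.Value;
                if (string.IsNullOrEmpty(name)) return; // unknown user: no role claim is added
                var store = ctx.HttpContext.RequestServices.GetRequiredService<IRoleStore>();
                var role = await store.FindRoleAsync(name);
                if (role == null) return;
                // The token is not modified; the role goes into a second identity
                // on the principal that the application signs in.
                ctx.Principal.AddIdentity(new ClaimsIdentity(
                    new[] { new Claim(ClaimTypes.Role, role) }, "AppRoles"));
            };
        });
}

[Authorize]
public class HomeController : Controller
{
    // Target of AuthenticationProperties.RedirectUri = "/home/redirectOnRole".
    [HttpGet]
    public IActionResult RedirectOnRole()
    {
        if (User.IsInRole("Admin")) return LocalRedirect("/Admin/Dashboard");   // hypothetical path
        if (User.IsInRole("Client")) return LocalRedirect("/Client/Dashboard"); // hypothetical path
        return Forbid(); // authenticated, but no application role assigned
    }
}
```

Because the role comes from the application's own store rather than from the token, the dashboard pages still need their own [Authorize(Roles = "...")] checks; the redirect only chooses where a user lands.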
