問(wèn)題描述

我一直在使用從示例創(chuàng)建的庫(kù)，允許我使用 Azure Active Directory 對(duì) .NET 核心 Web 應(yīng)用程序進(jìn)行身份驗(yàn)證，并利用各種 OpenIdConnectOptions 事件(例如 OnTokenValidated) 向主體添加某些聲明，并將該數(shù)據(jù)添加到類似身份的數(shù)據(jù)庫(kù)中，以便 API 可以根據(jù)其令牌對(duì)調(diào)用者進(jìn)行基于策略的確定.

I have been using a library I created from samples allowing me to authenticate a .NET core web app with Azure Active Directory and to take advantage of the various OpenIdConnectOptions events (e.g. OnTokenValidated) to add certain claims to the principal as well as add that data to an identity-like database so that APIs can make policy-based determinations of the caller based on their token.

但我寧愿使用 Microsoft.AspNetCore.Authentication.AzureAD.UI NuGet 包而不是我的自定義變體，我只是不確定如何訪問(wèn)和訪問(wèn) OpenIdConnectOptions.

But I would just rather use the Microsoft.AspNetCore.Authentication.AzureAD.UI NuGet package than my customized variation, I am just not sure how to reach in and access the event on the OpenIdConnectOptions.

我不知道這是否無(wú)法完成，或者我只是沒(méi)有足夠的依賴注入處理來(lái)弄清楚如何做到這一點(diǎn).

I don't know if it's not something that can be done, or I just haven't got enough of a handle on dependency injection to figure out how to do that.

或者我應(yīng)該考慮在流程的不同部分添加聲明等?

Or should I consider adding claims, etc. in a different part of the process?

public static AuthenticationBuilder AddAzureAD(
    this AuthenticationBuilder builder,
    string scheme,
    string openIdConnectScheme,
    string cookieScheme,
    string displayName,
    Action<AzureADOptions> configureOptions) {

    AddAdditionalMvcApplicationParts(builder.Services);
    builder.AddPolicyScheme(scheme, displayName, o => {
        o.ForwardDefault = cookieScheme;
        o.ForwardChallenge = openIdConnectScheme;
    });

    builder.Services.Configure(
        TryAddOpenIDCookieSchemeMappings(scheme, openIdConnectScheme, cookieScheme));

    builder.Services.TryAddSingleton<IConfigureOptions<AzureADOptions>, AzureADOptionsConfiguration>();

    // They put in their custom OpenIdConnect configuration, but I can't see how to get at the events.
    builder.Services.TryAddSingleton<IConfigureOptions<OpenIdConnectOptions>, OpenIdConnectOptionsConfiguration>();

    builder.Services.TryAddSingleton<IConfigureOptions<CookieAuthenticationOptions>, CookieOptionsConfiguration>();

    builder.Services.Configure(scheme, configureOptions);

    builder.AddOpenIdConnect(openIdConnectScheme, null, o => { });
    builder.AddCookie(cookieScheme, null, o => { });

    return builder;
}

推薦答案

我在這里聚會(huì)可能有點(diǎn)晚了，但我遇到了同樣的問(wèn)題，發(fā)現(xiàn) AzureAD 身份驗(yàn)證中間件的文檔很少.在此處為遇到相同問(wèn)題的其他人添加解決方案.

I might be a little late to the party here, but I've come across the same issue and found that the AzureAD authentication middleware is very sparsely documented. Adding the solution here for others struggling with the same question.

正如您在問(wèn)題的代碼片段底部看到的那樣，AzureAD 提供程序?qū)嶋H上依賴于 OpenIdConnect 和 Cookie 身份驗(yàn)證提供程序，而不是自行實(shí)現(xiàn)任何身份驗(yàn)證邏輯.

As you can see at the bottom of the code snippet in the question, the AzureAD provider actually relies on OpenIdConnect and Cookie auth providers under the hoods, and does not implement any authentication logic itself.

為此，添加了兩個(gè)額外的身份驗(yàn)證方案，分別使用定義為 AzureADDefaults.OpenIdScheme 和 AzureADDefaults.CookieScheme 的名稱.

To accomplish this, two additional authentication schemes are added, using the names defined as AzureADDefaults.OpenIdScheme and AzureADDefaults.CookieScheme, respectively.

(雖然使用 AddAzureAD(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder builder, string scheme, string openIdConnectScheme, string cookieScheme, string displayName, ActionconfigureOptions) 重載).

這反過(guò)來(lái)又允許使用上面的方案名稱配置有效的 OpenIdConnectOptions 和 CookieAuthenticationOptions，包括訪問(wèn) OpenIdConnectEvents.

That, in turn, allows to configure the effective OpenIdConnectOptions and CookieAuthenticationOptions by using the scheme names from above, including access to OpenIdConnectEvents.

查看這個(gè)完整的例子:

        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => Configuration.Bind("AzureAd", options));

        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
        {
            options.Events = new OpenIdConnectEvents
            {
                OnRedirectToIdentityProvider = async ctxt =>
                {
                    // Invoked before redirecting to the identity provider to authenticate. This can be used to set ProtocolMessage.State
                    // that will be persisted through the authentication process. The ProtocolMessage can also be used to add or customize
                    // parameters sent to the identity provider.
                    await Task.Yield();
                },
                OnMessageReceived = async ctxt =>
                {
                    // Invoked when a protocol message is first received.
                    await Task.Yield();
                },
                OnTicketReceived = async ctxt =>
                {
                    // Invoked after the remote ticket has been received.
                    // Can be used to modify the Principal before it is passed to the Cookie scheme for sign-in.
                    // This example removes all 'groups' claims from the Principal (assuming the AAD app has been configured
                    // with "groupMembershipClaims": "SecurityGroup"). Group memberships can be checked here and turned into
                    // roles, to be persisted in the cookie.
                    if (ctxt.Principal.Identity is ClaimsIdentity identity)
                    {
                        ctxt.Principal.FindAll(x => x.Type == "groups")
                            .ToList()
                            .ForEach(identity.RemoveClaim);
                    }                        
                    await Task.Yield();
                },
            };
        });

        services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
        {
            options.Events = new CookieAuthenticationEvents
            {
                // ...
            };
        });

這篇關(guān)于使用 Authentication.AzureAD.UI 庫(kù)時(shí)實(shí)現(xiàn) OpenIdConnectOptions 事件的文章就介紹到這了，希望我們推薦的答案對(duì)大家有所幫助，也希望大家多多支持html5模板網(wǎng)！