
Single sign-on with Azure AD in ASP.NET 5

12 December 2017 | 移动技术网 IT Programming

Preface: although ASP.NET 5 still lets you use ASP.NET Identity for authentication and authorization, it is also easy to integrate third-party services that speak standard protocols, such as Azure Active Directory.

In fact, integrating Azure AD into ASP.NET 5 and using it for authentication and authorization is very simple, for two reasons. First, Azure Active Directory exposes standard protocol endpoints for OAuth 2.0, OpenID Connect 1.0, SAML and WS-Federation 1.2. Second, Microsoft ported the OWIN middleware that integrates OpenID Connect to ASP.NET 5. So all you need to do is reference the "Microsoft.AspNet.Authentication.OpenIdConnect" package in your ASP.NET 5 project and configure the Azure AD connection information correctly, and the integration is straightforward.

The rough steps are as follows:

1. Add the Azure AD configuration to config.json (the missing quotes around PostLogoutRedirectUri have been restored; the comment is tolerated by the ASP.NET 5 JSON configuration reader):

"AzureAd": {
  "ClientId": "[Enter the clientId of your application as obtained from portal, e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",
  "Tenant": "[Enter the name of your tenant, e.g. contoso.onmicrosoft.com]",
  "AADInstance": "https://login.microsoftonline.com/{0}", // this is the public instance of Azure AD
  "PostLogoutRedirectUri": "https://localhost:44322/"
}

2. Modify project.json to bring in the OpenID Connect middleware:

"Microsoft.AspNet.Authentication.OpenIdConnect": "1.0.0-*"

3. In the ConfigureServices method of Startup, add:

// OpenID Connect authentication requires cookie authentication to persist the sign-in.
services.Configure<ExternalAuthenticationOptions>(options =>
{
  options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
});

4. In the Configure method of Startup, add:

// Configure the OWIN pipeline to use cookie authentication.
app.UseCookieAuthentication(options =>
{
  // By default, all middleware are passive/not automatic. Making the cookie middleware automatic so that it acts on all requests.
  options.AutomaticAuthentication = true;
});

// Configure the OWIN pipeline to use OpenID Connect authentication.
app.UseOpenIdConnectAuthentication(options =>
{
  options.ClientId = Configuration.Get("AzureAd:ClientId");
  // The authority is the tenant-specific Azure AD instance; the middleware reads its discovery document from here.
  options.Authority = string.Format(Configuration.Get("AzureAd:AADInstance"), Configuration.Get("AzureAd:Tenant"));
  options.PostLogoutRedirectUri = Configuration.Get("AzureAd:PostLogoutRedirectUri");
  options.Notifications = new OpenIdConnectAuthenticationNotifications
  {
    AuthenticationFailed = OnAuthenticationFailed,
  };
});

5. The OnAuthenticationFailed method in Startup is:

private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
  // Take over the response so the middleware does not rethrow, then send the user to the error page.
  notification.HandleResponse();
  // The exception text is URL-encoded so it cannot break out of the query string.
  notification.Response.Redirect("/Home/Error?message=" + Uri.EscapeDataString(notification.Exception.Message));
  return Task.FromResult(0);
}

6. Add a controller named AccountController:

// Namespaces of the ASP.NET 5 beta-era packages used below.
using Microsoft.AspNet.Authentication.Cookies;
using Microsoft.AspNet.Authentication.OpenIdConnect;
using Microsoft.AspNet.Http.Authentication;
using Microsoft.AspNet.Mvc;

public class AccountController : Controller
{
  // GET: /Account/Login
  [HttpGet]
  public IActionResult Login()
  {
    // Not signed in yet: challenge the OpenID Connect scheme, which redirects to Azure AD and back to "/".
    if (Context.User == null || !Context.User.Identity.IsAuthenticated)
      return new ChallengeResult(OpenIdConnectAuthenticationDefaults.AuthenticationScheme, new AuthenticationProperties { RedirectUri = "/" });
    return RedirectToAction("Index", "Home");
  }

  // GET: /Account/LogOff
  [HttpGet]
  public IActionResult LogOff()
  {
    if (Context.User.Identity.IsAuthenticated)
    {
      // Clear the local session cookie and then sign out of Azure AD (which uses PostLogoutRedirectUri).
      Context.Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationScheme);
      Context.Authentication.SignOut(OpenIdConnectAuthenticationDefaults.AuthenticationScheme);
    }
    return RedirectToAction("Index", "Home");
  }
}

The code above can also be found in the complete sample project I forked: https://github.com/heavenwing/webapp-openidconnect-aspnet5
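As an added example (not part of this post or of the Microsoft sample it links), here is what the OpenID Connect middleware does with the configuration above, written out in Python so it can be run stand-alone: the challenge redirect carries a state and a nonce, and the returned id_token must match the discovery document's issuer, the configured ClientId as audience, the nonce of this login attempt, and an unexpired exp. The tenant, client id, issuer and discovery document are constructed placeholders, and signature verification against the tenant's published keys is left out here (the middleware performs it before these claim checks).

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode

# Same keys as the post's config.json; tenant and client id are constructed placeholders.
CONFIG = {
    "AADInstance": "https://login.microsoftonline.com/{0}",
    "Tenant": "contoso.onmicrosoft.com",
    "ClientId": "11111111-2222-3333-4444-555555555555",
}
AUTHORITY = CONFIG["AADInstance"].format(CONFIG["Tenant"])

# Constructed stand-in for AUTHORITY + "/.well-known/openid-configuration" (issuer is a placeholder).
DISCOVERY = {
    "issuer": "https://sts.windows.net/cccccccc-dddd-eeee-ffff-000000000000/",
    "authorization_endpoint": AUTHORITY + "/oauth2/authorize",
}

def build_authorize_url(redirect_uri):
    """Redirect issued on ChallengeResult; state and nonce are remembered per login attempt."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"client_id": CONFIG["ClientId"], "response_type": "id_token",
              "scope": "openid profile", "redirect_uri": redirect_uri,
              "response_mode": "form_post", "state": state, "nonce": nonce}
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params), state, nonce

def make_id_token(claims):
    """Constructed id_token with an empty signature segment; signature checks are out of scope here."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256"}) + "." + enc(claims) + "."

def validate_id_token_claims(id_token, expected_nonce, now=None):
    """Return the list of failed checks; an empty list means the claims are acceptable."""
    now = int(time.time()) if now is None else now
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    failures = []
    if claims.get("iss") != DISCOVERY["issuer"]:
        failures.append("issuer mismatch")        # minted by another authority or tenant
    if claims.get("aud") != CONFIG["ClientId"]:
        failures.append("audience mismatch")      # issued for a different application
    if claims.get("nonce") != expected_nonce:
        failures.append("nonce mismatch")         # replayed or not bound to this login attempt
    if claims.get("exp", 0) <= now:
        failures.append("token expired")
    return failures
```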

[Update: 2015-07-16]
If you find that after adding [Authorize] the user is not automatically redirected to the login page, you need to:

app.UseOpenIdConnectAuthentication(options => {
  options.AutomaticAuthentication = true;
});

See: https://github.com/aspnet/security/issues/357#issuecomment-120834369

That is all for this article; I hope you find it useful.
