Preface: in ASP.NET 5 you can still use ASP.NET Identity for authentication and authorization, but it is also easy to integrate a third-party service that supports the standard protocols, such as Azure Active Directory.
Integrating Azure AD into ASP.NET 5 and using it for authentication and authorization is in fact very simple, for two reasons. First, Azure Active Directory exposes standard protocol endpoints: OAuth 2.0, OpenID Connect 1.0, SAML and WS-Federation 1.2. Second, Microsoft ported the OWIN OpenID Connect middleware to ASP.NET 5. So as long as you reference the "Microsoft.AspNet.Authentication.OpenIdConnect" package in your ASP.NET 5 project and configure the Azure AD connection information correctly, the integration is straightforward.
The steps are roughly as follows:
1. Add the Azure AD configuration to config.json (the value for PostLogoutRedirectUri must be a quoted string, and must also be registered as a reply URL for the application in the portal):
```json
"AzureAd": {
  "ClientId": "[enter the ClientId of your application as obtained from portal, e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",
  "Tenant": "[enter the name of your tenant, e.g. contoso.onmicrosoft.com]",
  "AadInstance": "https://login.microsoftonline.com/{0}", // this is the public instance of Azure AD
  "PostLogoutRedirectUri": "https://localhost:44322/"
}
```
2. Modify project.json to bring in the OpenID Connect middleware (add this entry under "dependencies"):
```json
"Microsoft.AspNet.Authentication.OpenIdConnect": "1.0.0-*"
```
3. Add the following to the ConfigureServices method in Startup:
```csharp
// OpenID Connect authentication requires cookie auth: the identity returned
// by Azure AD is persisted in the cookie scheme.
services.Configure<ExternalAuthenticationOptions>(options =>
{
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
});
```
4. Add the following to the Configure method in Startup:
```csharp
// Configure the OWIN pipeline to use cookie authentication
app.UseCookieAuthentication(options =>
{
    // By default, all middleware are passive/not automatic. Making the cookie
    // middleware automatic so that it acts on all the messages.
    options.AutomaticAuthentication = true;
});

// Configure the OWIN pipeline to use OpenID Connect authentication
app.UseOpenIdConnectAuthentication(options =>
{
    options.ClientId = Configuration.Get("AzureAd:ClientId");
    // Authority becomes https://login.microsoftonline.com/{tenant}
    options.Authority = string.Format(Configuration.Get("AzureAd:AadInstance"), Configuration.Get("AzureAd:Tenant"));
    options.PostLogoutRedirectUri = Configuration.Get("AzureAd:PostLogoutRedirectUri");
    options.Notifications = new OpenIdConnectAuthenticationNotifications
    {
        AuthenticationFailed = OnAuthenticationFailed,
    };
});
```
5. The OnAuthenticationFailed method in Startup is:
```csharp
private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
{
    // Stop the middleware from writing its own error response and send the user to the error page instead.
    notification.HandleResponse();
    // Encode the message so that it cannot break the query string.
    notification.Response.Redirect("/Home/Error?message=" + Uri.EscapeDataString(notification.Exception.Message));
    return Task.FromResult(0);
}
```
6. Add a controller named AccountController:
```csharp
public class AccountController : Controller
{
    // GET: /Account/Login
    [HttpGet]
    public IActionResult Login()
    {
        // Not signed in yet: challenge the OpenID Connect scheme, which redirects to Azure AD.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            return new ChallengeResult(OpenIdConnectAuthenticationDefaults.AuthenticationScheme,
                new AuthenticationProperties { RedirectUri = "/" });
        return RedirectToAction("Index", "Home");
    }

    // GET: /Account/LogOff
    [HttpGet]
    public IActionResult LogOff()
    {
        if (Context.User.Identity.IsAuthenticated)
        {
            // Clear the local cookie session and also sign out of Azure AD.
            Context.Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationScheme);
            Context.Authentication.SignOut(OpenIdConnectAuthenticationDefaults.AuthenticationScheme);
        }
        return RedirectToAction("Index", "Home");
    }
}
```
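The values from config.json in step 1 are handed to the middleware in step 4 without any check. As an added example (not code from the post or the sample project), the hypothetical helper below validates them at startup: it rejects placeholders left in config.json, builds the Authority the same way Startup.Configure does, and requires https for both the authority and the post-logout URI.

```csharp
using System;

// Hypothetical helper, not part of the sample project: validates the AzureAd
// section of config.json before the values reach the OpenID Connect middleware.
public static class AzureAdSettingsCheck
{
    // Mirrors Startup.Configure: string.Format(AadInstance, Tenant)
    // -> https://login.microsoftonline.com/{tenant}
    public static string BuildAuthority(string aadInstance, string tenant)
    {
        RejectPlaceholder("AzureAd:Tenant", tenant);
        var authority = string.Format(aadInstance, tenant);
        var uri = new Uri(authority, UriKind.Absolute);
        // The discovery document and the token-signing keys are fetched from this
        // URL, so it must not be reachable over plain http.
        if (uri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("AzureAd:AadInstance must use https: " + authority);
        return authority;
    }

    // The value must be absolute and https; it must also match a reply URL
    // registered for the application in the portal, which cannot be checked here.
    public static string CheckPostLogoutRedirectUri(string value)
    {
        RejectPlaceholder("AzureAd:PostLogoutRedirectUri", value);
        Uri uri;
        if (!Uri.TryCreate(value, UriKind.Absolute, out uri) || uri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("AzureAd:PostLogoutRedirectUri must be an absolute https URI: " + value);
        return value;
    }

    // The sample config.json ships with "[enter the ...]" placeholders; a value that
    // is empty or still starts with "[" was never filled in.
    private static void RejectPlaceholder(string key, string value)
    {
        if (string.IsNullOrWhiteSpace(value) || value.StartsWith("["))
            throw new InvalidOperationException(key + " is missing or is still the placeholder from config.json");
    }

    public static void Main()
    {
        // Constructed sample values in the shape of the page's config.json.
        Console.WriteLine(BuildAuthority("https://login.microsoftonline.com/{0}", "contoso.onmicrosoft.com"));
        Console.WriteLine(CheckPostLogoutRedirectUri("https://localhost:44322/"));
    }
}
```

In Startup.Configure, BuildAuthority and CheckPostLogoutRedirectUri can be called in place of the bare Configuration.Get(...) expressions so that a misconfigured application fails at startup rather than at the first login.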
The code above can also be found in the complete sample project that I forked: https://github.com/heavenwing/webapp-openidconnect-aspnet5
[Update: 2015-07-16]
If you have added [Authorize] but are not automatically redirected to the login page, you need to:
```csharp
app.UseOpenIdConnectAuthentication(options =>
{
    options.AutomaticAuthentication = true;
});
```
See: https://github.com/aspnet/security/issues/357#issuecomment-120834369
That is all for this article; I hope you find it useful.