同一 MVC 应用程序中的 OpenID 和个人用户帐户
OpenID and Individual User Accounts in same MVC application
我想让 MVC 应用程序支持外部用户的个人用户帐户,并使用员工的 OpenID 端点接受来自 ADFS 的令牌。
我创建了 2 个 mvc 应用程序。一个设置为仅使用 OpenId,它通过将我重定向到本地 ADFS 服务器并设置 cookie 来正常工作,因此我被授权使用装饰有 [Authorize] 属性的控制器。
我在与第一个 mvc 站点相同的服务器上有另一个 mvc 应用程序,它被设置为使用个人用户帐户。我已在 Startup.Auth 中添加代码以将 OpenId Connect 添加到 OWIN 管道。
public void ConfigureAuth(IAppBuilder app)
{
// Configure the db context, user manager and signin manager to use a single instance per request
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
// Configure the sign in cookie
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
// Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));
// Enables the application to remember the second login verification factor such as phone or email.
// Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
// This is similar to the RememberMe option when you log in.
app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
MetadataAddress = metadataAddress,
RedirectUri = redirectUri,
//PostLogoutRedirectUri = postLogoutRedirectUri
});
}
我认为这就是我在第二个应用程序中使用 OpenID 所需的全部内容。
我首先访问第一个 mvc(仅限 OpenId)应用程序并登录。我可以访问该应用程序上的授权控制器操作。
然后我尝试访问第二个应用程序(个人用户帐户和 OpenID)并假设我会被授权。
相反,我在 ADFS 服务器和 mvc 应用程序之间被重定向了几次,直到抛出 "Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '1' seconds. " 错误。
fiddler 跟踪显示:
302 测试应用程序 2
200 台 adfs 服务器
302 测试应用程序 2
302 测试应用程序 2
200 台 adfs 服务器
等等
我能够使用这个 Startup.ConfigureAuth.
public void ConfigureAuth(IAppBuilder app)
{
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
MetadataAddress = metadataAddress,
RedirectUri = redirectUri,
//PostLogoutRedirectUri = postLogoutRedirectUri
});
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));
app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
}
我想让 MVC 应用程序支持外部用户的个人用户帐户,并使用员工的 OpenID 端点接受来自 ADFS 的令牌。
我创建了 2 个 mvc 应用程序。一个设置为仅使用 OpenId,它通过将我重定向到本地 ADFS 服务器并设置 cookie 来正常工作,因此我被授权使用装饰有 [Authorize] 属性的控制器。
我在与第一个 mvc 站点相同的服务器上有另一个 mvc 应用程序,它被设置为使用个人用户帐户。我已在 Startup.Auth 中添加代码以将 OpenId Connect 添加到 OWIN 管道。
public void ConfigureAuth(IAppBuilder app)
{
// Configure the db context, user manager and signin manager to use a single instance per request
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
// Configure the sign in cookie
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
// Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));
// Enables the application to remember the second login verification factor such as phone or email.
// Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
// This is similar to the RememberMe option when you log in.
app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
MetadataAddress = metadataAddress,
RedirectUri = redirectUri,
//PostLogoutRedirectUri = postLogoutRedirectUri
});
}
我认为这就是我在第二个应用程序中使用 OpenID 所需的全部内容。 我首先访问第一个 mvc(仅限 OpenId)应用程序并登录。我可以访问该应用程序上的授权控制器操作。 然后我尝试访问第二个应用程序(个人用户帐户和 OpenID)并假设我会被授权。
相反,我在 ADFS 服务器和 mvc 应用程序之间被重定向了几次,直到抛出 "Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '1' seconds. " 错误。
fiddler 跟踪显示:
302 测试应用程序 2
200 台 adfs 服务器
302 测试应用程序 2
302 测试应用程序 2
200 台 adfs 服务器
等等
我能够使用这个 Startup.ConfigureAuth.
public void ConfigureAuth(IAppBuilder app)
{
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
MetadataAddress = metadataAddress,
RedirectUri = redirectUri,
//PostLogoutRedirectUri = postLogoutRedirectUri
});
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));
app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
}