我一直在使用我从样本创建的库,允许我使用Azure Active Directory验证.NET核心Web应用程序,并利用各种OpenIdConnectOptions事件(例如OnTokenValidated)向主体添加某些声明以及添加该数据到类似身份的数据库,以便API可以根据其令牌对调用者进行基于策略的确定.
但我宁愿使用Microsoft.AspNetCore.Authentication.AzureAD.UI NuGet包而不是我的自定义变体,我只是不确定如何进入并访问OpenIdConnectOptions上的事件.
我不知道它是不是可以做的事情,或者我只是没有足够的依赖注入处理来弄清楚如何做到这一点.
或者我应该考虑在流程的不同部分添加索赔等?
public static AuthenticationBuilder AddAzureAD(
this AuthenticationBuilder builder,
string scheme,
string openIdConnectScheme,
string cookieScheme,
string displayName,
Action<AzureADOptions> configureOptions) {
AddAdditionalMvcApplicationParts(builder.Services);
builder.AddPolicyScheme(scheme, displayName, o => {
o.ForwardDefault = cookieScheme;
o.ForwardChallenge = openIdConnectScheme;
});
builder.Services.Configure(
TryAddOpenIDCookieSchemeMappings(scheme, openIdConnectScheme, cookieScheme));
builder.Services.TryAddSingleton<IConfigureOptions<AzureADOptions>, AzureADOptionsConfiguration>();
// They put in their custom OpenIdConnect configuration, but I can't see how to get at the events.
builder.Services.TryAddSingleton<IConfigureOptions<OpenIdConnectOptions>, OpenIdConnectOptionsConfiguration>();
builder.Services.TryAddSingleton<IConfigureOptions<CookieAuthenticationOptions>, CookieOptionsConfiguration>();
builder.Services.Configure(scheme, configureOptions);
builder.AddOpenIdConnect(openIdConnectScheme, null, o => { });
builder.AddCookie(cookieScheme, null, o => { });
return builder;
}
最佳答案 我在这里可能会迟到一点,但我遇到了同样的问题,发现AzureAD身份验证中间件的记录很少.在这里添加解决方案,为其他人在同一个问题上挣扎.
正如您在问题的代码片段底部所看到的,AzureAD提供程序实际上依赖于OpenIdConnect和Cookie auth提供程序,并且本身不实现任何身份验证逻辑.
为此,添加了两个额外的身份验证方案,分别使用定义为AzureADDefaults.OpenIdScheme和AzureADDefaults.CookieScheme的名称.
(虽然使用AddAzureAD时也可以自定义名称(此Microsoft.AspNetCore.Authentication.AuthenticationBuilder构建器,字符串方案,字符串openIdConnectScheme,字符串cookieScheme,字符串displayName,操作< Microsoft.AspNetCore.Authentication.AzureAD.UI.AzureADOptions> configureOptions )超载).
反过来,它允许使用上面的方案名称配置有效的OpenIdConnectOptions和CookieAuthenticationOptions,包括访问OpenIdConnectEvents.
看到这个完整的例子:
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
.AddAzureAD(options => Configuration.Bind("AzureAd", options));
services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
options.Events = new OpenIdConnectEvents
{
OnRedirectToIdentityProvider = async ctxt =>
{
// Invoked before redirecting to the identity provider to authenticate. This can be used to set ProtocolMessage.State
// that will be persisted through the authentication process. The ProtocolMessage can also be used to add or customize
// parameters sent to the identity provider.
await Task.Yield();
},
OnMessageReceived = async ctxt =>
{
// Invoked when a protocol message is first received.
await Task.Yield();
},
OnTicketReceived = async ctxt =>
{
// Invoked after the remote ticket has been received.
// Can be used to modify the Principal before it is passed to the Cookie scheme for sign-in.
// This example removes all 'groups' claims from the Principal (assuming the AAD app has been configured
// with "groupMembershipClaims": "SecurityGroup"). Group memberships can be checked here and turned into
// roles, to be persisted in the cookie.
if (ctxt.Principal.Identity is ClaimsIdentity identity)
{
ctxt.Principal.FindAll(x => x.Type == "groups")
.ToList()
.ForEach(identity.RemoveClaim);
}
await Task.Yield();
},
};
});
services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
{
options.Events = new CookieAuthenticationEvents
{
// ...
};
});
