在Asp.Net Core Web应用程序中使用EasyAuth对Azure App Service上的AAD进行身份验证时，无法填充ClaimsPrincipal [英] Trouble getting ClaimsPrincipal populated when using EasyAuth to authenticate against AAD on Azure App Service in a Asp.Net Core web app

问题描述

我们有一个基于Asp.Net核心的Web应用程序.它不包含任何配置的身份验证中间件.

We have a web app built on Asp.Net core. It doesn't contain any authentication middleware configured in it.

我们托管在Azure App Service上，并使用身份验证/授权"选项(EasyAuth)对Azure AD进行身份验证.

We are hosting on Azure App Service and using the Authentication/Authorization option (EasyAuth) to authenticate against Azure AD.

身份验证效果很好-我们插入了必要的标头，然后可以在/.auth/me上看到已身份验证的身份.但是，不会填充HttpContext.User属性.

The authentication works well - we get the requisite headers inserted and we can see the authenticated identity at /.auth/me. But the HttpContext.User property doesn't get populated.

这是Asp.Net核心的兼容性问题吗?还是我做错了什么?

Is this a compatibility issue for Asp.Net core? Or am I doing something wrong?

推荐答案

是的，这是一个兼容性问题.不幸的是，ASP.NET Core不支持将身份信息从IIS模块(例如Easy Auth)流向应用程序代码.这意味着HttpContext.User和类似的代码将无法正常使用常规ASP.NET.

Yes, this is a compatibility issue. ASP.NET Core does not support flowing identity info from an IIS module (like Easy Auth) to the app code, unfortunately. This means HttpContext.User and similar code won't work like it does with regular ASP.NET.

目前的解决方法是从服务器代码中调用Web应用程序的/.auth/me端点以获取用户声明.然后，您可以使用x-ms-client-principal-id请求标头值作为缓存键来适当地缓存此数据. /.auth/me调用将需要以与对您的Web应用程序的调用进行身份验证相同的方式进行正确的身份验证(身份验证cookie或请求标头令牌).

The workaround for now is to invoke your web app's /.auth/me endpoint from your server code to get the user claims. You can then cache this data as appropriate using the x-ms-client-principal-id request header value as the cache key. The /.auth/me call will need to be properly authenticated in the same way that calls to your web app need to be authenticated (auth cookie or request header token).

这篇关于在Asp.Net Core Web应用程序中使用EasyAuth对Azure App Service上的AAD进行身份验证时，无法填充ClaimsPrincipal的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！