How to do multiple-step login in IdentityServer4?

Question

We were using IdentityServer3, implicit grant and the login consists of multiple screen. In IdentityServer3, there's built in support for such multiple step login workflow (for example for accepting EULA, two-factor login, etc.), The feature called "partial login" and there is even an example: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/CustomUserService/CustomUserService

We've recently upgraded to AspNetCore and IdentityServer4 and wondering how suppose to achieve the same? That is, check username and password in the first step, and if correct, store it securely (for example in an encrypted cookie) for the next step(s).

Answer

Our solution was to replicate the IdentityServer3's partial login: use a custom cookie to persist data between steps.

First, we need to register our custom cookie authentication (at Startup.Configure)

// Cookie scheme used only to carry state between login steps; it is never
// picked up automatically (AutomaticAuthenticate / AutomaticChallenge = false)
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationScheme = "my-partial",
    AutomaticAuthenticate = false,
    AutomaticChallenge = false
});

  1. The first step/entry point of the login workflow should be mapped to GET /account/login (as of IdentityServer4 1.0.0-rc2).

In the second step, after the credentials are sent and verified, we persist the username (and eventually any other data) into a cookie.

Code:

// Claims that represent the intermediate ("partial") login state
var claims = new []
{
    new Claim("my-user", username),
    new Claim("some-attribute", someAttribute)
};

// Write them into the "my-partial" cookie registered in Startup
await HttpContext.Authentication
    .SignInAsync("my-partial", new ClaimsPrincipal(new ClaimsIdentity(claims)));

Important: avoid using POST /account/login as a second step, because regardless of your result, IdentityServer's middleware will redirect you back to the authorization endpoint (as of RC2). Just pick any other path.

  1. At your last step, key parts
    • we read the persisted data from the cookie
    • remove the partial cookie
    • sign in the "real" user
    • redirect to returnUrl (this was added to the first step as a query parameter. Don't forget to send it along)

In code:

// Requires: using System.Linq; using System.Security.Claims;
// Read the data persisted in the partial cookie (scheme "my-partial")
var partialUser = await HttpContext.Authentication.AuthenticateAsync("my-partial");
// The claim type must match the one written in the previous step ("my-user")
var username = partialUser?.Claims.FirstOrDefault(c => c.Type == "my-user")?.Value;

var claims = new Claim[] { /* Your custom claims */ };

// Remove the partial cookie so the intermediate state cannot be reused
await HttpContext.Authentication
    .SignOutAsync("my-partial");

// Sign in the "real" user (IdentityServer4's SignInAsync(subject, name, claims) extension)
await HttpContext.Authentication
    .SignInAsync(username, username, claims);

return Redirect(returnUrl);

In addition, you might want to validate inputs, for example return to the first step, if there is no partial cookie, etc.
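As an added example, not the answer's own code, here is how the three steps fit into one controller with the "my-partial" scheme registered above, using the same ASP.NET Core 1.x / IdentityServer4 RC-era API the answer uses. It assumes a hypothetical `IUserStore` with `VerifyPassword` and `VerifySecondFactor`, carries the returnUrl inside the partial cookie instead of re-posting it, and checks it with `IIdentityServerInteractionService.IsValidReturnUrl` before the final redirect so a tampered returnUrl cannot turn the last step into an open redirect.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    const string PartialScheme = "my-partial";
    private readonly IIdentityServerInteractionService _interaction;
    private readonly IUserStore _users; // hypothetical: verifies passwords and second-factor codes

    public AccountController(IIdentityServerInteractionService interaction, IUserStore users)
    { _interaction = interaction; _users = users; }

    // Step 1: IdentityServer redirects here with ?returnUrl=... (must be GET /account/login)
    [HttpGet("account/login")]
    public IActionResult Login(string returnUrl) => View(model: returnUrl);

    // Step 2: any path other than POST /account/login, so IdentityServer does not intercept
    // the result. Only the verified username and the returnUrl go into the partial cookie.
    [HttpPost("account/password")]
    public async Task<IActionResult> Password(string username, string password, string returnUrl)
    {
        if (!await _users.VerifyPassword(username, password)) return View("Login", model: returnUrl);
        var partial = new ClaimsIdentity(new[] { new Claim("my-user", username),
                                                 new Claim("return-url", returnUrl ?? "") }, PartialScheme);
        await HttpContext.Authentication.SignInAsync(PartialScheme, new ClaimsPrincipal(partial));
        return RedirectToAction(nameof(SecondFactor));
    }

    [HttpGet("account/second-factor")]
    public IActionResult SecondFactor() => View();

    // Step 3: reachable only with a valid partial cookie; consumes it and issues the real session.
    [HttpPost("account/second-factor")]
    public async Task<IActionResult> SecondFactor(string code)
    {
        var partial = await HttpContext.Authentication.AuthenticateAsync(PartialScheme);
        var username = partial?.Claims.FirstOrDefault(c => c.Type == "my-user")?.Value;
        if (username == null) return RedirectToAction(nameof(Login)); // no or expired partial cookie: start over
        if (!await _users.VerifySecondFactor(username, code)) return View();
        var returnUrl = partial.Claims.FirstOrDefault(c => c.Type == "return-url")?.Value;
        await HttpContext.Authentication.SignOutAsync(PartialScheme);     // partial state is single-use
        await HttpContext.Authentication.SignInAsync(username, username); // IdentityServer4 extension
        // Follow returnUrl only if it points back at IdentityServer's own authorize endpoint
        return _interaction.IsValidReturnUrl(returnUrl) ? Redirect(returnUrl) : Redirect("~/");
    }
}
```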
