WebForms authentication against Azure AD


Problem description

I have a WebForms site that has been running on an internal server and authenticating users against our internal Active Directory. Due to some new features that we are implementing, this site needs to be moved to an external server and then authentication changed so that it authenticates users against our Office 365 accounts. To this end I have:

  1. Created a new WebForms site (not using MVC)
  2. Set up a new application in Azure.
  3. Modified the Startup.Auth.cs as follows:

public void ConfigureAuth(IAppBuilder app)
{
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });

    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = "MyApplicationGUID",
        Authority = "https://login.windows.net/MyDomain.com"
    });
}

When I go to the default page and click Log On, it takes me to the correct Login page and the button for OpenID is shown. If I click the button, I am taken to the Microsoft Login page where I am able to enter my credentials. However, at that point, I am redirected back to my site's login page where it is still asking for a username/password.

What I would like to have happen is to set the site up so that if a user is not authenticated, they are redirected directly to the Microsoft login page and upon successful login are redirected back to the page they requested originally. Failing this, I would be satisfied with getting the default login page working so that when I click OpenID I'm not redirected back to the login page.

I don't have time to learn MVC at this point and port the whole thing over so going that route is not an option at this time.

I don't know enough about this process, so if my question doesn't make sense or if you need more information, please let me know and I'll be glad to try and find what you need to assist me in this.

Recommended answer

Maybe I'm missing something, but I don't see why you need the custom login page or the external signin cookie. A typical Startup.Auth for OIDC/AAD looks something like this:

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = "AppGUID",
        Authority = "https://login.windows.net/MyDomain.com",

        // After authentication return user to the page they were trying
        // to access before being redirected to the Azure AD signin page.
        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            RedirectToIdentityProvider = (context) =>
                {
                    string currentUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.Path;
                    context.ProtocolMessage.RedirectUri = currentUrl;

                    return Task.FromResult(0);
                }
        }
    });

The cookie auth is just to keep from going to AAD for every single request. All the real work happens in the OpenIdConnectAuthentication.

Here's an example of WebForms, Azure AD, and OpenID Connect:
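
An added example, not part of the original answer or of the sample it refers to: a variant of the answer's startup code that keeps the OpenID Connect redirect URI fixed from configuration and carries the originally requested page in the sign-in state, plus a helper that sends anonymous users straight to the Microsoft sign-in page. The `ida:RedirectUri` appSettings key and the `SignInHelper` class are hypothetical names, and the code assumes the Katana packages Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.Cookies and Microsoft.Owin.Security.OpenIdConnect.

```csharp
using System.Configuration;
using System.Web;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        // No LoginPath: the cookie middleware never redirects to a local login form.
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "AppGUID",                                  // placeholder from the answer
            Authority = "https://login.windows.net/MyDomain.com",  // placeholder from the answer
            // Fixed reply URL read from web.config (hypothetical key), so the
            // redirect_uri sent to Azure AD does not depend on the request's Host header.
            RedirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"]
        });
    }
}

public static class SignInHelper   // hypothetical helper, call it e.g. from Page_Load
{
    public static void ChallengeIfAnonymous(HttpContext context)
    {
        if (context.Request.IsAuthenticated) return;

        // Return only to a path on this site after sign-in.
        string returnUrl = context.Request.RawUrl;
        if (!IsLocalUrl(returnUrl)) returnUrl = "/";

        // The middleware round-trips AuthenticationProperties in the protected
        // "state" parameter and redirects to RedirectUri once the token validates.
        context.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = returnUrl },
            OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }

    // True only for site-relative paths: "/x" is accepted, "//host" and "/\host" are not.
    public static bool IsLocalUrl(string url)
    {
        return !string.IsNullOrEmpty(url) && url[0] == '/'
            && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }
}
```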
