在ASP.NET Core上配置DefaultScheme和DefaultChallengeScheme有什么意义? [英] What is the point of configuring DefaultScheme and DefaultChallengeScheme on ASP.NET Core?

问题描述

我正在学习安全性如何在ASP.NET Core 2.0和IdentityServer4上工作.我使用IdentityServer，API和ASP.NET Core MVC客户端应用程序设置了项目.

I am learning how security works on ASP.NET Core 2.0 and IdentityServer4. I set up the projects with IdentityServer, API and ASP.NET Core MVC Client App.

ConfigureService方法，如下所示.在这里，我在DefaultScheme和DefaultChallengeScheme上感到困惑.配置这些的重点是什么?如果可能的话，对其进行详细的描述将非常有帮助.

ConfigureService method on Client App as in below. Here I am confusing on DefaultScheme and DefaultChallengeScheme. What is the point of configuring those? A detailed description on how it works would be really helpful if possible.

我已经看到了DefaultSignInScheme而不是DefaultScheme，但是它如何工作?这些有什么区别?

I already seen instead of DefaultScheme, DefaultSignInScheme also works, but how does it work? What is the difference of those?

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        //options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        //options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie("Cookies")
    .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
    {
        options.SignInScheme = "Cookies";
        options.RequireHttpsMetadata = false;

        options.Authority = "http://localhost:5000/";
        options.ClientId = "mvcclient";
        options.SaveTokens = true;
    });
}

推荐答案

首先请注意，您在那里没有使用ASP.NET Core Identity.身份是在身份验证系统的顶部构建的用户管理堆栈.您似乎正在将OpenID Connect与IdentityServer作为提供程序一起使用，因此您的Web应用程序将仅使用OIDC信息，而不必管理自己的身份(尽管IdentityServer可能使用ASP.NET Core身份).

First of all note that you are not using ASP.NET Core Identity there. Identity is the user management stack that builds on top of the authentication system. You appear to be using OpenID Connect with an IdentityServer as the provider, so your web application will only consume the OIDC information but not have to manage its own identities (it may be possible that the IdentityServer is using ASP.NET Core Identity though).

身份验证堆栈在ASP.NET Core中的工作方式是可以配置一组身份验证方案.这些方案中的某些方案打算结合使用，例如cookie身份验证方案很少单独使用，但也有一些方案可以完全分开使用(例如JWT Bearer身份验证).

The way the authentication stack works in ASP.NET Core is that you can configure a set of authentication schemes. Some of these schemes are meant to be used in combination, for example the cookie authentication scheme is rarely used on its own, but there are also schemes that can be used completely separate (for example JWT Bearer authentication).

在身份验证世界中，您可以执行某些操作:

In the authentication world, there are certain actions that you can perform:

• 身份验证:基本上，身份验证意味着使用给定的信息并尝试使用该信息对用户进行身份验证.因此，这将尝试创建用户身份并将其用于框架.

• Authenticate: To authenticate basically means to use the given information and attempt to authenticate the user with that information. So this will attempt to create a user identity and make it available for the framework.

例如，cookie身份验证方案使用cookie数据来还原用户身份.否则，JWT Bearer身份验证方案将使用请求中作为Authorization标头一部分提供的令牌来创建用户身份.

For example, the cookie authentication scheme uses cookie data to restore the user identity. Or the JWT Bearer authentication scheme will use the token that is provided as part of the Authorization header in the request to create the user identity.

挑战:挑战身份验证方案时，该方案应提示用户进行身份验证.例如，这可能意味着用户将被重定向到登录表单，或者将被重定向到外部身份验证提供程序.

Challenge: When an authentication scheme is challenged, the scheme should prompt the user to authenticate themselves. This could for example mean that the user gets redirected to a login form, or that there will be a redirect to an external authentication provider.

禁止:当禁止身份验证方案时，该方案基本上只是以某种响应来告知用户，他们可能不会做任何尝试做的事情.这通常是 HTTP 403 错误，并且可能是重定向到某些错误页面.

Forbid: When an authentication scheme is forbidden, the scheme basically just responds with something that tells the user that they may not do whatever they attempted to do. This is commonly a HTTP 403 error, and may be a redirect to some error page.

登录:登录身份验证方案时，系统会告知该方案采用现有用户(ClaimsPrincipal)并以某种方式保留该用户.例如，使用Cookie身份验证方案登录用户基本上会创建一个包含该用户身份的Cookie.

Sign-in: When an authentication scheme is being signed in, then the scheme is being told to take an existing user (a ClaimsPrincipal) and to persist that in some way. For example, signing a user in on the cookie authentication scheme will basically create a cookie containing that user’s identity.

退出:这是登录的相反过程，基本上可以告诉认证方案删除该持久性.退出cookie方案将使cookie有效.

Sign-out: This is the inverse of sign-in and will basically tell the authentication scheme to remove that persistance. Signing out on the cookie scheme will effectively expire the cookie.

请注意，并非所有身份验证方案都可以执行所有选项.登录和注销通常是特殊操作. cookie身份验证方案是一个支持登录和注销的示例，但是OIDC方案例如不能做到这一点，而是将依赖于其他方案来登录并保留身份.这就是为什么您通常会同时看到它的cookie方案的原因.

Note that not all authentication schemes can perform all options. Sign-in and sign-out are typically special actions. The cookie authentication scheme is an example that supports signing in and out, but the OIDC scheme for example cannot do that but will rely on a different scheme to sign-in and persist the identity. That’s why you will usually see the cookie scheme with it as well.

典型身份验证流程

可以明确使用身份验证方案.当您使用身份验证之一时HttpContext 上的扩展方法，例如

Typical authentication flow

Authentication schemes can be used explicitly. When you use one of the authentication extension methods on the HttpContext, for example httpContext.AuthenticateAsync(), then you can always explicitly specify what authentication scheme you want to use for this operation.

例如，如果您想使用cookie身份验证方案"Cookie"登录，则可以从代码中像这样简单地调用它:

So if you, for example, want to sign in with the cookie authentication scheme "Cookie", you could simply call it like this from your code:

 var user = new ClaimsPrincipal(…);
 await httpContext.SignInAsync(user, "Cookie");

但是在实践中，最直接的事情就是直接直接地进行身份验证.取而代之的是，您通常将依赖于框架为您执行身份验证.为此，框架需要知道对哪种操作使用哪种身份验证方案.

But in practice, calling the authentication directly and explicitly like that is not the most common thing to do. Instead, you will typically rely on the framework to do authentication for you. And for that, the framework needs to know which authentication scheme to use for what operation.

这就是 AuthenticationOptions 用于.您可以配置这些选项，以便可以显式定义将哪些身份验证方案用作这些身份验证操作的默认身份验证:

That is what the AuthenticationOptions are for. You can configure those options so that you can explicitly define what authentication scheme to use as the default for each of those authentication actions:

• :设置身份验证时使用的默认方案.
• :设置挑战时使用的默认方案.
• :设置禁止访问时使用的默认方案.
• :设置默认的登录方案.
• :设置默认方案以退出.
• :设置默认的后备方案(请参见下文).

• DefaultAuthenticateScheme: Sets the default scheme to use when authenticating.
• DefaultChallengeScheme: Sets the default scheme to use when challenging.
• DefaultForbidScheme: Sets the default scheme to use when access is forbidden.
• DefaultSignInScheme: Sets the default scheme to sign in.
• DefaultSignOutScheme: Sets the default scheme to sign out.
• DefaultScheme: Sets the default fallback scheme (see below).

您通常不会配置 all 所有这些属性.相反，该框架具有一些默认的后备，因此您可以仅配置这些属性的一部分.逻辑是这样的:

You typically don’t configure all those properties. Instead, the framework has some default fallbacks, so you can configure just a subset of those properties. The logic is like this:

• 验证:DefaultAuthenticateScheme或DefaultScheme
• 挑战:DefaultChallengeScheme或DefaultScheme
• 禁止:DefaultForbidScheme，DefaultChallengeScheme或DefaultScheme
• 登录:DefaultSignInScheme或DefaultScheme
• 退出:DefaultSignOutScheme或DefaultScheme

• Authenticate: DefaultAuthenticateScheme, or DefaultScheme
• Challenge: DefaultChallengeScheme, or DefaultScheme
• Forbid: DefaultForbidScheme, or DefaultChallengeScheme, or DefaultScheme
• Sign-in: DefaultSignInScheme, or DefaultScheme
• Sign-out: DefaultSignOutScheme, or DefaultScheme

如您所见，如果未配置特定的默认操作，则每个身份验证操作都将退回到DefaultScheme.因此，通常会看到正在配置DefaultScheme，然后为需要其他方案的用户配置了特定的操作.

As you can see, each of the authentication actions falls back to DefaultScheme if the specific action’s default isn’t configured. So what you will typically see is the DefaultScheme being configured, and then the specific actions are configured for those where a different scheme is required.

您的示例很好地说明了这一点:使用OIDC，您将需要一种登录方案，该方案可以保留外部身份验证提供程序提供的身份.因此，您通常会看到OIDC和Cookie身份验证方案:

Your example shows this pretty well: With OIDC, you will need a sign-in scheme that can persist the identity that is provided by the external authentication provider. So you will usually see the OIDC and cookie authentication schemes:

services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
});

对于用户来说，正常的交互是通过cookie身份验证方案进行的:当他们访问Web应用程序时，cookie身份验证方案将尝试使用其cookie对它们进行身份验证.因此，将cookie身份验证方案用作所有操作的默认方案.

For the user, the normal interaction is through the cookie authentication scheme: When they access the web application, the cookie authentication scheme will attempt to authenticate them using their cookie. So using the cookie authentication scheme as the default scheme for all operations.

例外是在挑战身份验证时:在这种情况下，我们希望将用户重定向到OIDC提供程序，以便他们可以在那里登录并以身份返回.因此，我们将默认的挑战方案设置为OIDC方案.

The exception is when challenging the authentication: In that case, we want the user to be redirected to the OIDC provider, so they can log in there and return with an identity. So we set the default challenge scheme to the OIDC scheme.

此外，我们还将OIDC方案与cookie方案链接在一起.当用户受到挑战并使用其外部身份验证提供程序登录时，他们将使用其外部身份发送回Web应用程序.尽管OIDC方案无法持久保留该身份，所以它使用 签名不同的方案-cookie方案，然后它将代表OIDC方案持久化身份.这样，cookie方案将为OIDC身份创建一个cookie，并且在下一个请求时，cookie方案(这是默认方案)将能够使用该cookie再次对用户进行身份验证.

In addition, we also link the OIDC scheme with the cookie scheme. When the user gets challenged and logs in with their external authentication provider, they will get sent back to the web application with their external identity. The OIDC scheme cannot persist that identity though, so it signs in using a different scheme—the cookie scheme—which will then persist the identity on behalf of the OIDC scheme. Soo the cookie scheme will create a cookie for the OIDC identity, and on the next request, the cookie scheme (which is the default scheme) will be able to authenticate the user again using that cookie.

因此，在大多数情况下，只需指定默认方案即可，然后根据您的身份验证设置，可以更改一个或两个显式操作.但是从理论上讲，您可以完全设置一个非常复杂的设置，包括不同的默认值和多种方案:该框架为您提供了很大的灵活性.

So most of the time, you will be fine with just specifying the default scheme and then depending on your authentication setup maybe change one or two explicit actions. But theoretically, you can totally set up a very complex setup of different defaults and multiple schemes: The framework gives you a lot of flexibility here.

这篇关于在ASP.NET Core上配置DefaultScheme和DefaultChallengeScheme有什么意义?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！