How do I issue the corresponding Bearer and Cookie identity in ASP.NET with multiple Authorization schemes?


Question

This documentation describes in part how to use more than one authentication scheme:

In some scenarios, such as Single Page Applications, it is possible to end up with multiple authentication methods. For example, your application may use cookie-based authentication to log in and bearer authentication for JavaScript requests. In some cases you may have multiple instances of an authentication middleware. For example, two cookie middlewares where one contains a basic identity and one is created when a multi-factor authentication has triggered because the user requested an operation that requires extra security.

Example:

// Cookie middleware: only consulted when a caller asks for the "Cookie" scheme,
// because AutomaticAuthenticate is false.
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    AuthenticationScheme = "Cookie",
    LoginPath = new PathString("/Account/Unauthorized/"),
    AccessDeniedPath = new PathString("/Account/Forbidden/"),
    AutomaticAuthenticate = false
});

// Bearer middleware: likewise not automatic, so HttpContext.User is not
// populated from a bearer token unless the "Bearer" scheme is requested.
app.UseBearerAuthentication(options =>
{
    options.AuthenticationScheme = "Bearer";
    options.AutomaticAuthenticate = false;
});

However, it only describes how to use Bearer or Cookie auth. What isn't clear is what other combinations are valid, or how to properly issue bearer tokens or cookies to the client.

So how is this done?

Answer

One common use case for this, which large sites like Facebook, Google etc. use, is to use multiple cookie authentication middlewares and set one of them to be the default using AutomaticAuthenticate:

// Default scheme: runs on every request (AutomaticAuthenticate = true) and
// populates HttpContext.User from the long-lived cookie.
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    AuthenticationScheme = "InsecureLongLived",
    LoginPath = new PathString("/Account/Unauthorized/"),
    AccessDeniedPath = new PathString("/Account/Forbidden/"),
    AutomaticAuthenticate = true
});
// Step-up scheme: only consulted when an action explicitly names it, so a
// short-lived cookie can be demanded for sensitive operations.
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    AuthenticationScheme = "SecureAndShortLived",
    LoginPath = new PathString("/Account/Unauthorized/"),
    AccessDeniedPath = new PathString("/Account/Forbidden/"),
    AutomaticAuthenticate = false
});

  • The default one is long-lived and is used for non-critical authentication scenarios; on Facebook, for example, this might be viewing your profile page.
  • The more secure, shorter-lived one is used for user actions where security is critical, such as changing a password or profile information.

    This gives you the convenience of not having to login all the time with a long lived cookie but as soon as you need to do something potentially dangerous, you switch to doing auth with a much shorter lived and thus more secure cookie which requires the user to login again.
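The answer shows the middleware registration but not how the two cookies are actually issued or demanded. The following is an added example (not code from the question, the answer, or the ASP.NET documentation) that completes the pattern on the ASP.NET Core 1.x API the page uses: the long-lived cookie is issued at normal login, the short-lived one only after the user re-enters their password on a step-up page, and a sensitive action names the short-lived scheme so an expired or missing step-up cookie forces re-login. The controller, the `/Account/StepUp` path, the cookie names, the lifetimes and the `ValidateAsync` credential check are all assumptions made for the example.

```csharp
// Added example: two cookie schemes, one automatic and long-lived, one
// explicit and short-lived, on ASP.NET Core 1.x. Everything below the
// middleware options (controller, paths, lifetimes, user check) is assumed.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Long-lived cookie: checked on every request, so plain [Authorize]
        // actions are satisfied by it. Sliding expiration keeps it alive.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationScheme = "InsecureLongLived",
            CookieName = "auth.long",                          // assumed name
            LoginPath = new PathString("/Account/Login"),
            AccessDeniedPath = new PathString("/Account/Forbidden"),
            AutomaticAuthenticate = true,
            ExpireTimeSpan = TimeSpan.FromDays(14),            // assumed lifetime
            SlidingExpiration = true
        });

        // Short-lived cookie: only consulted when an action names this scheme.
        // No sliding renewal, so it is simply gone after five minutes.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationScheme = "SecureAndShortLived",
            CookieName = "auth.short",                         // assumed name
            LoginPath = new PathString("/Account/StepUp"),     // assumed re-login page
            AccessDeniedPath = new PathString("/Account/Forbidden"),
            AutomaticAuthenticate = false,
            ExpireTimeSpan = TimeSpan.FromMinutes(5),          // assumed lifetime
            SlidingExpiration = false
        });

        app.UseMvcWithDefaultRoute();
    }
}

public class AccountController : Controller
{
    // Hypothetical credential check; a real app would use Identity or a user store.
    private static Task<bool> ValidateAsync(string user, string password)
        => Task.FromResult(user == "alice" && password == "correct horse");

    // The authenticationType must be non-null for IsAuthenticated to be true.
    private static ClaimsPrincipal BuildPrincipal(string user, string scheme)
        => new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, user) }, scheme));

    // Normal login: issues only the long-lived cookie.
    [HttpPost]
    public async Task<IActionResult> Login(string user, string password)
    {
        if (!await ValidateAsync(user, password)) return Unauthorized();
        await HttpContext.Authentication.SignInAsync("InsecureLongLived",
            BuildPrincipal(user, "InsecureLongLived"),
            new AuthenticationProperties { IsPersistent = true });
        return RedirectToAction(nameof(Profile));
    }

    // Step-up: the user re-enters the password and receives the short-lived
    // cookie in addition to the long-lived one already present.
    [HttpPost]
    public async Task<IActionResult> StepUp(string user, string password, string returnUrl)
    {
        if (!await ValidateAsync(user, password)) return Unauthorized();
        await HttpContext.Authentication.SignInAsync("SecureAndShortLived",
            BuildPrincipal(user, "SecureAndShortLived"),
            new AuthenticationProperties { IsPersistent = false });
        return LocalRedirect(returnUrl ?? "/");
    }

    // Non-critical page: the automatic long-lived cookie is enough.
    [Authorize]
    public IActionResult Profile() => Content("profile for " + User.Identity.Name);

    // Critical action: only the short-lived scheme counts. If that cookie is
    // missing or expired the authorize filter challenges this scheme, which
    // redirects to its LoginPath (/Account/StepUp) with a ReturnUrl.
    [HttpPost]
    [Authorize(ActiveAuthenticationSchemes = "SecureAndShortLived")]
    public async Task<IActionResult> ChangePassword(string newPassword)
    {
        // ... update the password for User.Identity.Name here ...
        // Drop the step-up cookie so the next sensitive action asks again.
        await HttpContext.Authentication.SignOutAsync("SecureAndShortLived");
        return Ok();
    }
}
```

Two details worth noting. With `AutomaticAuthenticate = false` on the second middleware, `HttpContext.User` is never populated from the short-lived cookie on its own; it is the `ActiveAuthenticationSchemes` on the attribute that makes the authorize filter call `AuthenticateAsync` for that scheme and, on failure, challenge it. And because the two cookies have different names, issuing the short-lived one does not disturb the long-lived session, so the user lands back on the page they came from rather than being logged out.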
