Blazor-将ADFS与本地数据库存储库一起使用可确保安全:如何/何时挂接到SQL [英] Blazor - Securing using ADFS with local DB repository: how/when to hook into SQL

问题描述

我有一个Blazer Server应用程序，该应用程序现在使用来自本地ADFS服务器的身份验证.确定了用户之后，我现在需要加载他们的权限.我们认为无法通过ADFS服务器的 声明提供此信息，因此想在数据库中进行配置，但需要了解如何/何时获得此信息.

关于进入ADFS的问题，我的代码如下(最欢迎提出任何改进建议)

App.razor

 < CascadingAuthenticationState><路由器AppAssembly ="@ typeof(Program).Assembly">< Found Context ="routeData">< AuthorizeRouteView RouteData ="@ routeData" DefaultLayout ="@ typeof(MainLayout)">< NotAuthorized>< h1>对不起</h1>< p>您无权访问此页面.< p>您可能需要以其他用户身份登录.</NotAuthorized></AuthorizeRouteView></找到>< NotFound>< LayoutView Layout ="@ typeof(MainLayout)">< h1>对不起</h1>< p>很抱歉，这个地址没有任何东西.</LayoutView></NotFound></路由器></CascadingAuthenticationState> 

appsettings.Development.json

  {"DetailedErrors":"true"，"ConnectionStrings":{"MyDB":数据源= x.x.x.x；初始目录= xxxxx；用户ID =我；密码= sshhh；持久安全信息= False；"}，"Ida":{"ADFSMetadata":"https://adfs.ourServer.com/FederationMetadata/2007-06/FederationMetadata.xml"，"Wtrealm":"https://localhost:44323/"}} 

Startup.cs(仅显示与安全相关的代码)

 使用Microsoft.AspNetCore.Authentication；使用Microsoft.AspNetCore.Authentication.Cookies;使用Microsoft.AspNetCore.Authentication.WsFederation;公共类创业{公共静态无效的Configure(IApplicationBuilder应用程序，IWebHostEnvironment env){.....app.UseAuthentication();app.Use(async(context，next)=>{context.Response.Headers.Add("X-Frame-Options"，"DENY");var user = context.User;if(user?.Identities.HasNoItems(identity => identity.IsAuthenticated)?true){await context.ChallengeAsync(WsFederationDefaults.AuthenticationScheme).ConfigureAwait(false);}如果(下一个！= null){等待next().ConfigureAwait(false);}});....} 

...

  public void ConfigureServices(IServiceCollection服务){var wtrealm = this.Configuration.GetSection("Ida:Wtrealm").Value;var metadataAddress = this.Configuration.GetSection("Ida:ADFSMetadata").Value;服务.AddAuthentication(sharedOptions =>{sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;}).AddWsFederation(options =>{options.Wtrealm = wtrealm;options.MetadataAddress =元数据地址;options.UseTokenLifetime = false;}).AddCookie();....}} 

关于上述代码有什么建议吗?当用户进入我们的网站(任何页面)时，他们会自动被推送到ADFS服务器进行身份验证.似乎还可以，但是阻止用户注销....

因此，从ADFS中，我们获得了一些标识用户的声明，例如他们的UPN名称.我的想法是转到数据库并加载该用户具有的所有角色/权限/权限.

• 我应该在代码中的什么地方放置
• 该数据库当前由使用较旧成员资格"表的另一个应用程序使用.我想使用最新的身份模型吗?我不能冒险破坏其他应用程序的安全性.我应该在新的数据库中存储安全性吗?

任何指针都将是最受欢迎的...假设我是新手.

解决方案

通常的方法是编写

appsettings.Development.json

{
  "DetailedErrors": "true",
  "ConnectionStrings": {
    "MyDB": "Data Source=x.x.x.x;Initial Catalog=xxxxx;user id=me;password=sshhh;Persist Security Info=False;"
  },
  "Ida": {
    "ADFSMetadata": "https://adfs.ourServer.com/FederationMetadata/2007-06/FederationMetadata.xml",
    "Wtrealm": "https://localhost:44323/"
  } 
}

Startup.cs (only showing security related code)

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
public class Startup
{
    public static void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        .....
        app.UseAuthentication();
        app.Use(async (context, next) =>
        {
            context.Response.Headers.Add("X-Frame-Options", "DENY");
            var user = context.User;
            if (user?.Identities.HasNoItems(identity => identity.IsAuthenticated) ?? true)
            {
                await context.ChallengeAsync(WsFederationDefaults.AuthenticationScheme).ConfigureAwait(false);
            }

            if (next != null)
            {
                await next().ConfigureAwait(false);
            }
        });

        ....
    }

...

    public void ConfigureServices(IServiceCollection services)
    {
        var wtrealm = this.Configuration.GetSection("Ida:Wtrealm").Value;
        var metadataAddress = this.Configuration.GetSection("Ida:ADFSMetadata").Value;

        services
            .AddAuthentication(sharedOptions =>
            {
                sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
            })
            .AddWsFederation(options =>
            {
                options.Wtrealm = wtrealm ;
                options.MetadataAddress = metadataAddress;
                options.UseTokenLifetime = false;
            })
            .AddCookie();
        ....
    }
}

Any suggestions regarding the above code? When the user enters our site (any page), they automatically get pushed to the ADFS server to authenticate. Seems okay, but prevents the user from logging out....

So, from ADFS we get several claims that identify the user, e.g. their UPNname. My thought is to go to the DB and load all the roles/permissions/rights that this user has.

• Where in my code should I put such code
• The DB is currently used by another application that uses the older "membership" tables. I want to use something a bit more up-to-date, the identity model? I can't risk breaking security for the other application. Should I store security in a new DB?

Any pointers would be most welcome...assume I'm a novice at this.

解决方案

The usual way to do this is to write a custom attribute provider for ADFS.

Then you can get the roles you want from the DB and they are added to the claims.

这篇关于Blazor-将ADFS与本地数据库存储库一起使用可确保安全:如何/何时挂接到SQL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！