在 Asp.Net Core Web 应用程序中使用 EasyAuth 对 Azure 应用服务上的 AAD 进行身份验证时,无法填充 ClaimsPrincipal [英] Trouble getting ClaimsPrincipal populated when using EasyAuth to authenticate against AAD on Azure App Service in a Asp.Net Core web app
问题描述
我们有一个基于 Asp.Net 核心的网络应用程序.它不包含任何配置在其中的身份验证中间件.
We have a web app built on Asp.Net core. It doesn't contain any authentication middleware configured in it.
我们托管在 Azure 应用服务上,并使用身份验证/授权选项 (EasyAuth) 对 Azure AD 进行身份验证.
We are hosting on Azure App Service and using the Authentication/Authorization option (EasyAuth) to authenticate against Azure AD.
身份验证运行良好 - 我们插入了必要的标头,我们可以在/.auth/me 中看到经过身份验证的身份.但是 HttpContext.User 属性没有被填充.
The authentication works well - we get the requisite headers inserted and we can see the authenticated identity at /.auth/me. But the HttpContext.User property doesn't get populated.
这是 Asp.Net 核心的兼容性问题吗?还是我做错了什么?
Is this a compatibility issue for Asp.Net core? Or am I doing something wrong?
推荐答案
是的,这是一个兼容性问题.遗憾的是,ASP.NET Core 不支持将身份信息从 IIS 模块(如 Easy Auth)传输到应用程序代码.这意味着 HttpContext.User 和类似的代码将无法像在常规 ASP.NET 中那样工作.
Yes, this is a compatibility issue. ASP.NET Core does not support flowing identity info from an IIS module (like Easy Auth) to the app code, unfortunately. This means HttpContext.User and similar code won't work like it does with regular ASP.NET.
目前的解决方法是从您的服务器代码调用您的网络应用程序的/.auth/me 端点以获取用户声明.然后,您可以使用 x-ms-client-principal-id 请求标头值作为缓存键来适当缓存此数据./.auth/me 调用需要以与对您的网络应用程序的调用需要进行身份验证(身份验证 cookie 或请求标头令牌)相同的方式进行正确身份验证.
The workaround for now is to invoke your web app's /.auth/me endpoint from your server code to get the user claims. You can then cache this data as appropriate using the x-ms-client-principal-id request header value as the cache key. The /.auth/me call will need to be properly authenticated in the same way that calls to your web app need to be authenticated (auth cookie or request header token).
这篇关于在 Asp.Net Core Web 应用程序中使用 EasyAuth 对 Azure 应用服务上的 AAD 进行身份验证时,无法填充 ClaimsPrincipal的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
