Supporting Individual User Accounts AND Organizational Accounts in MVC5 / ASP.Net Identity 2


Question

I've created an ASP.Net MVC5 application, in which I have configured (and have working fine) Individual User Accounts via Google, Facebook, etc.

What I'd like to do is also support authentication against Azure Active Directory (Organizational Accounts). This would be for internal staff to be able to log on to the app as administrators.

All existing information/guides/documentation I've found typically deals with using one or the other. How would I enable them both together?

If there needs to be a separate logon form for each type of user, that would not be an issue.

I was looking at the Application configuration within the Azure Active Directory portal, and noticed that they define an "OAUTH 2.0 AUTHORIZATION ENDPOINT". Can MVC5 be configured within Startup.Auth.cs to use this?

Accepted answer

I managed to implement this by doing the following:

First, adding a reference to the Microsoft.Owin.Security.OpenIdConnect NuGet package.

Second, configuring this in my Startup.Auth.cs:

// Registers Azure AD (OpenID Connect) as an additional external login provider,
// alongside the Google/Facebook providers already configured in ConfigureAuth.
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ClientId = "From the Azure Portal (see below)",
    Authority = "https://login.windows.net/<domain>.onmicrosoft.com",
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        // Only redirect to Azure AD when the challenge comes from the ExternalLogin action;
        // for every other request (e.g. an ordinary 401) skip this middleware so the
        // individual-account login is not hijacked.
        RedirectToIdentityProvider = (ctx) =>
        {
            if (ctx.Request.Path.Value.EndsWith("ExternalLogin"))
            {
                string appBasePathUrl = ctx.Request.Scheme + "://" + ctx.Request.Host + ctx.Request.PathBase;
                ctx.ProtocolMessage.RedirectUri = appBasePathUrl + "/";
                ctx.ProtocolMessage.PostLogoutRedirectUri = appBasePathUrl;
            }
            else
            {
                ctx.State = NotificationResultState.Skipped;
                ctx.HandleResponse();
            }

            return Task.FromResult(0);
        }
    },
    // The AuthenticationType is the provider name the login form posts back (see below).
    Description = new AuthenticationDescription
    {
        AuthenticationType = "OpenIdConnect",
        Caption = "SomeNameHere"
    }
});

Third, I set up the application in the Azure Portal (classic):

Fourth, I added a separate logon page for admin users:

@using (Html.BeginForm("ExternalLogin", "Home"))
{
    @Html.AntiForgeryToken()
    <div class="ui basic segment">
        <div class="ui list">
            <div class="item">
                <button type="submit" name="provider" value="OpenIdConnect" class="left floated huge ui button social">
                    <i class="windows icon"></i>
                    <span>My Org Name</span>
                </button>
            </div>
        </div>
    </div>
}

Fifth, the ExternalLogin action doesn't need to change - we just let the OWIN middleware redirect us to the external login page. The flow would then direct the user back to the ExternalLoginCallback action.

Finally, in the ExternalLoginCallback action, I check the incoming claims to determine that the login was via Azure AD, and instead of calling into ASP.NET Identity, I construct my own ClaimsIdentity, which has all my (application specific) claim information which my application recognises as an admin user.

Now, admin users navigate to https://example.com/admin, click the login button, are redirected to the Azure AD login, and wind up back at the application as an admin user.
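The ExternalLoginCallback branch the answer describes, written out as an added example (this is not the answerer's code). It assumes the Startup.Auth.cs configuration above signs the external identity into the MVC5 template's external cookie, that the Azure AD tenant id is available as a configuration value (placeholder below), and that an Admin controller exists; the check against the tenant id is added so that a token from a different Azure AD directory is not accepted as an admin login.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

public partial class AccountController : Controller
{
    // Assumed: the tenant id (GUID) of your own Azure AD directory; placeholder, read it from config.
    private const string ExpectedTenantId = "<your-tenant-id-guid>";
    // Claim type the OWIN JWT handler maps Azure AD's "tid" claim to.
    private const string TenantIdClaimType = "http://schemas.microsoft.com/identity/claims/tenantid";

    [AllowAnonymous]
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        IAuthenticationManager auth = HttpContext.GetOwinContext().Authentication;
        // The OpenIdConnect middleware signed the user into the external cookie; read it back.
        ClaimsIdentity external = await auth.GetExternalIdentityAsync(DefaultAuthenticationTypes.ExternalCookie);
        if (external == null) return RedirectToAction("Login");

        if (IsFromOurAzureAdTenant(external))
        {
            // Bypass ASP.NET Identity: sign the application cookie in with our own admin identity.
            auth.SignOut(DefaultAuthenticationTypes.ExternalCookie);
            auth.SignIn(new AuthenticationProperties { IsPersistent = false }, BuildAdminIdentity(external));
            return RedirectToAction("Index", "Admin");
        }
        // Google/Facebook logins continue through the template's ASP.NET Identity code (not shown).
        return RedirectToAction("Login");
    }

    // Only a token issued for our own directory counts as an organizational login;
    // an id_token from any other Azure AD tenant carries a different tenant id claim.
    internal static bool IsFromOurAzureAdTenant(ClaimsIdentity external)
    {
        Claim tenant = external.FindFirst(TenantIdClaimType);
        return tenant != null && tenant.Value == ExpectedTenantId;
    }

    // The application-specific identity the rest of the app recognises as an admin user.
    internal static ClaimsIdentity BuildAdminIdentity(ClaimsIdentity external)
    {
        var identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);
        Claim subject = external.FindFirst(ClaimTypes.NameIdentifier); // Azure AD "sub"
        Claim upn = external.FindFirst(ClaimTypes.Upn);                 // Azure AD "upn", if present
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, subject.Value));
        identity.AddClaim(new Claim(ClaimTypes.Name, upn != null ? upn.Value : subject.Value));
        identity.AddClaim(new Claim(ClaimTypes.Role, "Admin"));
        return identity;
    }
}
```

Protect the admin area with [Authorize(Roles = "Admin")] so that a social login, which never receives the Admin role claim here, cannot reach it.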
