How to set Claims from ASP.Net OpenID Connect OWIN components?

Question

I have questions upon using the new ASP.Net OpenID Connect framework while adding new Claims during the authentication pipeline as shown in the code below. I'm not sure just how much 'magic' is happening behind the scenes. I think most of my questions center around not knowing much about OWIN authentication middleware as opposed to OpenID Connect.

Q1. Should I be manually setting HttpContext.Current.User and Thread.CurrentPrincipal from OwinContext.Authentication.User?

Q2. I want the ability to add object types to claims like I used to with System.IdentityModel.Claims.Claim. The new System.Security.Claims.Claim class only accepts string values?

Q3. Do I need to use the new SessionSecurityToken wrapper for my ClaimsPrincipal in System.Security.Claims.CurrentPrincipal for serializing into a cookie - I am using app.UseCookieAuthentication(new CookieAuthenticationOptions()); but not sure what that does exactly in terms of maintaining any additional claims I added during the SecurityTokenValidated event?

using System.Globalization;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // OpenID Connect settings; assigned elsewhere in the project (values not shown in the question)
    private static string clientId;
    private static string authority;
    private static string postLogoutRedirectUri;

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                PostLogoutRedirectUri = postLogoutRedirectUri,

                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    SecurityTokenValidated = (context) =>
                    {
                        // retrieve caller data from the incoming principal (built from the validated token)
                        var UPN = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value;
                        var db = new SOSBIADPEntities();

                        var user = db.DomainUser.FirstOrDefault(b => (b.EntityName == UPN));

                        if (user == null)
                        {
                            // the caller was not a registered user - throw to block the authentication flow
                            throw new SecurityTokenValidationException();
                        }

                        // a second identity carrying the application-specific claims
                        var applicationUserIdentity = new ClaimsIdentity();
                        applicationUserIdentity.AddClaim(new Claim(ClaimTypes.Name, UPN));
                        applicationUserIdentity.AddClaim(new Claim(ClaimTypes.Sid, user.ID.ToString(CultureInfo.InvariantCulture)));

                        var applications =
                            db.ApplicationUser
                            .Where(x => x.ApplicationChild != null && x.DomainUser.ID == user.ID)
                            .Select(x => x.ApplicationChild).OrderBy(x => x.SortOrder)
                            .ToList(); // materialize the query; IQueryable has no ForEach

                        foreach (var application in applications)
                        {
                            applicationUserIdentity.AddClaim(new Claim(ClaimTypes.System, application.ID.ToString(CultureInfo.InvariantCulture)));
                        }

                        context.OwinContext.Authentication.User.AddIdentity(applicationUserIdentity);

                        // debugging probe: is the new claim visible on the OWIN principal?
                        var hasOutlook = context.OwinContext.Authentication.User.HasClaim(ClaimTypes.System, "1");

                        // manual propagation to the request principal (the subject of Q1)
                        HttpContext.Current.User = context.OwinContext.Authentication.User;
                        Thread.CurrentPrincipal = context.OwinContext.Authentication.User;

                        // debugging probes: what do the request and ambient principals see?
                        var usr = HttpContext.Current.User;
                        var c = System.Security.Claims.ClaimsPrincipal.Current.Claims.Count();

                        return Task.FromResult(0);
                    },
                }
            }
        );
    }
}

Answer

Is there a specific reason for which you are adding a new ClaimsIdentity?

The simplest way of doing what you are aiming at is to retrieve the ClaimsIdentity that was generated by validating the incoming token, via ClaimsIdentity claimsId = context.AuthenticationTicket.Identity; once you have it, just add claims to it. The rest of the middleware will take care of serializing it in the session cookie along with everything else, place the result in the current ClaimsPrincipal, and all those other things you appear to be trying to do manually.
HTH
V.
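The answer's approach carried through, as an added example that is not code from the question or the answer. It replaces the question's SOSBIADPEntities context with a hypothetical in-memory registry (RegisteredUser, FindRegisteredUser), uses placeholder settings, and introduces a custom claim type (urn:example:profile) plus Newtonsoft.Json to show how structured data fits into a string-valued Claim, which is the constraint behind Q2. The claim-adding logic is kept in a separate method so it can be exercised with a hand-made ClaimsIdentity without a running pipeline.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Newtonsoft.Json;
using Owin;

public partial class Startup
{
    // Placeholder settings (assumption): real values come from the application's configuration.
    private const string ClientId = "<client-id>";
    private const string Authority = "https://login.example/tenant";
    private const string PostLogoutRedirectUri = "https://app.example/";

    // Custom claim type for structured data (assumption: any URI you control will do).
    public const string ProfileClaimType = "urn:example:profile";

    // Hypothetical user record and lookup standing in for the question's DomainUser/ApplicationUser tables.
    public sealed class RegisteredUser
    {
        public int Id;
        public string Upn;
        public IReadOnlyList<int> ApplicationIds;
        public string Department;
    }

    // Constructed sample data, not a real directory.
    private static readonly Dictionary<string, RegisteredUser> Registry =
        new Dictionary<string, RegisteredUser>(StringComparer.OrdinalIgnoreCase)
        {
            ["alice@example.com"] = new RegisteredUser
            {
                Id = 42, Upn = "alice@example.com", ApplicationIds = new[] { 1, 7 }, Department = "Finance"
            },
        };

    public static RegisteredUser FindRegisteredUser(string upn)
    {
        RegisteredUser user;
        return upn != null && Registry.TryGetValue(upn, out user) ? user : null;
    }

    // Adds the application's claims to the identity the middleware built from the validated token.
    public static void AddApplicationClaims(ClaimsIdentity identity)
    {
        // The name comes from the validated id_token, never from anything the client sent in the clear.
        string upn = identity.FindFirst(ClaimTypes.Name)?.Value;
        RegisteredUser user = FindRegisteredUser(upn);
        if (user == null)
        {
            // Unknown caller: abort sign-in. The exception is reported through AuthenticationFailed.
            throw new SecurityTokenValidationException("Caller is not a registered user.");
        }

        identity.AddClaim(new Claim(ClaimTypes.Sid, user.Id.ToString(CultureInfo.InvariantCulture)));
        foreach (int appId in user.ApplicationIds)
        {
            identity.AddClaim(new Claim(ClaimTypes.System, appId.ToString(CultureInfo.InvariantCulture)));
        }

        // Claim.Value is a string: structured data must be serialized here and deserialized on read.
        // Keep it small; every claim added here is written into the authentication cookie on each response
        // and sent back on every request.
        var profile = new { user.Id, user.Department };
        identity.AddClaim(new Claim(ProfileClaimType, JsonConvert.SerializeObject(profile), ClaimValueTypes.String));
    }

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            PostLogoutRedirectUri = PostLogoutRedirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = context =>
                {
                    // This identity is what the cookie middleware serializes; no manual principal handling needed.
                    AddApplicationClaims(context.AuthenticationTicket.Identity);
                    return Task.FromResult(0);
                }
            }
        });
    }

    // On later requests the cookie middleware has already rebuilt the principal, so callers
    // (controllers, authorization filters) query it directly.
    public static bool HasApplication(ClaimsPrincipal principal, int appId)
    {
        return principal.HasClaim(ClaimTypes.System, appId.ToString(CultureInfo.InvariantCulture));
    }
}
```

Two practical notes on the questions the answer does not address explicitly. For Q1, the ASP.NET host integration sets HttpContext.Current.User and Thread.CurrentPrincipal from the OWIN principal on each request once the cookie middleware has authenticated it, so assigning them inside the notification is unnecessary. For Q3, SessionSecurityToken belongs to the WIF SessionAuthenticationModule; the Katana cookie middleware has its own ticket format, protected with the application's data protection provider (the machine key under IIS), so the added claims are tamper-evident but not secret from anyone holding the cookie, and they count against cookie size.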
