具有OpenIdAuthentication的ASP.NET:如果未授权，则重定向到url [英] ASP.NET with OpenIdAuthentication: redirect to url if not authorized

问题描述

我正在尝试编写使用混合身份验证方案的ASP.NET应用程序. 用户可以将其用户名和密码哈希存储在UserStore中，也可以通过Azure Active Directory进行身份验证.

I am attempting to write an ASP.NET application that uses a hybrid authentication scheme. A user can either have his username and password hash stored in the UserStore, or he can authenticate via Azure Active Directory.

我已经创建了如图所示的登录表单.它具有标准的UserName和Password输入，还具有通过Active Directory登录"按钮.

I have created the login form pictured. It has the standard UserName and Password inputs, but also has a "Login via Active Directory" button.

这很好.

现在解决该问题:应用程序的主页具有[Authorize]属性.

Now for the problem: The application's home page has the [Authorize] attribute.

public class DefaultController : Controller
{
    [Authorize]
    public ViewResult Index()
    { 
    // Implementation
    }
}

如果用户未登录，我希望它重定向到页面Account/Login，允许用户选择身份验证方法.

If the user is not logged in, I want it to redirect to the page Account/Login, allowing the user to choose the authentication method.

一旦我将IAppBuilder.UseOpenIdConnectAuthentication添加到管道设置中，它就不再重定向到该页面.而是直接转到"Microsoft登录"页面.

Once I added IAppBuilder.UseOpenIdConnectAuthentication to the pipeline setup, it no longer redirects to that page. Instead, it goes straight to the Microsoft Login page.

我如何配置它以使OpenID身份验证成为系统的一部分，但允许我指定当用户未经身份验证时如何执行重定向?

How do I configure it so that OpenID authentication is part of the system, but allow me to specify how to perform redirections when the user is not authenticated?

这是我建立管道的代码:

Here's the code where I set up the pipeline:

appBuilder.SetDefaultSignInAsAuthticationType(CookieAuthenticationDefaults.AuthenticationType_;
var cookieAuthenticationOptions = new CookieAuthenticationOptions
{
     AuthenticationType = DefaultAuthenticationType.ApplicationCookie,
     LoginPath = new Microsoft.Owin.PathString("/Account/Login"),
     Provider = new Security.CookieAuthenticationProvider()
};
appBuilder.UseCookieAuthentication(cookieAuthenticationOptions);
// Now the OpenId authentication
var notificationHandlers = new OpenIdConnectAuthenticationNotificationHandlers 
{
   AuthorizationCodeReceived = async(context) => {
       var jwtSecurityToken = context.JwtSecurityToken;
       // I've written a static method to convert the claims
       // to a user
       var user = await GetOrCreateUser(context.OwinContext, jwtSecurityToken.Claims);
       var signInManager = context.OwinContext.Get<SignInManager>();
       await signInManager.SignInAsync(user, true, false);
   }
}
var openIdOptions = new OpenIdConnectAuthenticationOptions
{
     ClientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
     Authority = "https://login.microsoftonline.com/xxxxx.onmicrosoft.com",
     PostLogoutRedirectUri = "https://localhost:52538/Account/Login",
     Notifications = notifcationHandlers
}
appBuilder.UseOpenIdConnectAuthentication(openIdOptions);

当您单击"Active Directory登录"时，它将发布到"Account/SignInWithOpenId"

When you click "Active Directory Signin", it posts to "Account/SignInWithOpenId"

public ActionResult SignInWithOpenId()
{
    // Send an OpenID Connect sign-in request.
    if (!Request.IsAuthenticated)
    {
        var authenticationProperties = new AuthenticationProperties
        {
            RedirectUri = "/"
        };
        HttpContext.GetOwinContext().Authentication.Challenge
        (
            authenticationProperties,
            OpenIdConnectAuthenticationDefaults.AuthenticationType
        );
        return new EmptyResult();
    }
    else
    {
        return RedirectToAction("Index", "Default");
    }
}

推荐答案

对IAppBuilder.UseOpenIdConnectAuthentication(...)的调用将Owin中间件组件放入管道中.当ASP.NET MVC返回401(未经授权)的HttpResponse时，Owin中间件组件将检测到该错误并将其更改为Http重定向(代码302)，并且重定向路径将指向Open Id提供程序.

The call to IAppBuilder.UseOpenIdConnectAuthentication(...) puts an Owin middleware component in the pipeline. When ASP.NET MVC returns an HttpResponse of 401 (Unauthorized), the Owin Middleware component detects this and changes it to an Http Redirect (code 302), and the redirection path is to the Open Id provider.

但是有一种解决方法:在中间件组件执行重定向之前，它会调用回调RedirectToIdentityProvider.从这里，您可以覆盖此重定向.

But there's a way to get around this: before the middleware component performs the redirect, it invokes the callback RedirectToIdentityProvider. From here, you can override this redirection.

这是我的代码，它将覆盖重定向，除非它来自请求路径Account/SignInWithOpenId.

Here is my code that overrides the redirection unless it is from the request path Account/SignInWithOpenId.

var notificationHandlers = new OpenIdConnectAuthenticationNotifications
{
    AuthorizationCodeReceived = async(context) => {
       // Sign in the user here
    },
    RedirectToIdentityProvider = (context) => {
        if(context.OwinContext.Request.Path.Value != "/Account/SignInWithOpenId")
        {
             context.OwinContext.Response.Redirect("/Account/Login");
             context.HandleResponse();
        }
        return Task.FromResult(0);
    }
}
var openIdOptions = new OpenIdConnectAuthenticationOptions
{
     ClientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
     Authority = "https://login.microsoftonline.com/xxxxx.onmicrosoft.com",
     PostLogoutRedirectUri = "https://localhost:52538/Account/Login",
     Notifications = notifcationHandlers
}
appBuilder.UseOpenIdConnectAuthentication(openIdOptions);

这篇关于具有OpenIdAuthentication的ASP.NET:如果未授权，则重定向到url的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！