ValidateIssuer option in OpenID Connect authentication

Views: 1063

Problem description

We are using the OIDC library and for now we allow only MSA account login. So we have configured the parameters ValidateIssuer = true and ValidIssuers = https://login.microsoftonline.com/.. However, we now need to onboard other AAD tenants (for example: abc@dell.com) to our application, so we decided to set ValidateIssuer = false.

Since my application is already backed up by custom authorization, I am finding it difficult to understand the purpose of this flag altogether. Basically my question is: under what circumstances would one not like to set this flag to false? And what risk might one run into if it is set to false?

I looked at the AAD docs published here and am still not able to find a convincing response from the comments over the sample code snippet:

        // ValidateIssuer set to false to allow work accounts from any organization to sign in to your application
        // To only allow users from a single organization, set ValidateIssuer to true and 'tenant' setting in web.config to the tenant name or Id (example: contoso.onmicrosoft.com)
        // To allow users from only a list of specific organizations, set ValidateIssuer to true and use ValidIssuers parameter
        TokenValidationParameters = new TokenValidationParameters()
        {
            ValidateIssuer = false
        },

Recommended answer

As the other answer already mentioned, if you leave ValidateIssuer = false, then the OIDC middleware will not try to validate the issuer tenant, and it would effectively mean that your application is open to anyone with a user in Azure AD.

Some suggestions on handling the multi-tenant case

  1. If you know the list of valid issuers ahead of time, make use of a list of issuers in TokenValidationParameters.ValidIssuers. Example:

  ValidIssuers = new List<string>()
  {
      "https://sts.windows.net/6d9c0c36-c30e-442b-b60a-ca22d8994d14/",
      "https://sts.windows.net/f69b5f46-9a0d-4a5c-9e25-54e42bbbd4c3/",
      "https://sts.windows.net/fb674642-8965-493d-beee-2703caa74f9a/"
  }

  2. If valid issuers for your application are dynamic, or if you want to write some logic to gather that list, you can write an implementation for TokenValidationParameters.IssuerValidator which has your custom logic. You just need to set a delegate that will be used to validate the issuer.

        TokenValidationParameters validationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,

            // Set this to a delegate and write your own custom implementation there. See code sample URL ahead for more details.
            IssuerValidator = AadIssuerValidator.ValidateAadIssuer
        };

  3. If neither case makes sense, and your validation logic is unrelated to the tenant to which the caller belongs, set TokenValidationParameters.ValidateIssuer to false, but make sure you add your custom logic at the end, for example in the SecurityTokenValidated notification.

    Sample code

    Build a multi-tenant SaaS web application using Azure AD & OpenID Connect

    Look closely at these files in this sample:

    • App_Start/Startup.Auth.cs
    • Utils/AadIssuerValidator.cs
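As an added illustration of suggestion 2 above (this is example code written for this page, not the linked sample's Utils/AadIssuerValidator.cs), here is an IssuerValidator delegate that keeps ValidateIssuer = true while admitting several tenants. It assumes the Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt packages (older OWIN samples use the System.IdentityModel.Tokens namespace instead); the allow-list of tenant IDs is constructed for the example, reusing two of the tenant GUIDs from the ValidIssuers list shown earlier, and the class and method names are the example's own. The check does two things that ValidateIssuer = false skips: it binds the issuer URL to the tenant named in the token's tid claim, and it rejects any tenant the application has not onboarded, so the app is no longer open to every Azure AD user.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.IdentityModel.Tokens.Jwt;   // JwtSecurityToken (System.IdentityModel.Tokens.Jwt package)
using Microsoft.IdentityModel.Tokens;     // TokenValidationParameters, SecurityToken, exceptions

// Added example: a tenant allow-list issuer validator for multi-tenant Azure AD sign-in.
// Not the AadIssuerValidator from the linked sample.
public static class TenantAllowListIssuerValidator
{
    // Constructed allow-list for this example; a real application would load the IDs of
    // onboarded tenants from its own configuration or tenant store.
    private static readonly HashSet<string> OnboardedTenantIds =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "6d9c0c36-c30e-442b-b60a-ca22d8994d14",
            "f69b5f46-9a0d-4a5c-9e25-54e42bbbd4c3",
        };

    // Matches the IssuerValidator delegate signature: return the issuer to accept it,
    // throw SecurityTokenInvalidIssuerException to reject it.
    public static string ValidateIssuer(string issuer, SecurityToken securityToken,
                                        TokenValidationParameters validationParameters)
    {
        var jwt = securityToken as JwtSecurityToken;
        if (jwt == null)
            throw new SecurityTokenInvalidIssuerException("Expected a JWT security token.");

        // Azure AD puts the tenant ID of the issuing directory in the 'tid' claim.
        string tid = jwt.Claims.FirstOrDefault(c => c.Type == "tid")?.Value;
        if (string.IsNullOrEmpty(tid))
            throw new SecurityTokenInvalidIssuerException("Token carries no 'tid' claim.");

        // Bind the issuer to the tenant the token claims to come from: a token issued by
        // one tenant must not be accepted on the strength of a 'tid' naming another.
        var expectedIssuers = new[]
        {
            $"https://sts.windows.net/{tid}/",                 // v1 endpoint issuer format
            $"https://login.microsoftonline.com/{tid}/v2.0",   // v2 endpoint issuer format
        };
        if (!expectedIssuers.Contains(issuer, StringComparer.OrdinalIgnoreCase))
            throw new SecurityTokenInvalidIssuerException(
                $"Issuer '{issuer}' does not match tenant '{tid}'.");

        // Only tenants the application has explicitly onboarded may sign in.
        if (!OnboardedTenantIds.Contains(tid))
            throw new SecurityTokenInvalidIssuerException(
                $"Tenant '{tid}' has not been onboarded to this application.");

        return issuer;
    }

    // Wiring: ValidateIssuer stays true; the delegate replaces a static ValidIssuers list.
    public static TokenValidationParameters BuildParameters()
    {
        return new TokenValidationParameters
        {
            ValidateIssuer = true,
            IssuerValidator = ValidateIssuer
        };
    }
}
```

Assign BuildParameters() to the middleware's TokenValidationParameters in place of the object shown in the question. Rejections surface as a failed token validation in the middleware, which is the point at which to log the offending issuer and tenant ID for monitoring.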
