在MVC 5中具有ASP.NET Identity的Autofac无法验证OWIN管道中的安全标记 [英] Autofac with ASP.NET Identity in MVC 5 does not validate Security Stamp in OWIN pipeline

问题描述

我将AutoFac设置为可在MVC 5中使用ASP.NET Identity.在表面上一切似乎都可以正常工作，即用户可以创建帐户并登录.但是随后我发现，在使用Security Stamp时用户不会注销.被改变了.要么是由于AspNetUsers表中的暴力破解，要么是用户更改了密码并希望在其他浏览器中注销.

I set up AutoFac to work with ASP.NET Identity in MVC 5. Everything seemed to work fine on surface, i.e. users could create accounts and log in. But then I discovered that the users do not get logged out when Security Stamp is changed. Either by brute force in AspNetUsers table or by users changing password and expecting to be logged out in other browser.

这是我通过遵循这篇非正式文章.

public void Configuration(IAppBuilder app)
{
    var builder = new ContainerBuilder();

    builder.RegisterType<ApplicationDbContext>().AsSelf().InstancePerRequest();
    builder.RegisterType<ApplicationUserStore>().As<IUserStore<ApplicationUser>>().InstancePerRequest();
    builder.RegisterType<ApplicationUserManager>().AsSelf().InstancePerRequest();
    builder.RegisterType<ApplicationSignInManager>().AsSelf().InstancePerRequest();
    builder.Register<IAuthenticationManager>(c => HttpContext.Current.GetOwinContext().Authentication).InstancePerRequest();
    builder.Register<IDataProtectionProvider>(c => app.GetDataProtectionProvider()).InstancePerRequest();

    builder.RegisterControllers(typeof(MvcApplication).Assembly);

    var container = builder.Build();

    DependencyResolver.SetResolver(new AutofacDependencyResolver(container));

    app.UseAutofacMiddleware(container);
    app.UseAutofacMvc();

    ConfigureAuth(app);
}

这是我设置Cookie身份验证中间件的方式.这是默认设置，但验证间隔的时间间隔较短.

This is how I set up the cookie authentication middleware. It's default except for validate interval shorter timespan.

public void ConfigureAuth(IAppBuilder app)
{
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromSeconds(15),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });            
}

如果我在 GenerateUserIdentityAsync 中设置了断点，则只有在用户首次登录时才会调用该断点.

If I set breakpoint in GenerateUserIdentityAsync then it gets called only when user logs in the first time.

推荐答案

安全标记验证程序需要ApplicationUserManager，它会尝试从OWIN上下文中解析实例(因为它并不知道更好).因此，您仍然需要向OWIN注册ApplicationUsreManager:

Security stamp validator needs ApplicationUserManager and it tries to resolve the instance from OWIN context (because it does not know any better). So you still need to register ApplicationUsreManager with OWIN:

app.CreatePerOwinContext(() => DependencyResolver.Current.GetService<ApplicationUserManager>());

这篇关于在MVC 5中具有ASP.NET Identity的Autofac无法验证OWIN管道中的安全标记的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！