控制器未加载.AspNetCore.Identity.Application用户cookie [英] Controller not loading .AspNetCore.Identity.Application user cookie

查看:387
本文介绍了控制器未加载.AspNetCore.Identity.Application用户cookie的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个简单的控制器,在用户登录后会被调用。我可以在身份服务器上看到该用户已登录。我还可以看到在浏览器中设置了.AspNetCore.Identity.Application cookie。

I have a simple controller which is called after the user logs in. I can see on my identity server that the user is logged in. I can also see that .AspNetCore.Identity.Application cookie is set in the browser.

登录后,使用以下命令将用户转发到此控制器

After login the user is forwarded to this controller using

RedirectToAction(nameof(Index), "Manage")

问题是控制器似乎没有被认证。我已经尝试过HttpContext.User和其他所有我认为控制器不能读取Cookie的东西

The problem is that the controller doesn't appear to be authenticated. I have tried HttpContext.User and everything else i can think the controller isn't reading the cookie

[Authorize]
[Route("[controller]/[action]")]
public class ManageController : Controller
{

    [HttpGet]
    [AllowAnonymous]
    public async Task<IActionResult> Index(ManageMessageId? message = null)
    {

      //  try to find user here.
    }
}

我发现有一项工作迫使它加载cookie

I have found a work around which forces it to load the cookie

var loadTheStupidCookie = await HttpContext.AuthenticateAsync(IdentityConstants.ApplicationScheme);
var user = await _userManager.GetUserAsync(loadTheStupidCookie.Principal);

这是可行的,但我认为必须将其加载到控制器的每个方法中,这太过致命了。控制器不能为我加载Cookie吗?

This works but I think its over kill to have to load it in every method in the controller. Shouldn't the controller be able to load the cookie for me?

从startup.cs

From startup.cs

 services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie(options =>
                {
                    options.LoginPath = new PathString("/Account/Login");
                    options.AccessDeniedPath = new PathString("/Account/Forbidden/");
                })
                .AddGoogle("Google", options =>
                {
                    options.AccessType = "offline";
                    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                    options.ClientId = "xxxxx.apps.googleusercontent.com";
                    options.ClientSecret = "XXXX";
                });

注意:删除[AllowAnonymous]使其完全无法工作,可能是因为它不能

Note: Removing [AllowAnonymous] causes it to not work at all probably due to the fact that it cant see the authentication.

推荐答案

使用 Authorize 属性时,它会将使用通过 AddAuthentication 配置的默认 AuthenticationScheme 。在您的示例中,看起来像这样:

When you use the Authorize attribute, it will use the default AuthenticationScheme configured using AddAuthentication. In your example, that looks like this:

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)

因为这是 CookieAuthenticationDefaults.AuthenticationScheme ( Cookies),授权属性在尝试登录用户时使用该属性。您的解决方法表明,您实际上要使用 IdentityConstants.ApplicationScheme ( Identity.Application)`。

Because this is CookieAuthenticationDefaults.AuthenticationScheme("Cookies"), the Authorize attribute is using that when attempting to sign the user in. Your workaround shows that you actually wanted to use IdentityConstants.ApplicationScheme("Identity.Application")` instead.

Authorize 属性可让您指定 AuthenticationScheme ( s)您要使用 AuthenticationSchemes 属性来使用,该属性如下所示:

The Authorize attribute allows you to specify the AuthenticationScheme(s) you want to use, using the AuthenticationSchemes property, which looks like this:

[Authorize(AuthenticationSchemes = "Identity.Application")]

事实证明您不能直接使用 IdentityConstants.ApplicationScheme ,因为这不是编译时常量。尽管可以显式使用字符串值,但是可以通过设置策略来获得编译时的安全性。请参见 docs 为例,了解如何执行此操作。

It turns out you can't use IdentityConstants.ApplicationScheme directly, as this is not a compile-time constant. Although you could use the string value explicitly, you can get the compile time safety by setting up a policy, for example. See the docs for an example on how to do that.

这篇关于控制器未加载.AspNetCore.Identity.Application用户cookie的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆