根据Active Directory对用户进行身份验证时,存储ASP.NET Core授权声明的最佳实践? [英] Best practice for storing ASP.NET Core Authorization claims when authenticating users against Active Directory?
问题描述
我正在创建企业Intranet ASP.NET Core MVC应用程序.我希望我的用户使用Active Directory进行身份验证,并且希望将用户授权(声明)存储在 ApplicationDbContext 中.
I am creating an enterprise intranet ASP.NET Core MVC application. I want my users to authenticate using Active Directory and I want user authorizations (claims) stored in ApplicationDbContext.
我假设我需要使用 Microsoft.AspNetCore.Identity 和 Microsoft.AspNetCore.Identity.EntityFrameworkCore 来实现我的目标.针对Active Directory进行身份验证时,存储ASP.NET Core授权声明的最佳实践是什么?
I assume that I need to use Microsoft.AspNetCore.Identity and Microsoft.AspNetCore.Identity.EntityFrameworkCore to accomplish my goals. What is the best practice for storing ASP.NET Core Authorization claims when authenticating against Active Directory?
以下代码将使我能够从管道内部访问当前的Windows用户安全上下文(当前已登录的用户).我是否需要以某种方式将具有关联的 Microsoft.AspNetCore.Identity 声明的用户映射?
The following code will give me access to the current windows user security context (current logged in user), from within the pipeline. Somehow I need to map the user with associated Microsoft.AspNetCore.Identity claims?
app.Use(async (context, next) =>
{
var identity = (ClaimsIdentity) context.User.Identity;
await next.Invoke();
});
提前感谢您的帮助!
推荐答案
我认为没有最佳实践,但是您有很多选择.也许您可以详细说明您要实现的目标?这里有一些指针可以帮助您解决其中的一些问题.只是一个问题...您将使用什么身份对幕后的AD进行身份验证?如果您使用 IdentityServer 或类似的方法,那么我建议您选择方法4.
I don't think there is a best practice around this, but you do have many options. Perhaps you could elaborate a little on what you're trying to achieve? Here's a few pointers that may help you sort some of this out. Just a question...what are you using to authenticate against AD under the hood? If you use IdentityServer or something similar then I would recommend leaning towards option 4.
首先,声明只是键值对.这意味着您可以创建一个结构,例如:
First off, claims are simply key-value pairs. This means that you could create a structure such as:
public class UserClaim
{
public string UserName {get; set;}
public string Key {get; set;}
public string Value {get; set;}
}
这将使您可以将声明存储在ApplicationUser类中.
This would allow you to store the claims in your ApplicationUser class.
更好的是,您可以通过将UserManager<ApplicationUser> userManager注入要添加用户声明的类中,从而利用内置的身份组件,然后使用适当的值调用AddClaim().由于Core中具有DI系统,因此您可以在运行时将激活的任何类中自由执行此操作.
Better yet, you could leverage the built in identity components by injecting a UserManager<ApplicationUser> userManager into the class where you wish to add the user claims, and then call AddClaim() with the appropriate values. Because of the DI system in Core, you're free to do this in any class that will be activated by the runtime.
另一种方法是使用UserName属性扩展UserClaim类,然后使用原理的唯一标识符(User.Identity.Name).然后,您可以将其存储在ApplicationDbContext中的DbSet<UserClaim>中,并按用户名获取声明.
An other approach would be to augment the UserClaim class with a UserName property, then use the unique identifier of the principle (User.Identity.Name). Then you could store that in a DbSet<UserClaim> in your ApplicationDbContext and fetch the claims by user name.
如果您只需要访问声明而不存储它们(我不确定您的意图是出于什么目的),那么最好是访问User属性(如果您在控制器中),前提是您使用的认证服务可以正确充实声明.
If you just need to access the claims, and not store them (I'm not sure of your intentions from your question) then you might be best just to access the User property if you're in a controller, provided you're using an authentication service that hydrates the claims correctly.
User装饰着属于已登录您应用程序的用户的声明,并且在每个控制器上都可用.
The User is decorated with the claims that belong to the user that signed in to your app and is available on every controller.
否则,您可以获取ClaimsPrinciple并以这种方式访问用户的声明.在这种情况下(在控制器外部),您要做的是将IHttpContextAccessor accessor添加到类的构造函数中,并导航到HttpContextAccessor.HttpContext.User属性,该属性还是ClaimsPrinciple.
You can otherwise obtain the ClaimsPrinciple and access the claims of the user in that manner. In that case (outside of a controller) what you would do is to add an IHttpContextAccessor accessor to the constructor of your class and navigate to the HttpContextAccessor.HttpContext.User property, which is again a ClaimsPrinciple.
这篇关于根据Active Directory对用户进行身份验证时,存储ASP.NET Core授权声明的最佳实践?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
