Identity Server 4注册后自动登录 [英] Identity Server 4 Auto Login After Registration
问题描述
我希望在注册到MVC应用程序后自动记录用户(现在不需要电子邮件验证),我遵循了此示例的IdSrv3并编辑了一些部分:
I want the user to be auto logged after registration to the MVC app (email verification is not needed now), I have followed this sample for IdSrv3 and edited some parts:
http://benfoster.io/blog/identity-server -post-registration-Sign-in
这是我的设置:
MVC:
public class AuthController : Controller
{
[HttpGet]
[AllowAnonymous]
public async Task LogIn()
{
var properties = new AuthenticationProperties
{
RedirectUri = Url.Action("index", "home", HttpContext.Request.GetUri().Scheme)
};
await HttpContext.Authentication.ChallengeAsync(properties);
}
[HttpGet]
[AllowAnonymous]
public IActionResult Register()
{
var returnUrl = $"http://localhost:5002/auth/login";
return Redirect($"http://localhost:5000/Account/Register?returnUrl={returnUrl}");
}
}
使用ASp.Net Core身份的Identity Server 4
Identity Server 4 using ASp.Net Core Identity
[Authorize]
public class AccountController : Controller
{
//
// GET: /Account/Register
[HttpGet]
[AllowAnonymous]
public IActionResult Register(string returnUrl = null)
{
ViewData["ReturnUrl"] = returnUrl;
return View();
}
//
// POST: /Account/Register
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Register(RegisterViewModel model, string returnUrl = null)
{
ViewData["ReturnUrl"] = returnUrl;
if (ModelState.IsValid)
{
var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
var result = await _userManager.CreateAsync(user, model.Password);
if (result.Succeeded)
{
var otac = user.GenerateOTAC(TimeSpan.FromMinutes(1));
await _userManager.UpdateAsync(user);
await _signInManager.SignInAsync(user, isPersistent: false);
_logger.LogInformation(3, "User created a new account with password.");
if (string.IsNullOrEmpty(returnUrl))
{
return RedirectToAction(nameof(HomeController.Index), "Home");
}
else
{
return Redirect(returnUrl);
}
}
AddErrors(result);
}
// If we got this far, something failed, redisplay form
return View(model);
}
}
由于该示例显示IdSrv 4中不再存在用户服务,因此我无法实现OTAC握手.
I could not implement the OTAC handshake as the sample shows becaus there is no User Service any more in IdSrv 4.
该方案的工作原理如下:
The scenario works as follows:
1-用户单击MVC应用程序中的注册",将重定向到IdSrv帐户->注册,并通过MVC身份验证->登录作为返回URI. 2-用户在IdSrv中完成注册后,将执行另一个重定向以返回到MVC身份验证->登录. 3-MVC身份验证->登录创建了一个挑战,由于用户已经在使用cookie的注册过程中登录,因此身份验证cookie被合并(根据IdSrv日志),并且没有登录屏幕出现,现在用户登录并登陆到MVC应用.
1 - User clicks 'Register' in MVC app whish redirects to the IdSrv Account->Register passing the MVC Auth->login as a return URI. 2 - After the user completed the registration in IdSrv another redirect executes to return back to the MVC Auth->Login. 3 - The MVC Auth->Login creates a challenge and since the user is already signed in in the registration process using the cookie, the authentication cookie gets merged (as per the IdSrv log), and there is no login screen appears and now the user is logged in and landed to the MVC app.
此设置是否有安全性缺陷?是否有任何方法可以在IdSrv4中实现OTAC握手?
Does this setup have any secutity flaw?, is there any way I can implement the OTAC handshake in IdSrv4?
谢谢
推荐答案
在您的情况下,这可能可行
In your case maybe this could work
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Register(RegisterViewModel model, string returnUrl = null)
{
ViewData["ReturnUrl"] = returnUrl;
if (ModelState.IsValid)
{
var user = new ApplicationUser { UserName = model.Email, Email = model.Email
var result = await _userManager.CreateAsync(user, model.Password);
if (result.Succeeded)
{
await _signInManager.SignInAsync(user, isPersistent: false);
return LocalRedirect(returnUrl);
}
AddErrors(result);
}
// If we got this far, something failed, redisplay form
return View(model);
}
这篇关于Identity Server 4注册后自动登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
