Support "two account" login when implementing IProfileService


Problem description

We are attempting to integrate IdentityServer4 in facilities where we want to combine two login accounts (not 2FA in the traditional sense). Users would be pre-logged-in to Windows "service" accounts on computers fixed to a physical location in the building. They would be auto-authenticated to IS4 with the service account per IS4 Windows Authentication. Then, users would logon with their personal Active Directory credentials in the web app form (like the IS4 quickstart logon form). This would provide us the ability to grant more granular permissions based on the identity and location of the user.

We are trying to implement IProfileService to call an internal API that expects both account IDs. The claims we issue from the response of that internal API in GetProfileDataAsync() should be a result of the overlapping permissions of the two accounts. IsUserActiveAsync() should validate that both the service account and the user account are active.

How can we gain access to both account IDs from within our implementation of IProfileService? The sub-parameter of type ClaimsPrincipal passed to the IProfileService methods seems to only support a single account. Is this type of environment supported by IS4 out-of-the-box, or would this require some customization?

Recommended answer

The solution we landed on was modifying the login flow to perform a transparent Windows authentication immediately followed by a username/password authentication. We cached the username for the Windows authentication in a custom claim during the username/password authentication so that both the service account and the user account would be accessible in the Principal in IProfileService.
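The approach in the answer, sketched as an added C# example (not the asker's code and not IdentityServer4's own): the login controller attaches the Windows account name as an additional claim when it signs the user in, and the profile service then reads both the `sub` claim and that custom claim from the principal it receives. The claim type `svc_account`, the `IPermissionApi` interface standing in for the internal API, and the `"Windows"` scheme name are assumptions; the `HttpContext.SignInAsync(IdentityServerUser, AuthenticationProperties)` overload and `IdentityServerUser.AdditionalClaims` are assumed to be those of IdentityServer4 v3 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;

// Assumed claim type carrying the Windows service-account name captured at login.
public static class TwoAccountClaims
{
    public const string ServiceAccount = "svc_account"; // assumption, not an IS4-defined claim type
}

// Hypothetical wrapper around the internal API mentioned in the question.
public interface IPermissionApi
{
    Task<IReadOnlyList<Claim>> GetEffectiveClaimsAsync(string serviceAccount, string userId);
    Task<bool> IsServiceAccountActiveAsync(string serviceAccount);
    Task<bool> IsUserActiveAsync(string userId);
}

public class TwoAccountProfileService : IProfileService
{
    private readonly IPermissionApi _api;
    public TwoAccountProfileService(IPermissionApi api) => _api = api;

    // Pull both identifiers from the principal IS4 hands us; fail closed if either is missing.
    private static bool TryGetAccounts(ClaimsPrincipal subject, out string serviceAccount, out string userId)
    {
        userId = subject.FindFirst("sub")?.Value;   // set from IdentityServerUser.SubjectId at login
        serviceAccount = subject.FindFirst(TwoAccountClaims.ServiceAccount)?.Value;
        return !string.IsNullOrEmpty(userId) && !string.IsNullOrEmpty(serviceAccount);
    }

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        if (!TryGetAccounts(context.Subject, out var svc, out var user))
            return; // no claims are issued when one of the two identities is absent

        var effective = await _api.GetEffectiveClaimsAsync(svc, user);
        // Release only the claim types the client/scope actually requested.
        context.AddRequestedClaims(effective);
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = false; // default to inactive
        if (!TryGetAccounts(context.Subject, out var svc, out var user))
            return;
        context.IsActive = await _api.IsServiceAccountActiveAsync(svc)
                        && await _api.IsUserActiveAsync(user);
    }
}

// Login side: called from the quickstart AccountController's Login POST after the user's
// AD credentials have been validated. Requires the transparent Windows authentication to
// have succeeded first, then records its account name alongside the user's subject id.
public static class TwoAccountSignIn
{
    public static async Task SignInBothAsync(HttpContext http, string userId, string displayName,
                                             AuthenticationProperties props)
    {
        // Assumes Windows authentication is registered under the scheme name "Windows"
        // (the quickstart exposes it as AccountOptions.WindowsAuthenticationSchemeName).
        var win = await http.AuthenticateAsync("Windows");
        if (!win.Succeeded || string.IsNullOrEmpty(win.Principal?.Identity?.Name))
            throw new InvalidOperationException("Windows service-account authentication must precede user login.");

        var isuser = new IdentityServerUser(userId)
        {
            DisplayName = displayName,
            AdditionalClaims = { new Claim(TwoAccountClaims.ServiceAccount, win.Principal.Identity.Name) }
        };
        await http.SignInAsync(isuser, props);
    }
}
```

The service-account claim is written by the server during sign-in, never taken from form input, so the profile service can treat it as authoritative; both `GetProfileDataAsync` and `IsActiveAsync` fail closed when either identifier is absent from the principal.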
