How to re-login a user silently using IdentityServer4 authentication


Problem description

We have solution based on 3rd party ABP framework and its multi-layer architecture:

We are using Angular as a web face and IdentityServer4 for user authentication. So, we are running 2 hosts - HTTP API host and IdentityServer host and as to web face - it works in a standard way: login box, user enters credentials - voila.

However, we have a custom setup allowing the same login name under different tenants. The tenant list is displayed as a dropdown in the UI and we would like to re-login the user with the selected tenant instead of the one currently logged in. It needs to look like a simple page reload. The problem is that I don't have a clear understanding of how to implement this. I've tried to use the following call from the application layer, but it does not work (the error is "No authentication handler is registered for the scheme 'Identity.Application'...", and I don't know how to set up the authentication configuration on the application layer so that it works with our IdentityServer):

    [HttpGet]
    public async Task<TenantDto> SwitchTenantForCurrentUser(Guid? tenantId)
    {
        var abxUser = await _abxUserRepository.FirstOrDefaultAsync(x => x.Login == CurrentUser.UserName && x.Tenant.AbpId == tenantId);

        if (abxUser == null)
            return null;

        using var _ = _abpCurrentTenant.Change(tenantId);

        var currentTenant = await _abxTenantRepository.FirstOrDefaultAsync(x => x.AbpId == _abpCurrentTenant.Id.Value);
        var identityUser = await _identityUserRepository.FindByNormalizedUserNameAsync(abxUser.Login.ToUpper());

        if (await _signInManager.CanSignInAsync(identityUser))
        {
            // Both calls fail in the HTTP API host with
            // "No authentication handler is registered for the scheme 'Identity.Application'":
            // the host only registers the "Bearer" scheme (see configuration below),
            // so there is no cookie scheme for SignInManager to write to.
            await _signInManager.SignOutAsync();
            await _signInManager.SignInAsync(identityUser, true);
        }

        return ObjectMapper.Map<Tenant, TenantDto>(currentTenant); // Not decided yet what to return, it depends on proper implementation
    }

Configuration part from Http API host as to authentication:

    private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration)
    {
        context.Services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = configuration["AuthServer:Authority"];
                options.RequireHttpsMetadata = true;
                options.ApiName = "CentralTools";
                options.JwtBackChannelHandler = new HttpClientHandler
                {
                    //TODO: use valid certificate in future and change the logic
                    ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
                };
            });

        context.Services.AddAbpIdentity().AddDefaultTokenProviders();
    }

Recommended answer

Done. The steps:

  1. BACK-END: implement & register custom grant type validator in IdentityServer project:

SwitchToTenantGrantValidator : IdentityServer4.Validation.IExtensionGrantValidator

In short, ValidateAsync accepts the data of the authenticated user (their access token, tenant ID, etc.) and decides whether the user is to be let in. The method writes the target tenant's data into the context result object;

  2. FRONT-END: make a call to IdentityServer with the given custom grant type, supplying the data required for (1). We use Angular, so I had to extend OAuthService to support a custom grant type request;

  3. Bring everything in order (if (2) was successful) to display the correct data in the UI: clean old state, etc.
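The following is an added example of the back-end half of the answer (step 1 and the client registration it implies); it is not the question's or the answer's own code and is written against the public IdentityServer4 API (`IExtensionGrantValidator`, `ITokenValidator`, `GrantValidationResult`, `AddExtensionGrantValidator`). Everything application-specific is an assumption: the grant type name `switch_tenant`, the form parameters `token` and `tenant_id`, the `ITenantMembershipStore` service (which in the real project would be backed by the ABP repositories from the question), the `tenant_id` claim name, the client id `angular-spa`, and that the login name is carried in `preferred_username`. The scope name `CentralTools` is taken from the `ApiName` in the question's API host configuration. The security-relevant part is steps 1 and 3 inside `ValidateAsync`: the incoming access token is cryptographically validated rather than merely decoded, and the caller is only issued a token for a tenant that its login actually belongs to; without that membership check any authenticated user could mint tokens for any tenant.

```csharp
// Added example, not the question's or answer's own code.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.Extensions.DependencyInjection;

// ASSUMPTION: an application service backed by the question's ABP repositories that
// returns the identity user id of `login` inside `tenantId`, or null when that
// login does not exist in the tenant.
public interface ITenantMembershipStore
{
    Task<string> FindUserIdInTenantAsync(string login, Guid tenantId);
}

public class SwitchToTenantGrantValidator : IExtensionGrantValidator
{
    public const string GrantTypeName = "switch_tenant";   // ASSUMPTION: grant type name
    private const string ApiScope = "CentralTools";        // ApiName from the question's API host

    private readonly ITokenValidator _tokenValidator;
    private readonly ITenantMembershipStore _membership;

    public SwitchToTenantGrantValidator(ITokenValidator tokenValidator, ITenantMembershipStore membership)
    {
        _tokenValidator = tokenValidator;
        _membership = membership;
    }

    public string GrantType => GrantTypeName;

    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        // ASSUMPTION: form parameters are named `token` and `tenant_id`.
        var currentToken = context.Request.Raw.Get("token");
        if (string.IsNullOrEmpty(currentToken) || !Guid.TryParse(context.Request.Raw.Get("tenant_id"), out var tenantId))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest, "token and tenant_id are required");
            return;
        }

        // 1. Verify signature, lifetime and issuer of the caller's current access token
        //    and require it to carry our API scope. Never read the user identity out
        //    of an unvalidated JWT.
        var validation = await _tokenValidator.ValidateAccessTokenAsync(currentToken, ApiScope);
        if (validation.IsError)
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "current token is not valid");
            return;
        }

        // 2. The login name travels in preferred_username (ASSUMPTION), falling back to name.
        var login = validation.Claims.FirstOrDefault(c => c.Type == JwtClaimTypes.PreferredUserName)?.Value
                    ?? validation.Claims.FirstOrDefault(c => c.Type == JwtClaimTypes.Name)?.Value;
        if (string.IsNullOrEmpty(login))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "token carries no login name");
            return;
        }

        // 3. Authorization: the same login must exist in the target tenant. Without
        //    this check any authenticated user could mint tokens for any tenant.
        var targetUserId = await _membership.FindUserIdInTenantAsync(login, tenantId);
        if (targetUserId == null)
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "login is not a member of the requested tenant");
            return;
        }

        // 4. Succeed with the target tenant's user id as the subject. The claim name
        //    `tenant_id` is an ASSUMPTION; use whatever the API host's current-tenant
        //    resolver reads.
        var claims = new List<Claim>
        {
            new Claim("tenant_id", tenantId.ToString()),
            new Claim(JwtClaimTypes.PreferredUserName, login),
        };
        context.Result = new GrantValidationResult(targetUserId, GrantType, claims);
    }
}

public static class SwitchTenantRegistration
{
    // In the IdentityServer host: services.AddIdentityServer(...).AddSwitchTenantGrant();
    public static IIdentityServerBuilder AddSwitchTenantGrant(this IIdentityServerBuilder builder)
        => builder.AddExtensionGrantValidator<SwitchToTenantGrantValidator>();

    // The SPA client must list the grant explicitly; IdentityServer rejects the
    // request before ValidateAsync runs otherwise. The client id is an ASSUMPTION.
    public static Client AngularClient() => new Client
    {
        ClientId = "angular-spa",
        RequireClientSecret = false,   // public browser client: the validator is the only gate
        RequirePkce = true,
        AllowedGrantTypes = new[] { GrantType.AuthorizationCode, SwitchToTenantGrantValidator.GrantTypeName },
        AllowedScopes = { "openid", "profile", "CentralTools" },
    };
}
```

With this in place, step 2 on the front end is a plain form-encoded POST to the IdentityServer token endpoint (`/connect/token`) with `grant_type=switch_tenant`, `client_id=angular-spa`, `scope=openid profile CentralTools`, `token=<current access token>` and `tenant_id=<target tenant GUID>`; the response is a standard token response, and step 3 amounts to replacing the stored access token with the new one and discarding any tenant-scoped cached state. Two caveats: the old JWT stays valid until it expires (use a short lifetime or reference tokens if that matters), and if a profile service enriches tokens it now runs for the target tenant's user id, so it must resolve that user under the target tenant. Separately, the `DangerousAcceptAnyServerCertificateValidator` in the question's API host disables TLS validation for the back channel that fetches the discovery document and signing keys, so anyone on the path could substitute keys and forge tokens the API accepts; that TODO should be resolved before a grant like this goes to production.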
