将dotnet core 2 web-api中的Azure-AD与本地用户数据库结合起来 [英] Combine Azure-AD with local user database in dotnet core 2 web-api
问题描述
我正在创建一个.net-core2 Web-api,允许来自Azure-AD的用户使用它.该API是多租户的,因此来自多个Azure-AD的用户应该能够进行授权.
I am creating a .net-core2 web-api, which allows users from an Azure-AD to consume it. The API is multi-tenant, so users from multiple Azure-AD's should be able to authorize.
但是,也可以为没有公司Azure-AD帐户的用户创建一个帐户.这些用户存储在数据库中(本地用户).
However, it is also possible to create an account for users who do not have a corporate Azure-AD account. These users are stored in a database (local users).
因为它是一个Web-api,所以我实现了一个自定义令牌提供程序,以便本地用户可以获取令牌来使用受保护的Web-api.
Because it is a web-api, I implemented a custom token provider, so that the local users can get a token to consume the protected web-api.
但是,我无法将两个单独的承载者"身份验证添加到Web-api:
However, I cannot add two separate 'Bearer' authentications to the web-api:
services.AddAuthentication(options =>
{
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddAzureAdBearer(options => Configuration.Bind("AzureAd", options))
.AddJwtBearer(options => new JwtBearerOptions {
TokenValidationParameters = tokenValidationParameters
});
这会引发错误:
System.InvalidOperationException:方案已经存在:Bearer
System.InvalidOperationException: Scheme already exists: Bearer
我完全了解.但是如何并行实现两种身份验证机制?
Which I totally understand. But how I can implement both authentication mechanisms in parallel?
推荐答案
您必须指定其他标识符.两者目前都在使用承载者"标识符.
You have to specify a different identifier. Both are using the "Bearer" identifier at the moment.
例如,您可以通过以下方式为JWT Bearer指定不同的名称:
For example, you can specify a different one for JWT Bearer by:
.AddJwtBearer("CustomJwt", options => { });
这解决了标识符冲突的问题,但是为了同时支持两种身份验证方案,您将需要进行其他修改.
This solves the issue with the identifier clash, but in order to support two authentication schemes in parallel, you will need to do additional modifications.
David Fowler提出了2.0中的一种方法: https://github.com/aspnet/Security/issues/1469
One way in 2.0 is something suggested by David Fowler: https://github.com/aspnet/Security/issues/1469
app.UseAuthentication();
app.Use(async (context, next) =>
{
// Write some code that determines the scheme based on the incoming request
var scheme = GetSchemeForRequest(context);
var result = await context.AuthenticateAsync(scheme);
if (result.Succeeded)
{
context.User = result.Principal;
}
await next();
});
如果您在点击中间件时上下文中没有用户,则可以使用所有Bearer(Azure AD)方案.
In your case you could all the Bearer (Azure AD) scheme if there is no user on the context when you hit the middleware.
在ASP.NET Core 2.1中,我们将获得虚拟身份验证方案",该方案以更一流的方式允许这种情况:
In ASP.NET Core 2.1 we will get "virtual authentication schemes", which allow this scenario in a more first-class way: https://github.com/aspnet/Security/pull/1550
这篇关于将dotnet core 2 web-api中的Azure-AD与本地用户数据库结合起来的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!