将dotnet core 2 web-api中的Azure-AD与本地用户数据库结合起来 [英] Combine Azure-AD with local user database in dotnet core 2 web-api

问题描述

我正在创建一个.net-core2 Web-api，允许来自Azure-AD的用户使用它.该API是多租户的，因此来自多个Azure-AD的用户应该能够进行授权.

I am creating a .net-core2 web-api, which allows users from an Azure-AD to consume it. The API is multi-tenant, so users from multiple Azure-AD's should be able to authorize.

但是，也可以为没有公司Azure-AD帐户的用户创建一个帐户.这些用户存储在数据库中(本地用户).

However, it is also possible to create an account for users who do not have a corporate Azure-AD account. These users are stored in a database (local users).

因为它是一个Web-api，所以我实现了一个自定义令牌提供程序，以便本地用户可以获取令牌来使用受保护的Web-api.

Because it is a web-api, I implemented a custom token provider, so that the local users can get a token to consume the protected web-api.

但是，我无法将两个单独的承载者"身份验证添加到Web-api:

However, I cannot add two separate 'Bearer' authentications to the web-api:

services.AddAuthentication(options =>
{
    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddAzureAdBearer(options => Configuration.Bind("AzureAd", options))
.AddJwtBearer(options => new JwtBearerOptions {
     TokenValidationParameters = tokenValidationParameters  
 });

这会引发错误:

System.InvalidOperationException:方案已经存在:Bearer

System.InvalidOperationException: Scheme already exists: Bearer

我完全了解.但是如何并行实现两种身份验证机制?

Which I totally understand. But how I can implement both authentication mechanisms in parallel?

推荐答案

您必须指定其他标识符.两者目前都在使用承载者"标识符.

You have to specify a different identifier. Both are using the "Bearer" identifier at the moment.

例如，您可以通过以下方式为JWT Bearer指定不同的名称:

For example, you can specify a different one for JWT Bearer by:

.AddJwtBearer("CustomJwt", options => { });

这解决了标识符冲突的问题，但是为了同时支持两种身份验证方案，您将需要进行其他修改.

This solves the issue with the identifier clash, but in order to support two authentication schemes in parallel, you will need to do additional modifications.

David Fowler提出了2.0中的一种方法: https://github.com/aspnet/Security/issues/1469

One way in 2.0 is something suggested by David Fowler: https://github.com/aspnet/Security/issues/1469

app.UseAuthentication();

app.Use(async (context, next) =>
{
    // Write some code that determines the scheme based on the incoming request
    var scheme = GetSchemeForRequest(context);
    var result = await context.AuthenticateAsync(scheme);
    if (result.Succeeded)
    {
        context.User = result.Principal;
    }
    await next();
});

如果您在点击中间件时上下文中没有用户，则可以使用所有Bearer(Azure AD)方案.

In your case you could all the Bearer (Azure AD) scheme if there is no user on the context when you hit the middleware.

在ASP.NET Core 2.1中，我们将获得虚拟身份验证方案"，该方案以更一流的方式允许这种情况:

In ASP.NET Core 2.1 we will get "virtual authentication schemes", which allow this scenario in a more first-class way: https://github.com/aspnet/Security/pull/1550

这篇关于将dotnet core 2 web-api中的Azure-AD与本地用户数据库结合起来的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！