Multiple login pages for different claims

Question

Here is my situation.

To do some actions on the web site, the user should be authenticated. Different actions require different claims. For example, to make an order the user is authenticated by phone number only, to view the purchase history the user should be authenticated by phone number and password, and to change the phone number the user should be authenticated using two-factor authentication.

I create a login page for each of the authentication methods, and when the user is authenticated I give her a set of claims depending on the authentication method. I add [Authorize(Policy="CanCreateOrder")] to the CreateOrder action method. The policy has the logic for what claims are required to authorize the user. In case the user is not authorized, I want to redirect the user to the appropriate login page.

The question is how I could specify the URL where the user should be redirected for authentication?

Looking at CookieAuthenticationMiddleware, I could not see how to specify the login page depending on what claims are required. The documentation suggests setting the LoginPath property at configuration time, but in my case the login URL depends on what claims I need to authorize the user.

Recommended answer

You can use a different authentication scheme for each different claim:

// One cookie middleware per authentication method, each with its own login page.
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    AuthenticationScheme = "Phone",
    LoginPath = "<phone - path>",
    // ....
});

app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    AuthenticationScheme = "Password",
    LoginPath = "<password - path>",
    // ....
});

app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    AuthenticationScheme = "TwoFactor",
    LoginPath = "<twofactor - path>",
    // ....
});

Then use:

[Authorize(Policy="CanCreateOrder", ActiveAuthenticationSchemes = "Phone")]

Also you can use multiple schemes:

[Authorize(Policy="CanCreateOrder", ActiveAuthenticationSchemes = "Phone,TwoFactor")]

See https://docs.asp.net/en/latest/security/authorization/limitingidentitybyscheme.html
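
An added example, not part of the original answer: one way to wire the three schemes to policies and to issue the matching cookies at login, using the ASP.NET Core 1.x API the answer uses. The class and helper names, the "auth_method" claim type, and the CanViewHistory and CanChangePhone policy names are assumptions; the schemes are bound in the policy rather than on the attribute.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class StepUpAuth
{
    // Hypothetical claim type recording how the user proved their identity.
    public const string MethodClaim = "auth_method";
    // Scheme names from the answer, ordered weakest to strongest.
    private static readonly string[] Schemes = { "Phone", "Password", "TwoFactor" };

    // Call from Startup.ConfigureServices. Each policy evaluates only the
    // identity carried by its own cookie scheme, so a user without that cookie
    // is challenged on that scheme and sent to that scheme's LoginPath.
    public static void AddStepUpPolicies(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy("CanCreateOrder", p => p.AddAuthenticationSchemes("Phone").RequireClaim(MethodClaim, "Phone"));
            options.AddPolicy("CanViewHistory", p => p.AddAuthenticationSchemes("Password").RequireClaim(MethodClaim, "Password"));
            options.AddPolicy("CanChangePhone", p => p.AddAuthenticationSchemes("TwoFactor").RequireClaim(MethodClaim, "TwoFactor"));
        });
    }

    // Call from a login action after the credentials for `level` are verified.
    // Issues the cookie for that level and every weaker one, so a two-factor
    // login also satisfies CanCreateOrder and CanViewHistory.
    public static async Task SignInAtLevelAsync(HttpContext http, string userId, string level)
    {
        int top = Array.IndexOf(Schemes, level);
        if (top < 0) throw new ArgumentException("unknown scheme", nameof(level));
        for (int i = 0; i <= top; i++)
        {
            var id = new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, userId),
                                                new Claim(MethodClaim, Schemes[i]) }, Schemes[i]);
            await http.Authentication.SignInAsync(Schemes[i], new ClaimsPrincipal(id));
        }
    }

    // Sign-out has to clear every scheme's cookie, not only the strongest one.
    public static async Task SignOutAllAsync(HttpContext http)
    {
        foreach (var scheme in Schemes) await http.Authentication.SignOutAsync(scheme);
    }
}
```

With the scheme named in the policy, [Authorize(Policy="CanCreateOrder")] on the action is enough.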
