在不同的域登录页面 [英] Login page on different domain
问题描述
我是完全新的OWIN认证,我一定是误解一切是如何工作的,但我不能找到这个提及任何地方。
我要的是能够使用中央域进行身份验证。如果有人试图访问 apps.domain.com 未通过身份验证的时候,他们将被重定向到 accounts.domain.com/login ,使所有的认证被分离到它自己的域和应用程序。这是很容易与MVC 4窗体身份验证,您可以指定一个完整的URL,但似乎并没有要与OWIN。
在 Startup.Auth.cs :
app.UseCookieAuthentication(新CookieAuthenticationOptions
{
LOGINPATH =新PathString(/帐号/登录)
}
这很容易设置与 CookieDomain 选项饼干时指定的域。但是,当您指定重定向到登录路径,它必须是相对于当前的应用程序,让我怎么去实现MVC中的哪是那么容易4窗体身份验证?
没有得到太多的深成什么OWIN验证是一回事,我找不到任何一个几个小时的搜索后,解决该问题。
公共类启动{
公共无效配置(IAppBuilder应用程序){
app.UseCookieAuthentication(新CookieAuthenticationOptions {
AuthenticationMode = AuthenticationMode.Active,
LOGINPATH =新PathString(/帐号/登录),
LogoutPath =新PathString(/帐号/注销),
供应商=新CookieAuthenticationProvider {OnApplyRedirect = ApplyRedirect},
});
} 私有静态无效ApplyRedirect(CookieApplyRedirectContext上下文){
乌里绝对URI;
如果(Uri.TryCreate(context.RedirectUri,UriKind.Absolute,出绝对URI)){
VAR路径= PathString.FromUriComponent(绝对URI);
如果(路径== context.OwinContext.Request.PathBase + context.Options.LoginPath)
context.RedirectUri =http://accounts.domain.com/login+
新的查询字符串(
context.Options.ReturnUrlParameter,
context.Request.Uri.AbsoluteUri);
} context.Response.Redirect(context.RedirectUri);
}
}
如果apps.domain.com是唯一返回URL基地可能的话,你应该认真考虑更换 context.Request.Uri.AbsoluteUri 与背景.Request.PathBase + context.Request.Path + context.Request.QueryString 和验证服务器建立绝对回报的网址,以保护您的应用中辱骂重定向。
希望这有助于;)
修改:你可能会问自己,我为什么不使用 context.RedirectUri 属性直接应用重定向。事实上, ICookieAuthenticationProvider.ApplyRedirect 负责多个重定向,对应的登录和注销流程(是的,我知道,它打破了单一职责原则.. )。但是,还有更糟糕的: context.RedirectUri 既可以重新present在登录流量或最终的浏览器的目标(即年初验证端点的绝对URL。真正的相对返回URL)时有效地发送该cookie回浏览器...这就是为什么我们需要确保 context.RedirectUri 是绝对的对应已注册的 context.Options.LoginPath 。
I am completely new to OWIN authentication, and I must be misunderstanding how everything works, but I can't find this mentioned anywhere.
All I want is to be able to use a central domain for authentication. If someone tries to access apps.domain.com when not authenticated, they will be redirected to accounts.domain.com/login so that all the authentication is separated into it's own domain and application. This was very easy with MVC 4 forms authentication where you can specify a full URL, but doesn't seem to be with OWIN.
In Startup.Auth.cs:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
LoginPath = new PathString("/account/login")
}
It's easy to specify the domain when setting the cookie with the CookieDomain option. However, when you specify the login path to redirect to, it has to be relative to the current application, so how do I go about accomplishing what was so easy in MVC 4 forms authentication?
Without getting too deep into what OWIN authentication is all about, I could not find anything addressing this after a couple hours of searching.
public class Startup {
public void Configuration(IAppBuilder app) {
app.UseCookieAuthentication(new CookieAuthenticationOptions {
AuthenticationMode = AuthenticationMode.Active,
LoginPath = new PathString("/account/login"),
LogoutPath = new PathString("/account/logout"),
Provider = new CookieAuthenticationProvider { OnApplyRedirect = ApplyRedirect },
});
}
private static void ApplyRedirect(CookieApplyRedirectContext context) {
Uri absoluteUri;
if (Uri.TryCreate(context.RedirectUri, UriKind.Absolute, out absoluteUri)) {
var path = PathString.FromUriComponent(absoluteUri);
if (path == context.OwinContext.Request.PathBase + context.Options.LoginPath)
context.RedirectUri = "http://accounts.domain.com/login" +
new QueryString(
context.Options.ReturnUrlParameter,
context.Request.Uri.AbsoluteUri);
}
context.Response.Redirect(context.RedirectUri);
}
}
If apps.domain.com is the only return URL base possible, you should strongly consider replacing context.Request.Uri.AbsoluteUri with context.Request.PathBase + context.Request.Path + context.Request.QueryString and build an absolute return URL in your authentication server to protect your apps from abusive redirects.
Hope this helps ;)
EDIT: you might ask yourself why I don't directly apply the redirect using the context.RedirectUri property. In fact, ICookieAuthenticationProvider.ApplyRedirect is responsible of multiple redirects, corresponding to the log-in and log-out flows (yep, I know, it breaks the single responsibility principle...). But there's even worse: context.RedirectUri can either represent the authentication endpoint's absolute URL in the beginning of the log-in flow or the final browser's destination (ie. the real relative "return URL") when the cookie is effectively being sent back to the browser... that's why we need to make sure that context.RedirectUri is absolute and corresponds to the registered context.Options.LoginPath.
这篇关于在不同的域登录页面的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
