如何让在ASP.NET多种验证方法？ [英] How to allow multiple authentication methods in ASP.NET?

问题描述

我建立一个新的ASP.NET MVC应用程序（在C＃），并要求之一是创建成员的一个新的数据库。对于这一点，我们需要角色来管理不同类型的成员和配置文件来管理连接到每个成员的其他元数据。到目前为止好，只需使用标准的MembershipProvider，RoleProvider和ProfileProvider提供的.NET Framework的一部分。

I'm building a new ASP.NET MVC application (in C#) and one of the requirements is to create a new database of members. For this, we'd need roles to manage the different types of members and profiles to manage the additional metadata attached to each member. So far so good, just use the standard MembershipProvider, RoleProvider and ProfileProvider provided as part of the .NET Framework.

不过，美中不足的是，我想允许不同的身份验证方法。我想帐户和登录凭据有一个一对多的关系（一个帐户可以有多个登录凭证附后​​）。 A为例的用户，可能既有OpenID和ActiveDirectory的帐户连接到他们的帐户。

However, the catch is that I'd like to allow different authentication methods. I'd like Accounts and Login Credentials to have a one-to-many relationship (one account can have a number of login credentials attached). A user for example, might have both an OpenID and ActiveDirectory account attached to their account.

然而，我们选择了的MembershipProvider路由的几种方法试验后（解释它是如何实现的，如下答案）。

However, after experimenting with a few ways we opted for the MembershipProvider route (explained how it was achieved as an answer below).

我的问题是，如何才有人这样做过，如何将人建议我的做法呢？这似乎是上相当数量的网站取得了一些成绩，但在这里搜索不返回任何固体玩左右。

My question is, how have people done this before and how would people suggest I approach it? It appears to be something that is achieved on quite a number of sites, yet a search on here doesn't return anything solid to play around with.

编辑：环顾小时通宵的大好时期，这早晨起床后 - 我仍然没有convincinced的屠宰单一的MembershipProvider将是最简单的选择。是否有多个MembershipProviders给予同样的效果呢？

After looking around for a good period of hours overnight and this morning - I'm still not convincinced that butchering a single MembershipProvider would have been the easiest option. Does having multiple MembershipProviders give the same effect?

BOUNTY编辑：由于没有反应，我假设没有更多的是一个我张贴作为一个答案最佳解决方案。这是真的吗？我提供赏金尝试，看看是否有人有这样的想法更多，以及是否有更好的选择。

BOUNTY With no responses, I am assuming that there is no more optimal solution that the one I posted as an answer. Is this really the case? I'm offering a bounty to try and see if anyone has any further thoughts on this and whether there are better alternatives.

BOUNTY接受编辑：我认为WIF是答案如下接受，对于.NET 4发布，也许其它的版本，因为它可能与3.5的作品。除此之外，也许屠杀的MembershipProvider或改装人们可能仍然是相关的。

BOUNTY ACCEPT I think that WIF is the answer as accepted below, for a .NET 4 release and maybe other versions as it probably works with 3.5. Other than that, maybe a butchered MembershipProvider or adapted one may still be relevant.

推荐答案

在我看来，这样的真正的方式是使用与联盟的 WIF （Windows标识基础，以前日内瓦框架）。

In my opinion, the "real way" of doing this is to use federation with WIF (Windows Identity Foundation, formerly Geneva framework).

的想法是，你分开的验证的距离的授权的。该认证是由所谓的STS（安全令牌服务）来执行并管理所有你想要支持的可能的登录机制。当用户已经被认证的STS发出包含权利要求书和用户的身份令牌。
此标记被发送到网站（称为在此术语依赖方），以及网站确定用户有权访问基于令牌中的权利要求中的网站的部分。 WIF同时提供了成员资格和角色提供程序提取令牌信息。

The idea is that you separate authentication from authorization. The authentication is performed by a so-called STS (Security Token Service) and it manages all the possible login mechanism that you want to support. When a user has been authenticated the STS issues a token containing a set of claims and the user's identity. This token is sent to the web site (called a relying party in this lingo), and the website determines which parts of the site the user has access to based on the claims in the token. WIF supplies both membership and role providers that extract information from token.

您可以阅读有关创建这里声称知道网站。

You can read about creating a claims aware website here.

这种方法的优点是身份验证和授权的关注点分离。你不需要在你的网站任何复杂的成员和roleproviders。此外，STS可以重复使用他们无需注册不止一次来验证用户身份到其他应用程序，你可能有（有效地实现单点登录）

One of the pros of this approach is the separation of concerns between authentication and authorization. You do not need any complex membership and roleproviders in your website. Furthermore the STS can be reused to authenticate users to other applications you might have without them having to register more than once (effectively achieving single sign-on)

缺点是，你将不得不花一些时间研究这些概念和编码您STS。你要知道，这是不难code。与WIF的STS，但它不是一个100％的简单的任务无论是。

The downside is that you will have to spend some time studying these concepts and coding your STS. Mind you, it is not hard to code an STS with WIF, but it is not a 100% trivial task either.

如果我已设法通过阅读<一胳肢你的兴趣，我建议你开始href=\"http://download.microsoft.com/download/7/D/0/7D0B5166-6A8A-418A-ADDD-95EE9B046994/WindowsIdentityFoundationWhitepaperForDevelopers-RTW.pdf\">this白皮书。

If I have managed to tickle your interest I would recommend that you start out by reading this whitepaper.

亲切的问候，

克劳斯

这篇关于如何让在ASP.NET多种验证方法？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！