.Net Core WindowsIdentity 模拟似乎不起作用 [英] .Net Core WindowsIdentity impersonation does not seem to be working

问题描述

我有以下代码:

var baseUrl = "https://" + GetIdentityProviderHost(environment) + "/oauth2/authorize";
var query = $"?scope=openid&response_type=code&redirect_uri={redirectUrl}&client_id={clientId}";
var combinedUrl = baseUrl + query;

var currentUser = WindowsIdentity.GetCurrent(); 

await WindowsIdentity.RunImpersonated(currentUser.AccessToken, async() =>
{
    using (var client = new WebClient{ UseDefaultCredentials = true })
    {
        var response = client.DownloadString(combinedUrl);          
        Console.WriteLine(response);
    }
});

它基本上构造一个 URL，然后调用它.

It basically constructs a URL and then calls it.

调用返回 401(未经授权).

The call returns with a 401 (Unauthorized).

但是如果我使用 combinedUrl 并将其粘贴到 chrome 或 postman 中，它完美运行.这告诉我我的通话可以正常工作，因为 Chrome 正在使用我的 Windows 凭据进行通话.

But if I take the combinedUrl and paste it into chrome or postman it works perfectly. That tells me that my call can work because Chrome is using my Windows Credentials to make the call.

我添加了 WindowsIdentity.RunImpersonated 代码来尝试解决这个问题.不过好像没什么效果.

I added the WindowsIdentity.RunImpersonated code to try to get around this issue. But it seems to not have had any effect.

如何使用集成 Windows 身份验证 (IWA) 进行网络呼叫?

详情:

如果我运行以下 cURL 命令，它会起作用:

If I run the following cURL command it works:

curl -L --negotiate -u : -b ~/cookiejar.txt "https://myIdp.domain.net/oauth2/authorize?scope=openid&response_type=code&redirect_uri=https://localhost:5001&client_id=my_client_id_here"

我不知道如何在 C# 代码中复制所有这些.

I am not sure how to replicate all that in C# code.

仅供参考:我在这个问题中专门询问了这个 cURL 命令(因为这个问题的重点是模拟):在 .Net Core 3.1 中使用重定向和 Cookie 复制 cURL 命令

FYI: I have asked about this cURL command specifically in this question (since this question was focused on impersonation): Replicate cURL Command Using Redirect and Cookies in .Net Core 3.1

推荐答案

我面前没有 Windows 框，所以我无法彻底验证这一点.但这似乎有点像蛇坑，基于讨论，例如在这里(尤其是从这条评论开始):https://github.com/dotnet/runtime/issues/24009#issuecomment-544511572

I don't have a Windows box in front of me, so I cannot verify this thoroughly. But this seems to be a bit of a snake pit, based on the discussion e.g. here (especially from this comment down): https://github.com/dotnet/runtime/issues/24009#issuecomment-544511572

对于如何在异步调用中保持身份，似乎有各种不同的意见.

There seems to be various opinions on how to keep the Identity across an async call.

但是如果您查看该评论中的示例，

but if you look at the example in that comment,

app.Use(async (context, next) =>
{
    await WindowsIdentity.RunImpersonated(someToken, () => next());
});

它看起来不像您作为 WindowsIdentity.RunImpersonated 的第二个参数发送的 func 应该是异步的.

it doesn't look like the func you send in as the second argument of WindowsIdentity.RunImpersonated should be async.

你试过了吗:

var baseUrl = "https://" + GetIdentityProviderHost(environment) + "/oauth2/authorize";
var query = $"?scope=openid&response_type=code&redirect_uri={redirectUrl}&client_id={clientId}";
var combinedUrl = baseUrl + query;

var currentUser = WindowsIdentity.GetCurrent(); 

await WindowsIdentity.RunImpersonated(currentUser.AccessToken, () =>
{
    using (var client = new WebClient{ UseDefaultCredentials = true })
    {
        var response = client.DownloadString(combinedUrl);          
        Console.WriteLine(response);

    }
});

您可以在 WindowsIdentity.RunImpersonated 上找到 Microsoft 文档:https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.runimpersonated?view=netcore-3.1

You can find the Microsoft docs on WindowsIdentity.RunImpersonated here: https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.runimpersonated?view=netcore-3.1

这篇关于.Net Core WindowsIdentity 模拟似乎不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！