仅针对特定帐户的 Google ASP.NET Core 身份验证 [英] ASP.NET Core authentication with Google only for a specific account

问题描述

在我的 ASP.NET Core 3 应用程序中，我想实现使用 Google 登录，并且只允许对特定用户进行身份验证.

In my ASP.NET Core 3 app, I'd like to implement login with Google and only allow authentication for specific user(s).

到目前为止我所做的是遵循以下教程:

What I did so far is to follow the tutorial from:

https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/social-without-identity?view=aspnetcore-3.0https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins?view=aspnetcore-3.0

要使用户仅获得特定 Google 帐户的授权，接下来的步骤是什么?即使用户成功通过 Google 身份验证，我也只希望特定的 Google 帐户(电子邮件地址)可以访问我的 ASP.NET Core 应用.

What are the next steps to make the user authorized only for specific Google account(s)? Even if the user is authenticated successfully by Google, I want only specific Google account(s) (email addresses) to have access to my ASP.NET Core app.

我尝试的是为 'OnCreatingEvent' 事件设置一个委托，但我不知道如何拒绝授权.

What I tried was to set a delegate to the 'OnCreatingEvent' event, but I don't know how to reject authorization.

        public void ConfigureServices(IServiceCollection services)
        {
            services.AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = GoogleDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddGoogle(options =>
            {
                options.ClientId = Configuration["google-credentials:ClientId"]; 
                options.ClientSecret = Configuration["google-credentials:ClientSecret"];
                options.Events = new OAuthEvents()
                {
                    OnCreatingTicket = HandleOnCreatingTicket
                };
            });

private async Task HandleOnCreatingTicket(OAuthCreatingTicketContext context)
        {
            var user = context.Identity;

            if (user.Claims.FirstOrDefault(m => m.Type == ClaimTypes.Email).Value != "MY ACCOUNT")
            {
                // How to reject authorization?
            }

            await Task.CompletedTask;
        }

推荐答案

您可以创建一个策略来检查用户名声明是否在您允许的用户名列表中，根据您的验证结果返回真/假:

You can create a policy to check whether user's name claim is in your allowed user name list , return true/false base on your validation result :

services.AddAuthorization(options =>
{
    options.AddPolicy("AllowedUsersOnly", policy =>
    {
        policy.RequireAssertion(context =>
        {
            //Here you can get many resouces from context, i get a claim here for example
            var name = context.User.Claims.FirstOrDefault(x => x.Type == ClaimTypes.Name)?.Value;

            //write your logic to check user name .


            return false;
        });
    });
}); 

然后你可以在你的控制器/动作上应用策略或注册全局过滤器.

Then you could apply policy on your controller/action or register global filter .

这篇关于仅针对特定帐户的 Google ASP.NET Core 身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！