UseCookieAuthentication vs. UseExternalSignInCookie


Question

I use Owin to authorize through Google oAuth. Here is how my cookies are configured:

// Enable the application to use a cookie to store information for the signed in user
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Authentication/Login")
});
// Use a cookie to temporarily store information about a user logging in with a third party login provider
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

So I am using both UseCookieAuthentication and UseExternalSignInCookie, and it seems redundant. Which of these two AuthenticationTypes should I specify for IAuthenticationManager methods (SignIn, SignOut, etc.)? Or should I keep just one of them?

Update. What confuses me most is the SignIn method:

private async Task SignInAsync(ApplicationUser user, bool isPersistent)
{
    AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
    var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
    AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent }, identity);
}

So it signs out from ExternalCookie, but signs in with ApplicationCookie.

Recommended answer

You need all of them, if you want Google sign in to work. This is how it works. In the OWIN pipeline, you have three middleware components: (1) the cookie authentication middleware running in active mode, (2) another instance of cookie authentication middleware but running in passive mode, and (3) Google authentication middleware. That will be like so.

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    ...
}); // Active

app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie); // Passive

app.UseGoogleAuthentication(...);

When there is a 401, your user gets redirected to Google. There, your user logs in and Google validates the credential. Google then redirects the user back to your app. At this point, Google authentication middleware gets the login info, applies a grant (read external cookie) and short circuits the OWIN pipeline and redirects to the external callback URL, which corresponds to ExternalLoginCallback action method of AccountController. So, at this point when the request comes to your app as a result of redirect, you get the external cookie with the user name and email claims.

In order to read this cookie and retrieve the data (user name, etc.) from Google, you use the cookie authentication middleware running in passive mode. Since this middleware runs in passive mode, it must be told to read the cookie. That's what happens when the call to AuthenticationManager.GetExternalLoginInfoAsync() is made in the ExternalLoginCallback action method. At that point, identity from the external cookie has been established and this identity contains only the name and email claims from Google.

Typically, at this point you will need to retrieve user specific information from your application data store and add more claims to the identity. So, you call SignOut on the external cookie middleware, which will also ensure the external cookie no longer gets sent back by expiring it. So, using the identity information available at that time, UserManager.FindAsync is called in the ExternalLoginCallback action method, which should return the user with all application specific claims. Using that new identity, you call SignIn on the cookie authentication middleware running in active mode. This ensures a new cookie is created. Compared to the external cookie, this new cookie contains all the application specific claims. Subsequently, you get this cookie back and the cookie authentication middleware running in active mode actively reads the cookie and establishes identity with the complete list of all application specific claims.

So, if you do not call SignIn, you will not be creating that cookie containing all application specific claims. But then it is up to you to use some other mechanism. The out-of-the-box behavior is that a local cookie containing all the application specific claims is created through that call to SignIn and subsequently read by the cookie middleware running in active mode.

UPDATE: I have created a blog post to explain how you can get away without using two cookie middleware instances. http://lbadri.wordpress.com/2014/10/14/barebones-asp-net-mvc-google-signin-through-owin-middleware/
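
The hand-off from the external cookie to the application cookie that the answer describes, written out as an ExternalLoginCallback action. This is an added example, not code from the original question or answer. It assumes ASP.NET MVC 5 with the Microsoft.AspNet.Identity.Owin packages; the ApplicationUser class, the constructor-injected UserManager and the Home/Index fallback are hypothetical.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

// Hypothetical user type; the MVC 5 project template generates an equivalent class.
public class ApplicationUser : IdentityUser { }

public class AccountController : Controller
{
    // Assumption: the UserManager is supplied by the application's composition root.
    private readonly UserManager<ApplicationUser> _userManager;
    public AccountController(UserManager<ApplicationUser> userManager) { _userManager = userManager; }

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    [AllowAnonymous]
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        // The ExternalCookie middleware is passive: it reads its cookie only
        // when asked. This call authenticates against ExternalCookie.
        var info = await AuthenticationManager.GetExternalLoginInfoAsync();
        if (info == null) return RedirectToAction("Login", "Authentication");

        // Map the external login (provider + key) to a local account.
        ApplicationUser user = await _userManager.FindAsync(info.Login);
        if (user == null) return RedirectToAction("Login", "Authentication");

        // Expire the temporary external cookie so it is not sent again.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);

        // Build the identity with the application's own claims and issue the
        // ApplicationCookie, which the active middleware reads on later requests.
        var identity = await _userManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
        AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);

        // Follow returnUrl only when it is local, so the callback cannot be used as an open redirect.
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```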
