如何在 IdentityServer4 中进行多步登录? [英] How to do multiple-step login in IdentityServer4?

问题描述

我们使用的是 IdentityServer3，隐式授权和登录由多个屏幕组成.在 IdentityServer3 中，内置了对这种多步登录工作流的支持(例如接受 EULA、双因素登录等)，该功能称为部分登录"，甚至还有一个示例:https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/CustomUserService/CustomUserService

We were using IdentityServer3, implicit grant and the login consists of multiple screen. In IdentityServer3, there's built in support for such multiple step login workflow (for example for accepting EULA, two-factor login, etc.), The feature called "partial login" and there is even an example: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/CustomUserService/CustomUserService

我们最近升级到了 AspNetCore 和 IdentityServer4，想知道如何实现相同的目标?也就是说，在第一步检查用户名和密码，如果正确，将其安全地存储(例如在加密的 cookie 中)以供下一步使用.

We've recently upgraded to AspNetCore and IdentityServer4 and wondering how suppose to achieve the same? That is, check username and password in the first step, and if correct, store it securely (for example in an encrypted cookie) for the next step(s).

推荐答案

我们的解决方案是复制 IdentityServer3 的部分登录:使用自定义 cookie 在步骤之间保留数据.

Our solution was to replicate the IdentityServer3's partial login: use a custom cookie to persist data between steps.

首先，我们需要注册我们的自定义 cookie 身份验证(在 Startup.Configure 中)

First, we need to register our custom cookie authentication (at Startup.Configure)

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationScheme = "my-partial",
    AutomaticAuthenticate = false,
    AutomaticChallenge = false
});

1. 登录工作流的第一步/入口点应映射到 GET/account/login(从 IdentityServer4 1.0.0-rc2 开始).

1. The first step/entry point of the login workflow should be mapped to GET /account/login (as of IdentityServer4 1.0.0-rc2).

在第二步中，在发送和验证凭据后，我们将用户名(以及最终的任何其他数据)保存到 cookie 中.

In second step, after the credentials are sent and verified, we persist the username (and eventually any other data) into a cookie.

代码:

var claims = new []
{
    new Claim("my-user", username),
    new Claim("some-attribute", someAttribute)
};

await HttpContext.Authentication
    .SignInAsync("my-partial", new ClaimsPrincipal(new ClaimsIdentity(claims)));

重要:避免使用 POST/account/login 作为第二步.因为无论您的结果如何，IdentityServer 的中间件都会将您重定向回授权端点(从 RC2 开始).选择任何其他路径即可.

Important: avoid using POST /account/login as a second step. Because regardless of your result, IdentityServer's middleware will redirect you back to the authorization endpoint (as of RC2). Just pick any other path.

1. 最后一步，关键部分
   • 我们从 cookie 中读取持久化数据
   • 删除部分 cookie
   • 登录真实"用户
   • 重定向到 returnUrl(这是作为查询参数添加到第一步的.不要忘记发送)

代码中

var partialUser = await HttpContext.Authentication.AuthenticateAsync("my-partial");
var username = partialUser?.Claims.FirstOrDefault(c => c.Type == "dr-user")?.Value;

var claims = new [] { /* Your custom claims */};

await HttpContext.Authentication
    .SignOutAsync("my-partial");

await HttpContext.Authentication
    .SignInAsync(username, username, claims);

return Redirect(returnUrl);

此外，您可能想要验证输入，例如返回第一步，如果没有部分 cookie 等.

In addition, you might want to validate inputs, for example return to the first step, if there is no partial cookie, etc.

这篇关于如何在 IdentityServer4 中进行多步登录?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！