Login page on different domain


Question

I am completely new to OWIN authentication, and I must be misunderstanding how everything works, but I can't find this mentioned anywhere.

All I want is to be able to use a central domain for authentication. If someone tries to access apps.domain.com when not authenticated, they will be redirected to accounts.domain.com/login so that all the authentication is separated into its own domain and application. This was very easy with MVC 4 forms authentication where you can specify a full URL, but doesn't seem to be with OWIN.

In Startup.Auth.cs:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    // LoginPath must be a path relative to this application; an absolute URL is not accepted here
    LoginPath = new PathString("/account/login")
});

It's easy to specify the domain when setting the cookie with the CookieDomain option. However, when you specify the login path to redirect to, it has to be relative to the current application, so how do I go about accomplishing what was so easy in MVC 4 forms authentication?

Without getting too deep into what OWIN authentication is all about, I could not find anything addressing this after a couple hours of searching.

Accepted answer

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            LoginPath = new PathString("/account/login"),
            LogoutPath = new PathString("/account/logout"),
            Provider = new CookieAuthenticationProvider
            {
                OnApplyRedirect = ApplyRedirect
            },
        });
    }

    private static void ApplyRedirect(CookieApplyRedirectContext context)
    {
        Uri absoluteUri;
        if (Uri.TryCreate(context.RedirectUri, UriKind.Absolute, out absoluteUri))
        {
            var path = PathString.FromUriComponent(absoluteUri);
            if (path == context.OwinContext.Request.PathBase + context.Options.LoginPath)
            {
                context.RedirectUri = "http://accounts.domain.com/login" +
                    new QueryString(
                        context.Options.ReturnUrlParameter,
                        context.Request.Uri.AbsoluteUri);
            }
        }

        context.Response.Redirect(context.RedirectUri);
    }
}

If apps.domain.com is the only return URL base possible, you should strongly consider replacing context.Request.Uri.AbsoluteUri with context.Request.PathBase + context.Request.Path + context.Request.QueryString and build an absolute return URL in your authentication server to protect your apps from abusive redirects.

Hope this helps ;)

EDIT: you might ask yourself why I don't directly apply the redirect using the context.RedirectUri property. In fact, ICookieAuthenticationProvider.ApplyRedirect is responsible for multiple redirects, corresponding to the log-in and log-out flows (yep, I know, it breaks the single responsibility principle...). But there's even worse: context.RedirectUri can either represent the authentication endpoint's absolute URL in the beginning of the log-in flow or the final browser's destination (i.e. the real relative "return URL") when the cookie is effectively being sent back to the browser... that's why we need to make sure that context.RedirectUri is absolute and corresponds to the registered context.Options.LoginPath.
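The answer recommends sending only a relative return URL (PathBase + Path + QueryString) and rebuilding the absolute URL inside the authentication server. The following is an added example of that server-side step, not code from the answer: the `ReturnUrlBuilder` class, its method name and the trusted base `https://apps.domain.com/` are assumptions for illustration.

```csharp
using System;

// Hypothetical helper for the authentication server (accounts.domain.com).
// The protected app sends only a site-local path in the ReturnUrl parameter;
// this method composes the absolute redirect against a fixed, trusted base so
// that an attacker-supplied absolute URL in ReturnUrl is never honoured.
public static class ReturnUrlBuilder
{
    // Assumed: the only application host allowed to receive a post-login redirect.
    private static readonly Uri TrustedBase = new Uri("https://apps.domain.com/");

    public static bool TryBuildAbsoluteReturnUrl(string returnUrl, out Uri result)
    {
        result = null;
        if (string.IsNullOrEmpty(returnUrl))
            return false;

        // Reject anything that already parses as an absolute URI (scheme present).
        if (Uri.TryCreate(returnUrl, UriKind.Absolute, out _))
            return false;

        // Require a single leading slash; "//host" and "/\host" are treated as
        // protocol-relative by browsers and would escape the trusted host.
        if (!returnUrl.StartsWith("/", StringComparison.Ordinal) ||
            returnUrl.StartsWith("//", StringComparison.Ordinal) ||
            returnUrl.StartsWith("/\\", StringComparison.Ordinal))
            return false;

        // Compose against the trusted base, then confirm scheme and host are unchanged.
        if (!Uri.TryCreate(TrustedBase, returnUrl, out result))
            return false;
        if (result.Scheme != TrustedBase.Scheme ||
            !string.Equals(result.Host, TrustedBase.Host, StringComparison.OrdinalIgnoreCase))
        {
            result = null;
            return false;
        }
        return true;
    }
}
```

With this in place, "/orders?id=42" becomes "https://apps.domain.com/orders?id=42", while "http://evil.example/" and "//evil.example/" are refused and the login page can fall back to a default landing URL.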
