使用 Azure Active Directory 对用户进行身份验证后执行代码 [英] Executing code after user has been authenticated using Azure Active Directory
问题描述
我使用 VS2015 创建了一个 ASP.NET MVC Core (1.1.0) 应用程序.在对话框中,我选择了连接到 Azure AD 的选项,因此 VS 生成了样板代码,并且正如预期的那样,应用程序将我重定向到 Microsoft 的登录页面,在那里我可以使用我的工作和学校帐户登录.
I created an ASP.NET MVC Core (1.1.0) application using VS2015. In the dialog, I selected the option to connect to Azure AD, so VS generated the boilerplate code and, as expected, the app redirects me to Microsoft's login page, where I can login with my work&school account.
现在,在用户登录之后,在提供第一页之前(比如/home/index),我需要从用户那里获取一些我存储在数据库中的信息(例如显示名称、联系信息例如电子邮件、电话号码、地址、用户照片等).
Now, after the user logs in, and before serving the first page (say, /home/index) I need to get some information from the user that I have stored in a database (like the display name, the contact information such as an email, phone number, address, a picture of the user, and so on).
到目前为止,我的想法是添加一个带有检索此信息的方法的 ControllerBase,然后通过 ViewData 将其传递给视图.但是一遍又一遍地查询数据库以获取此信息似乎效率低下.另一种方法是将此信息存储在 cookie 或会话状态中,从而只访问数据库一次.但是必须依赖于 ControllerBase 可能会导致错误(例如,如果在某些控制器方法中忘记调用基类的方法)并且感觉不合适.此外,只有当用户输入带有预定义路径的 URL(如 www.myapp.com/Users/joedoe/Detail)时,家庭控制器上的此功能才会失败.
What I have thought so far is to add a ControllerBase with a method that retrieves this info, and then pass it to the views via ViewData. But querying the database for this info over and over seems inefficient. An alternative would be to store this info in a cookie or in a session state, thus only hitting the database once. But having to depend on a ControllerBase could lead to errors (for instance, if in some controller method one forgets to call the base's method) and doesn't feel like they way to go. Also, having this funcionality on the home controller only could fail if a user enters the URL with a predefined path (as in www.myapp.com/Users/joedoe/Detail).
我搜索并找到了在传递给 Startup 类中的应用程序构建器的 OpenIdConnectOptions 对象中使用 Events 属性的引用:
I searched and found a reference to using the Events property in the OpenIdConnectOptions object passed to the application builder in the Startup class:
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
ClientId = Configuration["Authentication:AzureAd:ClientId"],
Authority = Configuration["Authentication:AzureAd:AADInstance"] + Configuration["Authentication:AzureAd:TenantId"],
CallbackPath = Configuration["Authentication:AzureAd:CallbackPath"],
Events = new OpenIdConnectEvents {
//
}
});
但是,OpenIdConnectEvents 类没有一些OnAuthenticationSucceeded"事件,它只有一个 OnAuthenticationFailed,这不是我想要的,以及其他名称似乎不是我想要的回调.
However, the OpenIdConnectEvents class does not have some "OnAuthenticationSucceeded" event, it only has an OnAuthenticationFailed, which is not what I want, and other callbacks whose names doesn't seem to be what I'm looking for.
那么,我的问题是,我应该与 OpenIdConnectEvents 一起使用的回调是什么,或者,连接到 AAD 以在用户通过身份验证后捕获事件的 ASP.NET MVC Core 应用程序的首选方式是什么?
So, my question, what is the callback I should be using with OpenIdConnectEvents, or, alternatively, what's the preferred way for ASP.NET MVC Core applications that connect to AAD to catch an event after the user has been authenticated?
提前致谢.
推荐答案
有各种各样的 OpenIdConnectEvents 可供您使用.查看SecurityTokenValidated.这会在用户通过 AAD 身份验证并且令牌已经过验证后触发.在这里,您可以在数据库中查找数据并将您自己的声明添加到身份(如角色等).
There is an assortment of various OpenIdConnectEvents you can hook into. Look at SecurityTokenValidated. This fires after the user has authenticated to AAD and the token had been validated. Here you can look up data in a database and add your own claims to the identity (like roles, etc).
此示例从 AAD 解析组名称,但概念是相同的 - 向声明集添加其他数据,您可以在整个应用程序中通过用户主体访问它.使用角色的 ClaimType 将允许您使用 ASP.net 中的现有属性(如 Authorize(Role=...) 属性.
This sample goes and resolves group names from AAD, but the concept is the same - add additional data to the claim set and you can access it through the user principal throughout the application. Using a ClaimType of role will let you use the existing attributes in ASP.net (like the Authorize(Role=...) attribute.
https://github.com/jpda/azure-ad-netcore-sample/blob/master/src/azure-ad-netcore-sample/Startup.cs
这篇关于使用 Azure Active Directory 对用户进行身份验证后执行代码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
