针对 Active Directory 对用户进行身份验证时存储 ASP.NET Core 授权声明的最佳实践? [英] Best practice for storing ASP.NET Core Authorization claims when authenticating users against Active Directory?
问题描述
我正在创建一个企业 Intranet ASP.NET Core MVC 应用程序.我希望我的用户使用 Active Directory 进行身份验证,并且我希望将用户授权(声明)存储在 ApplicationDbContext 中.
I am creating an enterprise intranet ASP.NET Core MVC application. I want my users to authenticate using Active Directory and I want user authorizations (claims) stored in ApplicationDbContext.
我假设我需要使用 Microsoft.AspNetCore.Identity 和 Microsoft.AspNetCore.Identity.EntityFrameworkCore 来实现我的目标.针对 Active Directory 进行身份验证时存储 ASP.NET Core 授权声明的最佳做法是什么?
I assume that I need to use Microsoft.AspNetCore.Identity and Microsoft.AspNetCore.Identity.EntityFrameworkCore to accomplish my goals. What is the best practice for storing ASP.NET Core Authorization claims when authenticating against Active Directory?
以下代码将使我能够从管道中访问当前的 Windows 用户安全上下文(当前登录的用户).我需要以某种方式将用户映射到相关的 Microsoft.AspNetCore.Identity 声明?
The following code will give me access to the current windows user security context (current logged in user), from within the pipeline. Somehow I need to map the user with associated Microsoft.AspNetCore.Identity claims?
app.Use(async (context, next) =>
{
var identity = (ClaimsIdentity) context.User.Identity;
await next.Invoke();
});
提前感谢您的帮助!
推荐答案
我认为没有最佳实践,但您确实有很多选择.也许您可以详细说明您要实现的目标?这里有一些提示可以帮助您解决其中的一些问题.只是一个问题...您在后台使用什么来针对 AD 进行身份验证?如果您使用 IdentityServer 或类似的东西,那么我建议您倾向于选项 4.
I don't think there is a best practice around this, but you do have many options. Perhaps you could elaborate a little on what you're trying to achieve? Here's a few pointers that may help you sort some of this out. Just a question...what are you using to authenticate against AD under the hood? If you use IdentityServer or something similar then I would recommend leaning towards option 4.
首先,声明只是键值对.这意味着您可以创建如下结构:
First off, claims are simply key-value pairs. This means that you could create a structure such as:
public class UserClaim
{
public string UserName {get; set;}
public string Key {get; set;}
public string Value {get; set;}
}
这将允许您将声明存储在 ApplicationUser 类中.
This would allow you to store the claims in your ApplicationUser class.
更好的是,您可以通过注入 UserManager<ApplicationUser> 来利用内置的身份组件.userManager 到您希望添加用户声明的类中,然后使用适当的值调用 AddClaim().由于 Core 中的 DI 系统,您可以在任何将由运行时激活的类中自由地执行此操作.
Better yet, you could leverage the built in identity components by injecting a UserManager<ApplicationUser> userManager into the class where you wish to add the user claims, and then call AddClaim() with the appropriate values. Because of the DI system in Core, you're free to do this in any class that will be activated by the runtime.
另一种方法是使用 UserName 属性扩充 UserClaim 类,然后使用原则的唯一标识符(User.Identity.Name).然后,您可以将其存储在 ApplicationDbContext 中的 DbSet 中,并按用户名获取声明.
An other approach would be to augment the UserClaim class with a UserName property, then use the unique identifier of the principle (User.Identity.Name). Then you could store that in a DbSet<UserClaim> in your ApplicationDbContext and fetch the claims by user name.
如果您只需要访问声明,而不是存储它们(我不确定您的问题的意图),那么您最好只访问 User 属性,如果您重新在控制器中,前提是您使用的身份验证服务可以正确地对声明进行补充.
If you just need to access the claims, and not store them (I'm not sure of your intentions from your question) then you might be best just to access the User property if you're in a controller, provided you're using an authentication service that hydrates the claims correctly.
User 装饰有属于登录到您的应用的用户的声明,并且在每个控制器上都可用.
The User is decorated with the claims that belong to the user that signed in to your app and is available on every controller.
您可以通过其他方式获取 ClaimsPrinciple 并以这种方式访问用户的声明.在这种情况下(在控制器之外),您要做的是将 IHttpContextAccessor 访问器 添加到类的构造函数并导航到 HttpContextAccessor.HttpContext.User 属性,这又是一个ClaimsPrinciple.
You can otherwise obtain the ClaimsPrinciple and access the claims of the user in that manner. In that case (outside of a controller) what you would do is to add an IHttpContextAccessor accessor to the constructor of your class and navigate to the HttpContextAccessor.HttpContext.User property, which is again a ClaimsPrinciple.
这篇关于针对 Active Directory 对用户进行身份验证时存储 ASP.NET Core 授权声明的最佳实践?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
