强制其他用户刷新其与ASP.NET身份2.1.0声明 [英] Force another user to refresh their Claims with ASP.NET Identity 2.1.0
问题描述
我用 Asp.NET身份2.1.0 和我存储帐户列表,一个用户访问,如索赔。在 ClaimsIdentity 时生成用户的迹象:
I'm using Asp.NET Identity 2.1.0 and I store a list of Accounts that a User has access to, as Claims. The ClaimsIdentity is generated when the User signs in:
public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager)
{
var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
// Add Claims concerning Account
userIdentity.AddClaim(new Claim("AccountList", SerializedListOfAccounts));
return userIdentity;
}
让我们说,一个管理员撤销的用户A 访问特定的帐户。我怎么能强迫用户A 来再生它的 ClaimsIdentity ?请记住,这是不是在用户A 的情况下。而且我不希望等到该cookie已过期(和一个新的 ClaimsIdentity 自动生成。
Let's say that an Administrator revokes User A's access to a specific Account. How can I force User A to regenerate its ClaimsIdentity? Remember that it isn't in the context of User A. And I don't want to wait until the cookie has expired (and a new ClaimsIdentity is automatically generated.
这可能吗?是不是有没有办法告诉服务器把用户A的饼干为无效,并迫使它来重新生成它?
Is it possible? Isn't there a way to tell the server to regard User A's cookie as invalid and force it to regenerate it?
我想这种行为的原因是为了创建一个自定义 AuthorizeAttribute ,我可以在我的控制器把它检查声明,看是否有用户访问与否,以避免额外的往返到数据库中。
The reason I want this behaviour is to create a custom AuthorizeAttribute that I can put on my controllers that checks the Claims to see if a User has access or not, to avoid an extra round trip to the database.
推荐答案
您不能存储他们的cookie的主张,但应用它们对每个请求的管道年初的身份。你必须破解 Startup.Auth.cs 来做到这一点。我这样做只是<一个href=\"https://github.com/trailmax/ClaimsAuthorisation/blob/master/ClaimsAuth/App_Start/Startup.Auth.cs#L45\">here.
You can not store their claims on cookie, but apply them on every request to the identity early in the pipeline. You'll have to hack Startup.Auth.cs to do that. I'm doing just that here.
和这里的要点你可以工作:
And here is the gist you can work with:
public partial class Startup
{
public void ConfigureAuth(IAppBuilder app)
{
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
Provider = GetMyCookieAuthenticationProvider(),
// other configurations
});
// other usual code
}
private static CookieAuthenticationProvider GetMyCookieAuthenticationProvider()
{
var cookieAuthenticationProvider = new CookieAuthenticationProvider();
cookieAuthenticationProvider.OnValidateIdentity = async context =>
{
// execute default cookie validation function
var cookieValidatorFunc = SecurityStampValidator.OnValidateIdentity<UserManager, ApplicationUser>(
TimeSpan.FromMinutes(10),
(manager, user) =>
{
var identity = manager.GenerateUserIdentityAsync(user);
return identity;
});
await cookieValidatorFunc.Invoke(context);
// sanity checks
if (context.Identity == null || !context.Identity.IsAuthenticated)
{
return;
}
// get your claim from your DB or other source
context.Identity.AddClaims(newClaim);
};
return cookieAuthenticationProvider;
}
}
这需要在每次请求申请索赔,这可能不是很高性能的缺点。但在正确的地方缓存适量会有所帮助。另外这块code是不工作的最容易的地方,因为它是在管道很早,你需要管理自己的的DbContext 等的依赖关系。
The drawbacks that you need to apply claims on every request and this might be not very performant. But right amount of caching in the right place will help. Also this piece of code is not the easiest place to work, as it is very early in the pipeline and you need to manager yourself DbContext and other dependencies.
有利的一面是,权利要求书马上应用到每一个用户的请求,你会得到权限的立即改变,而无需重新登录。
The upsides are that the claims are applied right away to every user's request and you get immediate change of permissions without having to re-login.
这篇关于强制其他用户刷新其与ASP.NET身份2.1.0声明的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
