Where to filter Identity 2.0 claim ticket in a WebAPI app?
Question
ASP.NET apps using OWIN permit multiple Identity sources (Facebook, Google, etc.). Most of the provider-specifc information those sources provide is irrelevant to my app, potentially even large, and I don't want it in my cookies all session. My app is primarily WebAPI, but I suspect the question applies equally to MVC and WebForms.
For now, all I need is an integer account ID. Where/when should I reconstruct the identity, after external authentication?
For example, here is one way I could filter claims:
public void ReplaceExistingClaims(ClaimsIdentity identity)
{
    Claim customClaim = GetCustomClaimFromDbForIdentity(identity);
    // Snapshot the claims first (needs using System.Linq;): removing from identity.Claims
    // while enumerating it throws, and the instance members are on identity, not on the type
    foreach (Claim claim in identity.Claims.ToList()) identity.RemoveClaim(claim);
    identity.AddClaim(customClaim);
}
And following are two different places I could inject those claims changes:
var facebookAuthenticationOptions = new FacebookAuthenticationOptions
{
    Provider = new FacebookAuthenticationProvider
    {
        OnAuthenticated = context =>
        {
            ReplaceExistingClaims(context.Identity);
            return Task.FromResult(0);
        }
    }
};
Above, I know I can hook an individual provider from Startup IF it provides an Authenticated event. I have two conceptual problems with this. One: it requires me to write and wire up my code separately for each provider I plug in. Two: there is no requirement for providers to provide this event. Both of these make me feel like there must be a different intended insertion point for my code.
public ActionResult ExternalLoginCallback(string returnUrl)
{
    ReplaceExistingClaims((ClaimsIdentity)User.Identity);
    // The redirect result has to be returned, not just constructed
    return new RedirectResult(returnUrl);
}
Above, I know I can put code in ExternalLoginCallback. But this happens too late for two reasons. One: The user has already been issued a ticket I consider invalid, but the default [Authorize] considers valid because it's signed by me, and now they are making requests to my site with it. There could even be race conditions here. Two: There is no guarantee the browser will visit this redirect, and I'd prefer from a design perspective if it didn't have to, e.g. to simplify my WebAPI client code.
To the best of my knowledge, the best solution will meet these requirements:
- same code applies to all providers
- client receives my custom ticket from my server (e.g. without image claims)
- client never receives another ticket format from my server
- the authentication process requires the minimum possible HTTP round-trips
- token-refresh and other core identity features are still available
- once a user is [Authorize]d, no further account transformation is necessary - database/repository access is feasible during ticket generation
Some pages I'm researching, for my own notes:
- How do I access Microsoft.Owin.Security.xyz OnAuthenticated context AddClaims values?
- https://katanaproject.codeplex.com/SourceControl/latest#src/Microsoft.Owin.Security.Facebook/FacebookAuthenticationHandler.cs
- https://katanaproject.codeplex.com/workitem/82
- https://www.simple-talk.com/dotnet/.net-framework/creating-custom-oauth-middleware-for-mvc-5/
Answer
The ClaimsAuthenticationManager class is designed specifically for this.
https://msdn.microsoft.com/en-us/library/system.security.claims.claimsauthenticationmanager(v=vs.110).aspx
Code sample from that reference:
class SimpleClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Called with the incoming principal; whatever is returned becomes the app's principal
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal != null && incomingPrincipal.Identity.IsAuthenticated == true)
        {
            ((ClaimsIdentity)incomingPrincipal.Identity).AddClaim(new Claim(ClaimTypes.Role, "User"));
        }
        return incomingPrincipal;
    }
}
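The MSDN sample above only appends a role. The question asks for the opposite direction: drop everything the provider supplied and issue a ticket carrying just an integer account id. Below is an added example of that transformation written on top of ClaimsAuthenticationManager; it is not code from the question, the answer, or the MSDN page. It targets .NET Framework 4.5+ (ClaimsAuthenticationManager lives in System.IdentityModel.dll), and the claim type "urn:example:account-id", the authentication type "ExampleApplicationCookie", and the in-memory account lookup are assumptions standing in for the app's own choices and repository.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Replaces whatever the external provider supplied with the app's own minimal identity:
// a single integer account-id claim, resolved from the provider's stable subject id.
class AccountIdClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // App-chosen names (assumptions for this example, not anything the page defines).
    public const string AccountIdClaimType = "urn:example:account-id";
    public const string AppAuthenticationType = "ExampleApplicationCookie";

    // Stand-in for the app's repository: (issuer, external subject id) -> account id, null if unknown.
    private readonly Func<string, string, int?> _lookupAccountId;

    public AccountIdClaimsAuthenticationManager(Func<string, string, int?> lookupAccountId)
    {
        _lookupAccountId = lookupAccountId;
    }

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        // Anonymous callers pass through untouched; there is nothing to transform.
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        var external = (ClaimsIdentity)incomingPrincipal.Identity;
        Claim subject = external.FindFirst(ClaimTypes.NameIdentifier);
        int? accountId = subject == null ? null : _lookupAccountId(external.AuthenticationType, subject.Value);

        // No stable subject, or no matching account: return an unauthenticated principal
        // instead of letting the provider's claims through as if they were ours.
        if (accountId == null)
            return new ClaimsPrincipal(new ClaimsIdentity());

        // Fresh identity: nothing is copied from the provider, so profile blobs never reach the cookie.
        var appIdentity = new ClaimsIdentity(AppAuthenticationType);
        appIdentity.AddClaim(new Claim(AccountIdClaimType, accountId.Value.ToString(), ClaimValueTypes.Integer32));
        return new ClaimsPrincipal(appIdentity);
    }

    // Reads the account id back out of a transformed principal; null when absent or malformed.
    public static int? GetAccountId(ClaimsPrincipal principal)
    {
        var identity = principal == null ? null : principal.Identity as ClaimsIdentity;
        Claim c = identity == null ? null : identity.FindFirst(AccountIdClaimType);
        int id;
        return c != null && int.TryParse(c.Value, out id) ? id : (int?)null;
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed stand-in for what a social provider's middleware hands over:
        // a stable subject id plus bulky profile data the app does not want in its ticket.
        var facebookLike = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "10000000000001"),
            new Claim(ClaimTypes.Name, "Example User"),
            new Claim(ClaimTypes.Email, "user@example.invalid"),
            new Claim("urn:example:picture", new string('x', 4096)), // constructed oversized profile claim
        }, "Facebook");

        // Constructed account table: only this one external login is known to the app.
        var accounts = new Dictionary<string, int> { { "Facebook:10000000000001", 42 } };
        var manager = new AccountIdClaimsAuthenticationManager((issuer, sub) =>
        {
            int id;
            return accounts.TryGetValue(issuer + ":" + sub, out id) ? id : (int?)null;
        });

        // Known user: exactly one claim survives, and it is the app's account id.
        ClaimsPrincipal app = manager.Authenticate("/api/anything", new ClaimsPrincipal(facebookLike));
        Console.WriteLine("claims after transformation: " + app.Claims.Count());
        Console.WriteLine("account id: " + AccountIdClaimsAuthenticationManager.GetAccountId(app));

        // Unknown external user: comes back unauthenticated, with no provider claims leaked.
        var stranger = new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, "999") }, "Facebook");
        ClaimsPrincipal rejected = manager.Authenticate("/api/anything", new ClaimsPrincipal(stranger));
        Console.WriteLine("unknown user authenticated? " + rejected.Identity.IsAuthenticated);
    }
}
```

Two design points worth noting. Building a new ClaimsIdentity rather than pruning the incoming one guarantees that nothing provider-specific can slip through, which is what the "no image claims" requirement asks for. And because the transformation keys off ClaimTypes.NameIdentifier and the identity's AuthenticationType rather than any provider event, the same class serves every provider. As far as I know, Katana's cookie and external-login middleware do not invoke ClaimsAuthenticationManager.Authenticate for you the way the WIF HTTP modules do, so the app calls it itself at the point where it exchanges the external login for its own ticket, before that ticket is signed.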