Where to filter Identity 2.0 claim ticket in a WebAPI app?

Question

ASP.NET apps using OWIN permit multiple Identity sources (Facebook, Google, etc.). Most of the provider-specifc information those sources provide is irrelevant to my app, potentially even large, and I don't want it in my cookies all session. My app is primarily WebAPI, but I suspect the question applies equally to MVC and WebForms.

For now, all I need is an integer account ID. Where/when should I reconstruct the identity, after external authentication?

For example, here is one way I could filter claims:

using System.Linq;
using System.Security.Claims;

public void ReplaceExistingClaims(ClaimsIdentity identity)
{
    Claim customClaim = GetCustomClaimFromDbForIdentity(identity);
    // Snapshot the claims first: RemoveClaim would otherwise modify the collection being enumerated
    foreach (Claim claim in identity.Claims.ToList()) identity.RemoveClaim(claim);
    identity.AddClaim(customClaim);
}

And following are two different places I could inject those claims changes:

var facebookAuthenticationOptions = new FacebookAuthenticationOptions
{
    Provider = new FacebookAuthenticationProvider
    {
        OnAuthenticated = context =>
        {
            ReplaceExistingClaims(context.Identity);
            return Task.FromResult(0);
        }
    }
};

Above, I know I can hook an individual provider from Startup IF it provides an Authenticated event. I have two conceptual problems with this. One: it requires me to write and wire up my code separately for each provider I plug in. Two: there is no requirement for providers to provide this event. Both of these make me feel like there must be a different intended insertion point for my code.

public ActionResult ExternalLoginCallback(string returnUrl)
{
    ReplaceExistingClaims((ClaimsIdentity)User.Identity);
    return new RedirectResult(returnUrl);
}

Above, I know I can put code in ExternalLoginCallback. But this happens too late for two reasons. One: The user has already been issued a ticket I consider invalid, but the default [Authorized] considers valid because it's signed by me, and now they are making requests to my site with it. There could even be race conditions here. Two: There is no guarantee the browser will visit this redirect, and I'd prefer from a design perspective if it didn't have to, e.g. to simplify my WebAPI client code.

To the best of my knowledge, the best solution will meet these requirements:

  1. same code applies to all providers
  2. client receives my custom ticket from my server (e.g. without image claims)
  3. client never receives another ticket format from my server
  4. the authentication process requires the minimum possible HTTP round-trips
  5. token-refresh and other core identity features are still available
  6. once a user is [Authorize]d, no further account transformation is necessary
  7. database/repository access is feasible during ticket generation

Some pages I'm researching, for my own notes:

  • How do I access Microsoft.Owin.Security.xyz OnAuthenticated context AddClaims values?
  • https://katanaproject.codeplex.com/SourceControl/latest#src/Microsoft.Owin.Security.Facebook/FacebookAuthenticationHandler.cs
  • https://katanaproject.codeplex.com/workitem/82
  • https://www.simple-talk.com/dotnet/.net-framework/creating-custom-oauth-middleware-for-mvc-5/

Recommended answer

The ClaimsAuthenticationManager class is designed specifically for this.

https://msdn.microsoft.com/en-us/library/system.security.claims.claimsauthenticationmanager(v=vs.110).aspx

Code sample from that reference:

using System.Security.Claims;

class SimpleClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Called with the principal produced by authentication; returns the principal the app will use
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal != null && incomingPrincipal.Identity.IsAuthenticated == true)
        {
            ((ClaimsIdentity)incomingPrincipal.Identity).AddClaim(new Claim(ClaimTypes.Role, "User"));
        }
        return incomingPrincipal;
    }
}
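The following is an added example, not code from the question, the answer or the MSDN page: it combines the question's goal (a ticket holding only the app's integer account id) with the answer's ClaimsAuthenticationManager. Everything in it is assumed for illustration: the class names MinimalClaimsAuthenticationManager and ClaimsFilterStartup, the claim type urn:example:account-id, the in-memory account table standing in for the database lookup, the "ApplicationCookie" authentication type, and that the external middleware issues a NameIdentifier claim whose issuer is the provider's authentication type. Katana's cookie middleware does not call a ClaimsAuthenticationManager on its own, so the example invokes it from CookieAuthenticationProvider.OnResponseSignIn, which runs for every sign-in the cookie middleware performs regardless of which provider produced the identity (the question's requirement 1) and before the ticket is encrypted (requirement 2). The manager builds a fresh identity instead of mutating the incoming one, keys the lookup on the provider's stable subject id rather than an email or display name, and turns an unknown subject into an unauthenticated identity so [Authorize] rejects it.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Added example (hypothetical class). Replaces whatever claims an external
// provider supplied with the single account-id claim the app actually needs.
public class MinimalClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Claim type for the app's own integer account id (name is an assumption).
    public const string AccountIdClaimType = "urn:example:account-id";

    // Constructed sample data standing in for the database:
    // "<issuer>|<external subject id>" -> internal account id.
    private static readonly Dictionary<string, int> Accounts =
        new Dictionary<string, int>(StringComparer.Ordinal)
        {
            { "Facebook|10001", 42 },
            { "Google|abc-123", 43 },
        };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var incoming = incomingPrincipal != null ? incomingPrincipal.Identity as ClaimsIdentity : null;
        if (incoming == null || !incoming.IsAuthenticated)
        {
            return incomingPrincipal;   // anonymous or non-claims identity: nothing to transform
        }

        // Use the provider's stable subject id; display names and emails are not stable keys.
        Claim subject = incoming.FindFirst(ClaimTypes.NameIdentifier);
        if (subject == null)
        {
            // No usable subject: hand back an unauthenticated identity rather than guessing.
            return new ClaimsPrincipal(new ClaimsIdentity());
        }

        int accountId;
        if (!Accounts.TryGetValue(subject.Issuer + "|" + subject.Value, out accountId))
        {
            return new ClaimsPrincipal(new ClaimsIdentity());   // unknown account: unauthenticated
        }

        // A new identity keeps the original authentication type (so IsAuthenticated stays true)
        // but carries only the app's own claims; provider data never reaches the cookie.
        var minimal = new ClaimsIdentity(incoming.AuthenticationType);
        minimal.AddClaim(new Claim(AccountIdClaimType, accountId.ToString(), ClaimValueTypes.Integer32));
        minimal.AddClaim(new Claim(ClaimTypes.NameIdentifier, accountId.ToString()));
        return new ClaimsPrincipal(minimal);
    }
}

// Hypothetical startup wiring: one hook covers every provider that signs in
// through this cookie middleware.
public static class ClaimsFilterStartup
{
    public static void Configure(IAppBuilder app)
    {
        var manager = new MinimalClaimsAuthenticationManager();

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "ApplicationCookie",   // assumed name
            Provider = new CookieAuthenticationProvider
            {
                // Runs on every SignIn before the ticket is serialized and encrypted,
                // so the client only ever receives the filtered ticket.
                OnResponseSignIn = context =>
                {
                    ClaimsPrincipal transformed = manager.Authenticate(
                        context.Request.Uri.AbsolutePath,
                        new ClaimsPrincipal(context.Identity));
                    context.Identity = (ClaimsIdentity)transformed.Identity;
                }
            }
        });
    }
}
```

Because the lookup happens inside the sign-in hook, the database access the question asks for (requirement 7) takes place during ticket generation, and a request that later arrives with the cookie needs no further transformation (requirement 6). If the app issues bearer tokens through OAuthAuthorizationServer instead of cookies, the same manager can be invoked from that middleware's ticket-creation hook; only the wiring shown here is cookie-specific.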
