Supporting Individual User Accounts AND Organizational Accounts in MVC5 / ASP.Net Identity 2


Question

I've created an ASP.Net MVC5 application, in which I have configured (and have working fine) Individual User Accounts via Google, Facebook, etc.

What I'd like to do is also support authentication against Azure Active Directory (Organizational Accounts). This would be for internal staff to be able to logon to the app as administrators.

All existing information/guides/documentation I've found typically deals with using one or the other. How would I enable them both together?

If there needs to be a separate logon form for each type of user, that would not be an issue.

Edit:

I was looking at the Application configuration within Azure Active Directory portal, and notice that they define an "OAUTH 2.0 AUTHORIZATION ENDPOINT". Can MVC5 be configured within Startup.Auth.cs to use this?

Answer

I managed to implement this by doing the following:

First, adding a reference to the Microsoft.Owin.Security.OpenIdConnect NuGet package.

Second, configuring it in my Startup.Auth.cs:

// Registered alongside the existing Google/Facebook middleware. Its AuthenticationType
// ("OpenIdConnect") is the "provider" value the admin login form posts to ExternalLogin.
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ClientId = "From the Azure Portal (see below)",
    // Tenant-specific authority: only tokens issued by this tenant validate.
    Authority = "https://login.windows.net/<domain>.onmicrosoft.com",
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        RedirectToIdentityProvider = (ctx) =>
        {
            // Only the explicit admin login post (.../ExternalLogin) may redirect to Azure AD.
            // Every other 401 challenge is skipped so the normal Individual Accounts login page
            // keeps handling unauthenticated users.
            if (ctx.Request.Path.Value.EndsWith("ExternalLogin"))
            {
                string appBasePathUrl = ctx.Request.Scheme + "://" + ctx.Request.Host + ctx.Request.PathBase;
                // Azure AD only accepts redirect URIs registered for the application, so a
                // forged Host header here is rejected by Azure AD rather than followed.
                ctx.ProtocolMessage.RedirectUri = appBasePathUrl + "/";
                ctx.ProtocolMessage.PostLogoutRedirectUri = appBasePathUrl;
            }
            else
            {
                ctx.State = NotificationResultState.Skipped;
                ctx.HandleResponse();
            }

            return Task.FromResult(0);
        }
    },
    Description = new AuthenticationDescription
    {
        AuthenticationType = "OpenIdConnect",
        Caption = "SomeNameHere"
    }
});

Third, I set up the application in the Azure Portal (classic):

[screenshot: Azure Active Directory application configuration]

Fourth, I added a separate logon page for admin users:

@using (Html.BeginForm("ExternalLogin", "Home"))
{
    @Html.AntiForgeryToken()
    <div class="ui basic segment">
        <div class="ui list">
            <div class="item">
                <button type="submit" name="provider" value="OpenIdConnect" class="left floated huge ui button social">
                    <i class="windows icon"></i>
                    <span>My Org Name</span>
                </button>
            </div>
        </div>
    </div>
}

Fifth, the ExternalLogin action doesn't need to change - we just let OWIN middleware redirect us to the external login page. The flow would then direct the user back to the ExternalLoginCallback action.

Finally, in the ExternalLoginCallback action, I check the incoming claims to determine that the login was via Azure AD, and instead of calling into ASP.NET Identity, I construct my own ClaimsIdentity, which has all my (application specific) claim information which my application recognises as an admin user.

Now, admin users navigate to https://example.com/admin, click the login button, are redirected to the Azure AD login, and wind up back at the application as an admin user.
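The last step above (inspect the claims in ExternalLoginCallback, then hand-build a ClaimsIdentity instead of going through ASP.NET Identity) is where the security decision lives, so here is one way to write it. This is an added example, not the answerer's code. It assumes the MVC5 Individual Accounts template (its ApplicationSignInManager and the usual SignInStatus handling), the claim type names that System.IdentityModel.Tokens.Jwt maps Azure AD's tid/oid/upn claims to, a hypothetical tenant id, and, going beyond the answer's design, a hypothetical allow-list of admin object ids, because a tenant-issued token only proves the user works for the organisation, not that they should be an administrator:

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

public class HomeController : Controller
{
    // Must match the AuthenticationType given to the OpenIdConnect middleware in Startup.Auth.cs.
    private const string OrgProvider = "OpenIdConnect";

    // Hypothetical values: take the real tenant id and admin object ids from the Azure portal.
    private const string ExpectedTenantId = "11111111-2222-3333-4444-555555555555";
    private static readonly HashSet<string> AdminObjectIds = new HashSet<string>
    {
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    };

    // Claim types the JWT handler maps Azure AD's short claim names (tid, oid) to.
    private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // Template class from the MVC5 Individual Accounts project (assumed present).
    private ApplicationSignInManager SignInManager
    {
        get { return HttpContext.GetOwinContext().Get<ApplicationSignInManager>(); }
    }

    [AllowAnonymous]
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
        if (loginInfo == null)
        {
            return RedirectToAction("Login");
        }

        if (loginInfo.Login.LoginProvider == OrgProvider)
        {
            // Azure AD path: never touch the ASP.NET Identity user store for these logins.
            ClaimsIdentity admin = BuildAdminIdentity(loginInfo.ExternalIdentity);
            AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
            if (admin == null)
            {
                // Wrong tenant or not an allow-listed admin: refuse instead of falling through
                // to the individual-account flow, which would happily create a local user.
                return new HttpUnauthorizedResult();
            }
            AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = false }, admin);
            return RedirectToLocal(returnUrl);
        }

        // Any other provider (Google, Facebook, ...) is an individual account and goes through
        // ASP.NET Identity exactly as in the template (lockout/2FA/confirmation branches omitted here).
        var result = await SignInManager.ExternalSignInAsync(loginInfo, isPersistent: false);
        return result == SignInStatus.Success ? RedirectToLocal(returnUrl) : RedirectToAction("Login");
    }

    // Returns null unless the external identity was issued by our tenant for an allow-listed admin.
    public static ClaimsIdentity BuildAdminIdentity(ClaimsIdentity external)
    {
        if (external == null) return null;

        Claim tenant = external.FindFirst(TenantIdClaim);
        Claim oid = external.FindFirst(ObjectIdClaim);
        if (tenant == null || oid == null) return null;

        // The tenant-specific Authority already restricts which issuer validates; checking tid and
        // the claim issuer here again keeps that guarantee visible and local to this action.
        string expectedIssuer = "https://sts.windows.net/" + ExpectedTenantId + "/";
        if (tenant.Value != ExpectedTenantId || oid.Issuer != expectedIssuer) return null;

        // Tenant membership is authentication; the allow-list is the authorisation step.
        if (!AdminObjectIds.Contains(oid.Value)) return null;

        var identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie, ClaimTypes.Name, ClaimTypes.Role);
        // The template binds anti-forgery tokens to NameIdentifier; use the immutable oid, not a display name.
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, oid.Value));
        Claim upn = external.FindFirst(ClaimTypes.Upn) ?? external.FindFirst(ClaimTypes.Name);
        identity.AddClaim(new Claim(ClaimTypes.Name, upn != null ? upn.Value : oid.Value));
        identity.AddClaim(new Claim(ClaimTypes.Role, "Administrator"));
        return identity;
    }

    private ActionResult RedirectToLocal(string returnUrl)
    {
        // Only follow returnUrl if it is local, otherwise the callback becomes an open redirect.
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```

The two checks worth keeping even if you drop the allow-list are the provider check (so a Google login can never reach the admin branch) and the refusal when the Azure AD claims do not match the expected tenant; the rest of the application then authorises with the ordinary [Authorize(Roles = "Administrator")] attribute against the role claim set here.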
