Combining ADAL.Net and ADAL.js


Problem description


I have a legacy application that was written using web forms. In this project we started to convert some of the webforms to SPA, angular.js, and WebAPI. The SPA pages communicate directly with the WebAPI. The idea is that eventually, all of the webforms will be converted to the new technology.

For the SPA pages, I've implemented adal.js and for the webforms I'm using ADAL.net. Both are obviously using Azure Active Directory. However, they don't seem to be using the same bearer token, because Single Sign-on is not working. Moving from a webform page to a SPA page requires another login.

How do I get the Single Sign On to work correctly in the project?

My code is below:

public void ConfigureAuth( IAppBuilder app )
{
    // Disable the default inbound claim-type mapping so JWT claim names such as "unique_name" are kept as-is.
    JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>( );

    // Cookie middleware stores the signed-in identity between postbacks.
    app.SetDefaultSignInAsAuthenticationType( CookieAuthenticationDefaults.AuthenticationType );
    app.UseCookieAuthentication( new CookieAuthenticationOptions( ) );

    // OpenID Connect middleware handles the redirect-based sign-in against Azure AD.
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
            Authority = "https://login.microsoftonline.com/XXXXX.onmicrosoft.com",
            PostLogoutRedirectUri = "https://XXXX:4432/gbl/Home.aspx",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = context =>
                {
                    context.HandleResponse( );
                    context.Response.Redirect( "/Error?message=" + context.Exception.Message );
                    return Task.FromResult( 0 );
                },
                SecurityTokenValidated = async n =>
                {
                    // Rebuild the identity with application-specific role and profile claims.
                    var uniqueName = n.AuthenticationTicket.Identity.FindFirst( "unique_name" ).Value;
                    var userName = getUserNameFromUniqueName( uniqueName );

                    var claims = getRoleClaims( n.AuthenticationTicket.Identity ).ToList2( );
                    claims.Add( new Claim( "unique_name", uniqueName ) );
                    claims.Add( new Claim( ClaimTypes.Name, userName ) );
                    claims.Add( new Claim( ClaimTypes.UserData, "" ) );

                    var profileClaims = new ClaimsTransformer( ).GetTake2ProfileClaims( userName );
                    claims.AddRange( profileClaims );

                    // "given_name" is used as the name claim type and "roles" as the role claim type.
                    var newIdentity = new ClaimsIdentity( n.AuthenticationTicket.Identity.AuthenticationType, "given_name", "roles" );
                    newIdentity.AddClaims( claims );

                    n.AuthenticationTicket = new AuthenticationTicket( newIdentity, n.AuthenticationTicket.Properties );
                },
            }
        } );
}

Solution

ADAL JS and the OpenId Connect middleware aren't really designed to work together - the fact that your app is implemented in webforms or MVC doesn't really make a difference, the issue is that ADAL JS expects to interact with the backend calling Web API secured via OAuth2 bearer tokens, while OpenId Connect expects to secure full postbacks via cookies. For a backgrounder on the two different approaches, see http://www.cloudidentity.com/blog/2014/04/22/authentication-protocols-web-ux-and-web-api/. I think you'll have to decide whether you want to move to a SPA infrastructure, in which case you can use ADAL JS and the OAuth2 middleware but webforms will be a bit awkward (but still possible), or if you want to stick with a postback based design and use OpenId Connect.
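To make the answer's distinction concrete, the following OWIN startup is an added example (not code from the question, the answer, or Microsoft's samples) that runs the two pipelines side by side: requests under /api accept only OAuth2 bearer tokens issued by Azure AD, which is what ADAL JS attaches to its AJAX calls, while every other request (the web forms pages) goes through cookie-backed OpenID Connect sign-in as in the question. The tenant, client id, API App ID URI and redirect URI are placeholders; `Microsoft.Owin.Security.ActiveDirectory`, `Microsoft.Owin.Security.OpenIdConnect` and `Microsoft.Owin.Security.Cookies` are the Katana packages assumed to be installed.

```csharp
// Added example: one OWIN startup with separate bearer-token and cookie/OIDC branches.
// All identifiers below are placeholders, not values from the original question.
using System.IdentityModel.Tokens;                 // TokenValidationParameters (System.IdentityModel.Tokens.Jwt 4.x)
using Microsoft.Owin.Security.ActiveDirectory;    // WindowsAzureActiveDirectoryBearerAuthentication*
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholder values: substitute the tenant, the app registration's client id,
    // and the App ID URI that ADAL JS requests tokens for (its "resource").
    private const string Tenant = "TENANT.onmicrosoft.com";
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private const string ApiAudience = "https://TENANT.onmicrosoft.com/WebApi";

    public void ConfigureAuth(IAppBuilder app)
    {
        // Branch 1: the Web API lives under /api and is protected only by bearer tokens.
        // The cookie middleware is not registered in this branch, so a browser session
        // cookie by itself never authenticates an API call; the SPA must present the
        // access token it obtained through ADAL JS, and the token's audience must match
        // the API's App ID URI.
        app.Map("/api", api =>
        {
            api.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    Tenant = Tenant,
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidAudience = ApiAudience
                    }
                });
        });

        // Branch 2: everything else (the web forms pages) uses the redirect-based
        // OpenID Connect sign-in with a session cookie, as in the question.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = "https://login.microsoftonline.com/" + Tenant,
            PostLogoutRedirectUri = "https://localhost:4432/gbl/Home.aspx"
        });
    }
}
```

The two branches share the Azure AD tenant, so a user who has signed in to the pages through OpenID Connect already has an Azure AD session that ADAL JS can use to obtain its own token silently for the API; what they do not share is the credential itself, which is the point the answer makes. Keeping the bearer middleware inside the `/api` branch also means `[Authorize]` on the API cannot be satisfied by the page cookie alone, so the API does not inherit cookie-based cross-site request risks from the web forms side.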
