題記:在ASP.NET 5中雖然繼續(xù)可以沿用ASP.NET Identity來(lái)做驗(yàn)證授權(quán),不過(guò)也可以很容易集成支持標(biāo)準(zhǔn)協(xié)議的第三方服務(wù),比如Azure Active Directory。
其實(shí),在ASP.NET 5中集成AzureAD,利用其進(jìn)行驗(yàn)證和授權(quán),是非常簡(jiǎn)單的。因?yàn)椋菏紫華zure Active Directory提供了OAuth2.0、OpenId Connect 1.0、SAML和WS-Federation 1.2標(biāo)準(zhǔn)協(xié)議接口;其次微軟在ASP.NET 5中移植了集成OpenId Connect的OWIN中間件。所以,只要在ASP.NET 5項(xiàng)目中引用"Microsoft.AspNet.Authentication.OpenIdConnect"這個(gè)包,并正確配置AzureAD的連接信息,就可以很容易的進(jìn)行集成。
大致步驟如下:
1,在config.json文件中添加AzureAD的配置信息:
|
1
2
3
4
5
6
|
"AzureAd": { "ClientId": "[Enter the clientId of your application as obtained from portal, e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]", "Tenant": "[Enter the name of your tenant, e.g. contoso.onmicrosoft.com]", "AadInstance": "https://login.microsoftonline.com/{0}", // This is the public instance of Azure AD "PostLogoutRedirectUri": https://localhost:44322/} |
2,修改project.json,引入OpenIdConnect的中間件:
|
1
|
"Microsoft.AspNet.Authentication.OpenIdConnect": "1.0.0-*" |
3,在Startup中的ConfigureServices方法里面添加:
|
1
2
3
4
5
|
// OpenID Connect Authentication Requires Cookie Authservices.Configure<ExternalAuthenticationOptions>(options =>{ options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;}); |
4,在Startup中的Configure方法里面添加:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
// Configure the OWIN Pipeline to use Cookie Authenticationapp.UseCookieAuthentication(options => { // By default, all middleware are passive/not automatic. Making cookie middleware automatic so that it acts on all the messages. options.AutomaticAuthentication = true;});// Configure the OWIN Pipeline to use OpenId Connect Authenticationapp.UseOpenIdConnectAuthentication(options =>{ options.ClientId = Configuration.Get("AzureAd:ClientId"); options.Authority = String.Format(Configuration.Get("AzureAd:AadInstance"), Configuration.Get("AzureAd:Tenant")); options.PostLogoutRedirectUri = Configuration.Get("AzureAd:PostLogoutRedirectUri"); options.Notifications = new OpenIdConnectAuthenticationNotifications { AuthenticationFailed = OnAuthenticationFailed, };}); |
5,Startup的OnAuthenticationFailed方法為:
|
1
2
3
4
5
6
|
private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification){ notification.HandleResponse(); notification.Response.Redirect("/Home/Error?message=" + notification.Exception.Message); return Task.FromResult(0);} |
6,添加一個(gè)名為AccountController的Controller:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
public class AccountController : Controller{ // GET: /Account/Login [HttpGet] public IActionResult Login() { if (Context.User == null || !Context.User.Identity.IsAuthenticated) return new ChallengeResult(OpenIdConnectAuthenticationDefaults.AuthenticationScheme, new AuthenticationProperties { RedirectUri = "/" }); return RedirectToAction("Index", "Home"); } // GET: /Account/LogOff [HttpGet] public IActionResult LogOff() { if (Context.User.Identity.IsAuthenticated) { Context.Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationScheme); Context.Authentication.SignOut(OpenIdConnectAuthenticationDefaults.AuthenticationScheme); } return RedirectToAction("Index", "Home"); }} |
以上代碼也可以到我Fork的完整示例項(xiàng)目中找到:https://github.com/heavenwing/WebApp-OpenIdConnect-AspNet5
【更新:2015-07-16】
如果你遇到添加了 [Authorize] ,但是不能自動(dòng)轉(zhuǎn)到登錄頁(yè)面的情況,那么需要:
|
1
2
3
|
app.UseOpenIdConnectAuthentication(options => { options.AutomaticAuthentication = true;}); |
具體見(jiàn):https://github.com/aspnet/Security/issues/357#issuecomment-120834369
以上所述就是本文的全部?jī)?nèi)容了,希望大家能夠喜歡。
