Asp.net mvc 5 HttpContext.Request.IsAuthenticated is false in Ajax requests + OpenID Connect cookie-based authentication


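We are using OpenIdConnect-based authentication in our asp.net mvc application. The initial login works fine. But when we call an action method using an Ajax call, the user is considered unauthenticated. I checked in the custom authorize - HttpContext.Request.IsAuthenticated is false.

I checked the cookie ".AspNet.Cookies" and it has a value. Why is OpenID not authenticating the user?

Below is my authentication code: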

app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = AuthenticationConfig.ClientId,
                Authority = AuthenticationConfig.AADInstance + AuthenticationConfig.TenantId,
                PostLogoutRedirectUri = AuthenticationConfig.PostLogoutRedirectURI,
                RedirectUri = AuthenticationConfig.RedirectUri,
                Scope = OpenIdConnectScope.OpenIdProfile,
                ResponseType = OpenIdConnectResponseType.Code,
                SaveTokens = true,

                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(AuthenticationConfig.ClientSecret)),
                    ValidateIssuer = true,
                    ValidIssuer = AuthenticationConfig.AADInstance + AuthenticationConfig.TenantId + "/v2.0",
                },

                SignInAsAuthenticationType = "Cookies",

                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    // when an auth code is received...
                    AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                    AuthenticationFailed = OnAuthenticationFailed,
                    SecurityTokenValidated = async n =>
                    {
                        var nid = new ClaimsIdentity(n.AuthenticationTicket.Identity);

                        //var claimsIdentity = filterContext.HttpContext.User.Identity as ClaimsIdentity;
                        var user = nid.Claims.Where(r => r.Type == PreferedUserNameClaimType).Select(v => v.Value).FirstOrDefault();

                        var userRolesroles = GetRolesForUser(user);

                        //nid.AddClaim(new Claim("expires_at", DateTimeOffset.Now.AddSeconds(int.Parse(n.ProtocolMessage.ExpiresIn)).ToString()));

                        userRolesroles.ToList().ForEach(ui => nid.AddClaim(new Claim(ClaimTypes.Role, ui)));

                        // keep the id_token for logout
                        nid.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));

                        // add access token for sample API
                        nid.AddClaim(new Claim("access_token", n.ProtocolMessage.AccessToken));

                        n.AuthenticationTicket = new AuthenticationTicket(
                            nid,
                            n.AuthenticationTicket.Properties);

                        UserService.SetUserInformation(user);

                    },
                    RedirectToIdentityProvider = ctx =>
                    {
                        bool isAjaxRequest = (ctx.Request.Headers != null && ctx.Request.Headers["X-Requested-With"] == "XMLHttpRequest");

                        if (ctx.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                        {
                            if (isAjaxRequest && ctx.Response.StatusCode == (int)HttpStatusCode.Unauthorized)
                            {
                                ctx.Response.Headers.Remove("Set-Cookie");
                                ctx.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
                                ctx.HandleResponse();
                                return Task.FromResult(0);
                            }
                        }
                        return Task.FromResult(0);

                    }
                }

            });


    }

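Usually in asp.net, APIControllers have no concept of the Controllers' authentication. Depending on how you build it, you will need to add an Authorization header with the bearer access token to let the API know who the authenticated user is.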

It is not an APIController, it is an MVC controller. Do I still need to implement bearer token authentication?
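
The client side of the Ajax call that the RedirectToIdentityProvider handler in the question reacts to, as an added example that is not part of the original question, answer or comment. The names buildAjaxRequest, ajaxCall, fakeFetch and the URL passed in are assumptions, and fakeFetch is a constructed stand-in for the MVC application so the logic runs without a browser or network.

```javascript
// Added example, not from the original post. buildAjaxRequest, ajaxCall and
// fakeFetch are hypothetical names; fakeFetch is a constructed stand-in server.

function buildAjaxRequest(accessToken) {
  const headers = {
    // The page's RedirectToIdentityProvider handler treats a call as Ajax only
    // when this header is present; fetch() does not add it on its own.
    'X-Requested-With': 'XMLHttpRequest',
    'Accept': 'application/json',
  };
  // The answer's suggestion: an Authorization header with a bearer token.
  if (accessToken) headers['Authorization'] = 'Bearer ' + accessToken;
  return {
    method: 'GET',
    headers,
    credentials: 'same-origin', // send the ".AspNet.Cookies" cookie
    redirect: 'manual',         // never follow a 302 to the identity provider
  };
}

async function ajaxCall(url, { accessToken, fetchImpl = fetch } = {}) {
  const res = await fetchImpl(url, buildAjaxRequest(accessToken));
  // 401 comes from the Ajax branch of the handler; an opaque redirect means
  // the server tried to start an interactive sign-in instead.
  if (res.status === 401 || res.type === 'opaqueredirect') {
    return { authenticated: false, data: null };
  }
  if (!res.ok) throw new Error('Request failed with status ' + res.status);
  return { authenticated: true, data: await res.json() };
}

// Constructed server behaviour: 200 with a session, 401 for unauthenticated
// Ajax calls, redirect for unauthenticated non-Ajax calls.
function fakeFetch(hasSessionCookie) {
  return async (url, opts) => {
    const cookieSent = hasSessionCookie && opts.credentials !== 'omit';
    if (cookieSent) {
      return { status: 200, ok: true, type: 'basic', json: async () => ({ items: [1, 2] }) };
    }
    return opts.headers['X-Requested-With'] === 'XMLHttpRequest'
      ? { status: 401, ok: false, type: 'basic' }
      : { status: 0, ok: false, type: 'opaqueredirect' };
  };
}
```

A caller that gets `authenticated: false` back can send the browser through a full-page sign-in, since an Ajax call cannot complete the redirect to the identity provider itself.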