C# 使用Azure SSO实现而不使用标识时,用户被重定向到登录页面太早
我有一个ASP.NET MVC Core 2.2应用程序,它实现了Azure SSO身份验证。Azure SSO是使用快速入门教程为Azure门户中可访问的已注册应用程序设置的。此外,我还通过从数据库手动查询角色列表并在用户登录过程中将声明添加到C# 使用Azure SSO实现而不使用标识时,用户被重定向到登录页面太早,c#,asp.net-mvc,azure,asp.net-core,authentication,C#,Asp.net Mvc,Azure,Asp.net Core,Authentication,我有一个ASP.NET MVC Core 2.2应用程序,它实现了Azure SSO身份验证。Azure SSO是使用快速入门教程为Azure门户中可访问的已注册应用程序设置的。此外,我还通过从数据库手动查询角色列表并在用户登录过程中将声明添加到Principal.Identity来实现授权。我还需要一个自定义的Authorize属性,因为我很难在AJAX调用的控制器操作上使用它 我的团队遇到的一个问题是提前重定向到登录页面。当HttpContext.User.Identity.IsAuthen
Principal.IdentityAuthorizeHttpContext.User.Identity.IsAuthenticatedCustomAuthorizeHttpContext.User.Identity.IsAuthenticatedfalsesecurityStampAddIdentity()securityStamp// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection Services)
{
//https://weblog.west-wind.com/posts/2017/dec/12/easy-configuration-binding-in-aspnet-core-revisited
IAppSettings config = new AppSettings();
Configuration.Bind("AppSettings", config);
Services.AddMvc();
Services.AddSingleton(config);
Services.AddScoped<IUserAccess, UserAccess>();
//..more services..
Services.Configure<CookiePolicyOptions>(options =>
{
// This lambda determines whether user consent for non-essential cookies is needed for a given request.
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
});
Services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
.AddAzureAD(options =>
{
options.Instance = config.AzureAD.Instance;
options.Domain = config.AzureAD.Domain;
options.TenantId = config.AzureAD.TenantId;
options.ClientId = config.AzureAD.ClientId;
options.CallbackPath = config.AzureAD.CallbackPath;
});
Services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
options.UseTokenLifetime = false;
options.Authority = options.Authority + "/v2.0/"; //Microsoft identity platform
options.TokenValidationParameters.ValidateIssuer = true;
options.TokenValidationParameters.ValidIssuers = config.AzureAD.Organizations;
//Code below is to add claims during login (we add roles from db): https://stackoverflow.com/questions/51965665/adding-custom-claims-to-claimsprincipal-when-using-addazureadb2c-in-mvc-core-app
//some discussion about this here: https://stackoverflow.com/questions/59564952/net-core-add-claim-after-azuerad-authentication
//and here: https://stackoverflow.com/questions/52727146/net-core-2-openid-connect-authentication-and-multiple-identities
options.Events.OnTicketReceived = context =>
{
string ObjectID = context.Principal.FindFirst(CustomClaimTypes.ObjectIdentifier).Value;
//I get an instance of UserAccess service so I can get user ID, termination status, roles.
IUserAccess userAccess = context.HttpContext.RequestServices.GetService<IUserAccess>();
int userID = userAccess.GetUserIDByObjectID(ObjectID, config.ConnectionString);
//if UserID is 0 (wasn't found in Users table), then that means user is not activated or not in Users table. So
//we don't try to get their roles because we can't.
ClaimsIdentity claimsIdentity = (ClaimsIdentity)context.Principal.Identity;
if (userID == 0)
{
//this claim is checked in CustomAuthorize authorize filter
claimsIdentity.AddClaim(new Claim(CustomClaimTypes.UserNotFound, true.ToString()));
return Task.CompletedTask;
}
claimsIdentity.AddClaim(new Claim(CustomClaimTypes.UserID, userID.ToString()));
bool terminated = userAccess.IsUserTerminatedByUserID(userID, config.ConnectionString);
if (terminated == false)
{
List<string> roles = userAccess.GetUserRoleNamesByUserID(userID, config.ConnectionString);
foreach (var role in roles)
{
claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, role));
}
}
//In the region below, we sign in user manually instead of allowing the RemoteAuthenticationHandler
//complete the sign in. We do this because the 'OnTicketReceived' event runs right before the user
//is signed into the application and we want to make sure that there is no error when we sign
//in the user before we log a message that they have signed in.
//Explanation of what's happening here: https://www.jerriepelser.com/blog/managing-session-lifetime-aspnet-core-oauth-providers/
#region User sign-in code
// Sign the user in ourselves
context.HttpContext.SignInAsync(context.Options.SignInScheme, context.Principal, context.Properties);
// Indicate that we handled the sign in
context.HandleResponse();
// Default redirect path is the base path
if (string.IsNullOrEmpty(context.ReturnUri))
{
context.ReturnUri = "/";
}
context.Response.Redirect(context.ReturnUri);
#endregion User sign-in code
_logger.LogTrace("User {ObjectID} logged in", context.Principal.Identity.Name);
return Task.CompletedTask;
};
});
Services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
{
options.AccessDeniedPath = "/UserAccess/NotAuthorized";
options.LogoutPath = "/UserAccess/SignOut";
options.ExpireTimeSpan = TimeSpan.FromMinutes(120);
options.SlidingExpiration = true;
});
}
public class CustomAuthorize : AuthorizeAttribute, IAuthorizationFilter
{
public void OnAuthorization(AuthorizationFilterContext context)
{
string signInUrl = "/UserAccess/Index";
if (context.HttpContext.User.Identity.IsAuthenticated)
{
if (context.HttpContext.User.HasClaim(CustomClaimTypes.UserNotFound, true.ToString()))
{
context.Result = new RedirectResult("/UserAccess/NotAuthorized");
}
}
else
{
if (context.HttpContext.Request.IsAjaxRequest())
{
context.HttpContext.Response.StatusCode = 401;
JsonResult jsonResult = new JsonResult(new { redirectUrl = signInUrl });
context.Result = jsonResult;
}
else
{
context.Result = new RedirectResult(signInUrl);
}
}
}
}