更新时间:2023-02-24 22:54:41
我设法通过做来实现这个如下:
I managed to implement this by doing the following:
第一,加入到 Microsoft.Owin.Security.OpenIdConnect
的NuGet包的参考。
First, adding a reference to the Microsoft.Owin.Security.OpenIdConnect
Nuget package.
二,在配置它在我的 Startup.Auth.cs
:
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = "From the Azure Portal (see below)",
Authority = "https://login.windows.net/<domain>.onmicrosoft.com",
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = (ctx) =>
{
if (ctx.Request.Path.Value.EndsWith("ExternalLogin"))
{
string appBasePathUrl = ctx.Request.Scheme + "://" + ctx.Request.Host + ctx.Request.PathBase;
ctx.ProtocolMessage.RedirectUri = appBasePathUrl + "/";
ctx.ProtocolMessage.PostLogoutRedirectUri = appBasePathUrl;
}
else
{
ctx.State = NotificationResultState.Skipped;
ctx.HandleResponse();
}
return Task.FromResult(0);
}
},
Description = new AuthenticationDescription
{
AuthenticationType = "OpenIdConnect",
Caption = "SomeNameHere"
}
});
第三,我设置了Azure的门户网站(经典)申请:
Third, I setup the application in the Azure Portal (classic):
第四,我增加了一个单独的登录页面管理员用户:
Fourth, I added a separate logon page for admin users:
@using (Html.BeginForm("ExternalLogin", "Home"))
{
@Html.AntiForgeryToken()
<div class="ui basic segment">
<div class="ui list">
<div class="item">
<button type="submit" name="provider" value="OpenIdConnect" class="left floated huge ui button social">
<i class="windows icon"></i>
<span>My Org Name</span>
</button>
</div>
</div>
</div>
}
第五的 ExternalLogin
操作并不需要改变 - 我们只是让OWIN中间件重定向我们到外部登录页面。然后,流程将引导用户回到 ExternalLoginCallback
操作。
Fifth, the ExternalLogin
action doesn't need to change - we just let OWIN middleware redirect us to the external login page. The flow would then direct the user back to the ExternalLoginCallback
action.
最后在 ExternalLoginCallback
行动,我检查传入索赔,以确定登录是通过Azure的AD,而不是调用成ASP.NET身份,我构造出我的应用程序识别为一个管理员用户自己的 ClaimsIdentity
,里面有我所有的(专用)索赔信息。
Finally, in the ExternalLoginCallback
action, I check the incoming claims to determine that the login was via Azure AD, and instead of calling into ASP.NET Identity, I construct my own ClaimsIdentity
, which has all my (application specific) claim information which my application recognises as an admin user.
现在,管理员用户导航到 https://example.com/admin
,点击登录按钮,会被重定向到Azure的AD登录和饱和回到了应用程序作为管理员用户。
Now, admin users navigate to https://example.com/admin
, click the login button, are redirected to the Azure AD login, and windup back at the application as an admin user.