Supporting both Individual User Accounts and Organizational Accounts in MVC5/ASP.Net Identity 2

Updated: 2022-03-21 23:13:05

I managed to implement this by doing the following:

First, adding a reference to the Microsoft.Owin.Security.OpenIdConnect Nuget package.

Second, configuring it in my Startup.Auth.cs:

// Startup.Auth.cs (MVC5 template). Usings the snippet needs:
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // The template's application cookie and external sign-in cookie
        // registrations stay above this; they are unchanged.

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "From the Azure Portal (see below)",
            // Azure AD tenant that issues the id_token.
            Authority = "https://login.windows.net/<domain>.onmicrosoft.com",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Called whenever some code challenges the OpenIdConnect middleware.
                RedirectToIdentityProvider = (ctx) =>
                {
                    if (ctx.Request.Path.Value.EndsWith("ExternalLogin"))
                    {
                        // Only the ExternalLogin action may send the user to Azure AD;
                        // reply_url is the application root, which must match the portal.
                        string appBasePathUrl = ctx.Request.Scheme + "://" + ctx.Request.Host + ctx.Request.PathBase;
                        ctx.ProtocolMessage.RedirectUri = appBasePathUrl + "/";
                        ctx.ProtocolMessage.PostLogoutRedirectUri = appBasePathUrl;
                    }
                    else
                    {
                        // Any other challenge (e.g. an anonymous user hitting an [Authorize]
                        // action) is swallowed so ordinary users are never bounced to Azure AD.
                        // HandleResponse() marks the notification as handled, so the
                        // middleware writes no redirect.
                        ctx.State = NotificationResultState.Skipped;
                        ctx.HandleResponse();
                    }

                    return Task.FromResult(0);
                }
            },
            Description = new AuthenticationDescription
            {
                // LoginProvider value seen later in ExternalLoginCallback.
                AuthenticationType = "OpenIdConnect",
                Caption = "SomeNameHere"
            }
        });
    }
}

Third, I set up the application in the Azure Portal (classic):

Fourth, I added a separate logon page for admin users:

@* Admin logon view: posts provider=OpenIdConnect to HomeController.ExternalLogin *@
@using (Html.BeginForm("ExternalLogin", "Home"))
{
    @Html.AntiForgeryToken()
    <div class="ui basic segment">
        <div class="ui list">
            <div class="item">
                <button type="submit" name="provider" value="OpenIdConnect" class="left floated huge ui button social">
                    <i class="windows icon"></i>
                    <span>My Org Name</span>
                </button>
            </div>
        </div>
    </div>
}

Fifth, the ExternalLogin action doesn't need to change - we just let OWIN middleware redirect us to the external login page. The flow would then direct the user back to the ExternalLoginCallback action.

Finally, in the ExternalLoginCallback action, I check the incoming claims to determine that the login was via Azure AD, and instead of calling into ASP.NET Identity, I construct my own ClaimsIdentity, which has all my (application specific) claim information which my application recognises as an admin user.

Now, admin users navigate to https://example.com/admin, click the login button, are redirected to the Azure AD login, and wind up back at the application as an admin user.
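As an added illustration of the last step (example code, not the answer's own), here is one way to write the ExternalLoginCallback action it describes: accept the external cookie only when it came from the OpenIdConnect provider registered above and from the expected Azure AD tenant, then issue an application cookie that carries an app-specific admin role claim. The tenant id, the "Admin" role value, the AccessDenied view and the Admin/Index redirect target are assumptions for illustration; the tenant-id and object-id claim types are the ones Azure AD emits in its id_token.

```csharp
// Added example (not the answer's own code): ExternalLoginCallback that builds its
// own ClaimsIdentity for Azure AD logins instead of calling into ASP.NET Identity.
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

public class HomeController : Controller
{
    // Assumed: the directory (tenant) id of the organisation, copied from the Azure portal.
    private const string ExpectedTenantId = "00000000-0000-0000-0000-000000000000";

    // Claim types Azure AD uses in the id_token for the tenant id and the user's object id.
    private const string TenantIdClaimType = "http://schemas.microsoft.com/identity/claims/tenantid";
    private const string ObjectIdClaimType = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    [AllowAnonymous]
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        // The OpenIdConnect middleware signed the user into the external cookie.
        var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
        if (loginInfo == null)
        {
            return RedirectToAction("Login");
        }

        var externalIdentity = loginInfo.ExternalIdentity;

        // 1. Only identities from the provider registered as "OpenIdConnect" in Startup.Auth.cs.
        bool fromAzureAd = loginInfo.Login.LoginProvider == "OpenIdConnect";

        // 2. Only from our own tenant. A single-tenant registration enforces this already,
        //    but checking the claim keeps the app correct if the registration is later
        //    switched to multi-tenant.
        string tenantId = externalIdentity.FindFirstValue(TenantIdClaimType);
        bool fromExpectedTenant = tenantId == ExpectedTenantId;

        if (!fromAzureAd || !fromExpectedTenant)
        {
            AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
            return View("AccessDenied"); // assumed view name
        }

        // Build the application identity from the Azure AD claims we care about.
        var appIdentity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);
        string subject = externalIdentity.FindFirstValue(ObjectIdClaimType) ?? loginInfo.Login.ProviderKey;
        appIdentity.AddClaim(new Claim(ClaimTypes.NameIdentifier, subject));
        appIdentity.AddClaim(new Claim(ClaimTypes.Name, externalIdentity.Name ?? loginInfo.DefaultUserName));
        appIdentity.AddClaim(new Claim(ClaimTypes.Role, "Admin")); // assumed role name

        // Drop the external cookie and issue the application cookie.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
        AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = false }, appIdentity);

        return RedirectToLocal(returnUrl);
    }

    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Admin"); // assumed admin landing page
    }
}
```

Under this scheme every directory user who can sign in to the app registration becomes an admin, so either restrict which users may sign in to the application in the portal or add a check on a group or role claim before adding the Admin role claim.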