我对使用新的 ASP.Net OpenID Connect 框架同时在身份验证管道中添加新声明有疑问,如下面的代码所示。我不确定幕后到底发生了多少“魔法”。我认为我的大部分问题都围绕着对 OWIN 身份验证中间件而不是 OpenID Connect 了解太多。
Q1.我应该手动设置吗HttpContext.Current.User
and Thread.CurrentPrincipal
from OwinContext.Authentication.User
?
Q2。我希望能够像以前一样向声明添加对象类型System.IdentityModel.Claims.Claim
。新的System.Security.Claims.Claim
类只接受字符串值?
Q3。我需要使用新的吗SessionSecurityToken
我的包装纸ClaimsPrincipal
in System.Security.Claims.CurrentPrincipal
用于序列化到 cookie - 我正在使用app.UseCookieAuthentication(new CookieAuthenticationOptions());
但现在可以确定,这对于维持我在期间添加的任何其他声明而言到底有何作用?SecurityTokenValidated
event?
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications()
{
SecurityTokenValidated = (context) =>
{
// retriever caller data from the incoming principal
var UPN = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value;
var db = new SOSBIADPEntities();
var user = db.DomainUser.FirstOrDefault(b => (b.EntityName == UPN));
if (user == null)
{
// the caller was not a registered user - throw to block the authentication flow
throw new SecurityTokenValidationException();
}
var applicationUserIdentity = new ClaimsIdentity();
applicationUserIdentity.AddClaim(new Claim(ClaimTypes.Name, UPN, ""));
applicationUserIdentity.AddClaim(new Claim(ClaimTypes.Sid, user.ID.ToString(CultureInfo.InvariantCulture)));
var applications =
db.ApplicationUser
.Where(x => x.ApplicationChild != null && x.DomainUser.ID == user.ID)
.Select(x => x.ApplicationChild).OrderBy(x => x.SortOrder);
applications.ForEach(x =>
applicationUserIdentity.AddClaim(new Claim(ClaimTypes.System, x.ID.ToString(CultureInfo.InvariantCulture))));
context.OwinContext.Authentication.User.AddIdentity(applicationUserIdentity);
var hasOutlook = context.OwinContext.Authentication.User.HasClaim(ClaimTypes.System, "1");
hasOutlook = hasOutlook;
HttpContext.Current.User = context.OwinContext.Authentication.User;
Thread.CurrentPrincipal = context.OwinContext.Authentication.User;
var usr = HttpContext.Current.User;
var c = System.Security.Claims.ClaimsPrincipal.Current.Claims.Count();
return Task.FromResult(0);
},
}
}
);
}