Implementing OpenIdConnectOptions events when using the Authentication.AzureAD.UI library

Date: 2023-02-18

Problem description

I have been using a library I created from samples allowing me to authenticate a .NET Core web app with Azure Active Directory and to take advantage of the various OpenIdConnectOptions events (e.g. OnTokenValidated) to add certain claims to the principal as well as add that data to an identity-like database so that APIs can make policy-based determinations of the caller based on their token.

But I would just rather use the Microsoft.AspNetCore.Authentication.AzureAD.UI NuGet package than my customized variation; I am just not sure how to reach in and access the event on the OpenIdConnectOptions.

I don't know if it's not something that can be done, or I just haven't got enough of a handle on dependency injection to figure out how to do that.

Or should I consider adding claims, etc. in a different part of the process?

public static AuthenticationBuilder AddAzureAD(
    this AuthenticationBuilder builder,
    string scheme,
    string openIdConnectScheme,
    string cookieScheme,
    string displayName,
    Action<AzureADOptions> configureOptions) {

    AddAdditionalMvcApplicationParts(builder.Services);
    builder.AddPolicyScheme(scheme, displayName, o => {
        o.ForwardDefault = cookieScheme;
        o.ForwardChallenge = openIdConnectScheme;
    });

    builder.Services.Configure(
        TryAddOpenIDCookieSchemeMappings(scheme, openIdConnectScheme, cookieScheme));

    builder.Services.TryAddSingleton<IConfigureOptions<AzureADOptions>, AzureADOptionsConfiguration>();

    // They put in their custom OpenIdConnect configuration, but I can't see how to get at the events.
    builder.Services.TryAddSingleton<IConfigureOptions<OpenIdConnectOptions>, OpenIdConnectOptionsConfiguration>();

    builder.Services.TryAddSingleton<IConfigureOptions<CookieAuthenticationOptions>, CookieOptionsConfiguration>();

    builder.Services.Configure(scheme, configureOptions);

    builder.AddOpenIdConnect(openIdConnectScheme, null, o => { });
    builder.AddCookie(cookieScheme, null, o => { });

    return builder;
}

Recommended answer

I might be a little late to the party here, but I've come across the same issue and found that the AzureAD authentication middleware is very sparsely documented. Adding the solution here for others struggling with the same question.

As you can see at the bottom of the code snippet in the question, the AzureAD provider actually relies on the OpenIdConnect and Cookie auth providers under the hood, and does not implement any authentication logic itself.

To accomplish this, two additional authentication schemes are added, using the names defined as AzureADDefaults.OpenIdScheme and AzureADDefaults.CookieScheme, respectively.

(Unless using the AddAzureAD(this Microsoft.AspNetCore.Authentication.AuthenticationBuilder builder, string scheme, string openIdConnectScheme, string cookieScheme, string displayName, Action<AzureADOptions> configureOptions) overload.)

That, in turn, allows configuring the effective OpenIdConnectOptions and CookieAuthenticationOptions by using the scheme names from above, including access to OpenIdConnectEvents.

See this complete example:

services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(options => Configuration.Bind("AzureAd", options));

services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
    options.Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = async ctxt =>
        {
            // Invoked before redirecting to the identity provider to authenticate. This can be used to set ProtocolMessage.State
            // that will be persisted through the authentication process. The ProtocolMessage can also be used to add or customize
            // parameters sent to the identity provider.
            await Task.Yield();
        },
        OnMessageReceived = async ctxt =>
        {
            // Invoked when a protocol message is first received.
            await Task.Yield();
        },
        OnTicketReceived = async ctxt =>
        {
            // Invoked after the remote ticket has been received.
            // Can be used to modify the Principal before it is passed to the Cookie scheme for sign-in.
            // This example removes all 'groups' claims from the Principal (assuming the AAD app has been configured
            // with "groupMembershipClaims": "SecurityGroup"). Group memberships can be checked here and turned into
            // roles, to be persisted in the cookie.
            if (ctxt.Principal.Identity is ClaimsIdentity identity)
            {
                ctxt.Principal.FindAll(x => x.Type == "groups")
                    .ToList()
                    .ForEach(identity.RemoveClaim);
            }
            await Task.Yield();
        },
    };
});

services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
{
    options.Events = new CookieAuthenticationEvents
    {
        // ...
    };
});
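As an added example (not code from the question, the answer or the AzureAD.UI package), the same scheme-named Configure call can wire OnTokenValidated, which is the event the question wanted for adding claims: it maps constructed, placeholder group object ids to role claims, with the hypothetical GroupToRole table standing in for the database the question mentions. It assumes the package's default OpenIdConnectOptions.Events object is still in place, and sets a single handler on it rather than replacing the whole object, which the answer's `options.Events = new OpenIdConnectEvents {...}` form would do.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
public static class AzureAdRoleMapping
{
    // Hypothetical mapping from AAD group object id to application role (constructed ids).
    private static readonly Dictionary<string, string> GroupToRole = new Dictionary<string, string>
    {
        ["00000000-0000-0000-0000-000000000001"] = "Admin",
        ["00000000-0000-0000-0000-000000000002"] = "Reader",
    };
    // Call from Startup.ConfigureServices after AddAuthentication(...).AddAzureAD(...).
    public static IServiceCollection AddAzureAdRoleMapping(this IServiceCollection services)
    {
        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
        {
            // Assign the single handler instead of a new OpenIdConnectEvents object so
            // that handlers registered elsewhere for this scheme are not discarded.
            options.Events.OnTokenValidated = ctx =>
            {
                // Runs only after the id_token signature, issuer, audience and lifetime
                // have been validated, so the incoming claims can be trusted.
                if (ctx.Principal.Identity is ClaimsIdentity identity)
                {
                    // Materialise first: ClaimsIdentity must not be modified while FindAll enumerates it.
                    var groups = identity.FindAll("groups").ToList();
                    var roles = groups.Select(c => c.Value)
                        .Where(GroupToRole.ContainsKey)
                        .Select(id => GroupToRole[id])
                        .Distinct();
                    foreach (var role in roles)
                        identity.AddClaim(new Claim(identity.RoleClaimType, role));
                    // Drop the raw group ids once mapped to keep the sign-in cookie small.
                    foreach (var g in groups)
                        identity.RemoveClaim(g);
                }
                // Above AAD's group limit the token carries no 'groups' claim at all
                // (groups overage), so such a user ends up with no roles here.
                return Task.CompletedTask;
            };
        });
        return services;
    }
}
```

The role claims added here are carried into the cookie scheme's sign-in, so [Authorize(Roles = "Admin")] on later requests is decided from the cookie without re-reading the token.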
