c# - 如何从 ASP.Net OpenID Connect OWIN 组件中设置声明？

Question

在身份验证管道期间添加新声明时，我对使用新的 ASP.Net OpenID Connect 框架有疑问，如下面的代码所示。我不确定幕后到底发生了多少“魔法”。我认为我的大部分问题都围绕着对 OWIN 身份验证中间件了解不多，而不是 OpenID Connect。

Q1。我应该手动设置HttpContext.Current.User和Thread.CurrentPrincipalfromOwinContext.Authentication.User吗？

Q2。我希望能够像以前那样将对象类型添加到声明中System.IdentityModel.Claims.Claim。新System.Security.Claims.Claim类只接受字符串值？

Q3。我是否需要为我的 in使用新的SessionSecurityToken包装器来序列化为 cookie - 我正在使用但现在确定在维护我在事件期间添加的任何其他声明方面究竟做了什么？ClaimsPrincipalSystem.Security.Claims.CurrentPrincipalapp.UseCookieAuthentication(new CookieAuthenticationOptions());SecurityTokenValidated

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                PostLogoutRedirectUri = postLogoutRedirectUri,

                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    SecurityTokenValidated = (context) =>
                    {
                        // retriever caller data from the incoming principal
                        var UPN = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value;
                        var db = new SOSBIADPEntities();

                        var user = db.DomainUser.FirstOrDefault(b => (b.EntityName == UPN));

                        if (user == null)
                        {
                            // the caller was not a registered user - throw to block the authentication flow
                            throw new SecurityTokenValidationException();
                        }

                        var applicationUserIdentity = new ClaimsIdentity();
                        applicationUserIdentity.AddClaim(new Claim(ClaimTypes.Name, UPN, ""));
                        applicationUserIdentity.AddClaim(new Claim(ClaimTypes.Sid, user.ID.ToString(CultureInfo.InvariantCulture)));


                        var applications =
                            db.ApplicationUser
                            .Where(x => x.ApplicationChild != null && x.DomainUser.ID == user.ID)
                            .Select(x => x.ApplicationChild).OrderBy(x => x.SortOrder);

                        applications.ForEach(x =>
                            applicationUserIdentity.AddClaim(new Claim(ClaimTypes.System, x.ID.ToString(CultureInfo.InvariantCulture))));

                        context.OwinContext.Authentication.User.AddIdentity(applicationUserIdentity);

                        var hasOutlook = context.OwinContext.Authentication.User.HasClaim(ClaimTypes.System, "1");

                        hasOutlook = hasOutlook;

                        HttpContext.Current.User = context.OwinContext.Authentication.User;
                        Thread.CurrentPrincipal = context.OwinContext.Authentication.User;

                        var usr = HttpContext.Current.User;

                        var c =  System.Security.Claims.ClaimsPrincipal.Current.Claims.Count();


                        return Task.FromResult(0);
                    },
                }
            }
        );
    }

score 18 · Accepted Answer

是否有特定原因要添加新的ClaimsIdentity?

完成您的目标的最简单方法是检索ClaimsIdentity通过验证传入令牌生成的令牌，ClaimsIdentity claimsId = context.AuthenticationTicket.Identity;一旦您拥有它，只需向其添加声明即可。其余的中间件将负责在会话 cookie 中序列化它以及其他所有内容，将结果放在 currentClaimsPrincipal中，以及您似乎正在尝试手动执行的所有其他事情。
HTH
V。

score 0 · Accepted Answer

执行令牌验证时，您可以使用新身份登录：

private Task OnSecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
{
    var claimIdentity = new ClaimsIdentity(n.AuthenticationTicket.Identity);
    // Custom code...
    claimIdentity.Claims.Append(new Claim("TEST","1234"));
    n.OwinContext.Authentication.SignIn(claimIdentity);
    return Task.FromResult(0);
}

另一种选择直接进行分配，不适合我：

private Task OnSecurityTokenValidated(SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
{
    var claimsPrincipal = new ClaimsPrincipal(n.AuthenticationTicket.Identity);
    // Custom code...
    // TEST:
    n.OwinContext.Response.Context.Authentication.User = claimsPrincipal;
    n.OwinContext.Request.User = claimsPrincipal;
    n.OwinContext.Authentication.User = claimsPrincipal;
    return Task.FromResult(0);
}

c# - 如何从 ASP.Net OpenID Connect OWIN 组件中设置声明？

2 回答 2

Related

Reference