Sma*_*EGA 3 .net c# authentication azure-active-directory openid-connect
我正在Dotnet核心Web应用程序中使用Azure AD登录,应该会触发OnAuthorizationCodeReceived事件,但未触发。
您能对此提供一些说明吗?
public void Configure(string name, OpenIdConnectOptions options)
{
JsonFileConfigurationService config = new JsonFileConfigurationService();
options.ClientId = config.AzureAdClientId;
options.Authority = $"{config.AzureAdInstance}{config.AzureAdTenantId}";
options.UseTokenLifetime = true;
options.CallbackPath = config.AzureAdCallbackPath;
options.RequireHttpsMetadata = false;
var allScopes = $"{_azureOptions.Scopes} {_azureOptions.GraphScopes}".Split(new[] { ' ' });
foreach (var scope in allScopes) { options.Scope.Add(scope); }
options.TokenValidationParameters = new TokenValidationParameters
{
// Instead of using the default validation (validating against a single issuer value, as we do in line of business apps),
// we inject our own multitenant validation logic
ValidateIssuer = false,
// If the app is meant to be accessed by entire organizations, add your issuer validation logic here.
//IssuerValidator = (issuer, securityToken, validationParameters) => {
// if (myIssuerValidationLogic(issuer)) return issuer;
//}
};
options.Events = new OpenIdConnectEvents
{
OnTicketReceived = context =>
{
// If your authentication logic is based on users then add your logic here
return Task.CompletedTask;
},
OnAuthenticationFailed = context =>
{
context.Response.Redirect("/Home/Error");
context.HandleResponse(); // Suppress the exception
return Task.CompletedTask;
},
OnAuthorizationCodeReceived = async (context) =>
{
var code = context.ProtocolMessage.Code;
var identifier = context.Principal.FindFirst(config.AzureAdObjectIdentifierType).Value;
var memoryCache = context.HttpContext.RequestServices.GetRequiredService<IMemoryCache>();
var graphScopes = _azureOptions.GraphScopes.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
var cca = new ConfidentialClientApplication(
_azureOptions.ClientId,
_azureOptions.BaseUrl + _azureOptions.CallbackPath,
new ClientCredential(_azureOptions.ClientSecret),
new SessionTokenCache(identifier, memoryCache).GetCacheInstance(),
null);
var result = await cca.AcquireTokenByAuthorizationCodeAsync(code, graphScopes);
// Check whether the login is from the MSA tenant.
// The sample uses this attribute to disable UI buttons for unsupported operations when the user is logged in with an MSA account.
var currentTenantId = context.Principal.FindFirst(config.AzureAdTenantId).Value;
if (currentTenantId == "9188040d-6c67-4c5b-b112-36a304b66dad")
{
// MSA (Microsoft Account) is used to log in
}
context.HandleCodeRedemption(result.AccessToken, result.IdToken);
},
// If your application needs to do authenticate single users, add your user validation below.
//OnTokenValidated = context =>
//{
// return myUserValidationLogic(context.Ticket.Principal);
//}
};
}
小智 5
您应该使用混合模式,并将响应类型设置为“代码id_token”,默认情况下为“ id_token”:
options.ResponseType = OpenIdConnectResponseType.CodeIdToken
我也遇到过类似的问题,事件似乎没有被调用。不幸的是没有看到更多代码。我认为您提供的方法位于实现IConfigureNamedOptions<OpenIdConnectOptions>.
我猜您还通过断点或日志记录证明了该方法确实被调用。
另一件要尝试的事情是停止OpenIdConnectEvents向options.Events(ie options.Events = new OpenIdConnectEvents) 分配新实例。的构造函数OpenIdConnectOptions为该属性分配一个值Events,因此通过为该属性重新分配一个新实例,您可以丢弃其他配置代码可能添加的任何事件挂钩。我在网上找到的很多示例代码确实像您一样分配了一个新实例,但它似乎可能会给我带来问题。或者将您的事件代码添加到现有实例,例如
options.Events.OnAuthorizationCodeReceived = async (context) =>
{
var code = context.ProtocolMessage.Code;
var identifier = context.Principal.FindFirst(config.AzureAdObjectIdentifierType).Value;
var memoryCache = context.HttpContext.RequestServices.GetRequiredService<IMemoryCache>();
var graphScopes = _azureOptions.GraphScopes.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
var cca = new ConfidentialClientApplication(
_azureOptions.ClientId,
_azureOptions.BaseUrl + _azureOptions.CallbackPath,
new ClientCredential(_azureOptions.ClientSecret),
new SessionTokenCache(identifier, memoryCache).GetCacheInstance(),
null);
var result = await cca.AcquireTokenByAuthorizationCodeAsync(code, graphScopes);
// Check whether the login is from the MSA tenant.
// The sample uses this attribute to disable UI buttons for unsupported operations when the user is logged in with an MSA account.
var currentTenantId = context.Principal.FindFirst(config.AzureAdTenantId).Value;
if (currentTenantId == "9188040d-6c67-4c5b-b112-36a304b66dad")
{
// MSA (Microsoft Account) is used to log in
}
context.HandleCodeRedemption(result.AccessToken, result.IdToken);
}
当然,这仍然意味着您可能会覆盖其他一些处理程序(即options.Events.OnAuthorizationCodeReceived可能已经有一个处理程序)。所以你可以先捕获它并等待结果,例如
var existingHandler = options.Events.OnAuthorizationCodeReceived;
options.Events.OnAuthorizationCodeReceived = async (context) =>
{
await existingHandler(context);
// Your code here...
}
最后,如果您在方法中使用该AzureAdAuthenticationBuilderExtensions.AddAzureAd方法Startup.ConfigureServices,请检查该ConfigureAzureOptions.Configure方法是否没有OpenIdConnectEvents按照上述讨论分配新值。