ASP.NET Core 2.1: How to access "action claims" in controller code (especially during user registration)?

Question (votes: 1, answers: 1)

For OAuth2 authentication with Core Identity (and retrieving user information), the latest MS samples use code like this:

   options.Events = new OAuthEvents
   {   
       // ...
       OnCreatingTicket = async (OAuthCreatingTicketContext context) =>
       {
          var userInfo = // ..
          context.RunClaimActions(userInfo);
       }
   }

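MS calls these "action claims".

But how do I access these action claims in controller code? Specifically, in the OnGetCallbackAsync handler of the ExternalLogin Razor page generated by "Core Identity 2.1":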

    // ExternalLogin.cshtml.cs
    public async Task<IActionResult> OnGetCallbackAsync(string returnUrl = null, string remoteError = null)
    {
        var claimsIdentity = User.Identity as ClaimsIdentity;
        var claimsPrincipal = User.Identity as ClaimsPrincipal; // null
        // claimsIdentity doesn't contain the OAuth target claims (since this is a new, not yet registered user?)
        // ..
        var signInResult = await _signInManager.ExternalLoginSignInAsync(...);
        if (signInResult.Succeeded)
        {
        }
        else // means not yet registered locally
        {
            // HOW TO ACCESS ACTION CLAIMS THERE?
            // or how to get the authentication token to get user info manually...
        }
    }

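P.S. Addition to the answer: RunClaimActions should be used together with MapJsonKey

    serviceCollection.AddAuthentication().AddOAuth(options =>
    {
        // ...
        // https://msdn.microsoft.com/en-us/library/microsoft.identitymodel.claims.claimtypes_members.aspx

        options.ClaimActions.MapJsonKey(ClaimTypes.Surname, "family_name");
        options.ClaimActions.MapJsonKey(ClaimTypes.GivenName, "given_name");
        options.ClaimActions.MapJsonKey("SalesforceOrganizationId", "organization_id");
    });

Then the userinfo fields can be accessed as regular user claims. So "action claims" are not a "special kind of claims" but just "yet another ASP MVC magic".

Also don't forget options.SaveTokens = true; only with it can you get the token

    var info = await _signInManager.GetExternalLoginInfoAsync();
    var token = info.AuthenticationTokens.First(); // requires using System.Linq

and get more information from other connected services.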

oauth-2.0 asp.net-core-2.0 razor-pages asp.net-core-2.1 asp.net-core-identity
1 answer

1 vote

I have seen this in an example in the official documentation.

Reference: Persist additional claims and tokens from external providers in ASP.NET Core

First, you have to map the desired claims when configuring the authentication provider.

The documentation example used Google, for mapping user data keys and creating claims:

In the provider's options, specify a MapJsonKey for each key in the external provider's JSON user data, for the app identity to read on sign-in.

Startup

    services.AddAuthentication().AddGoogle(options =>
    {
        //....
        options.ClaimActions.MapJsonKey(ClaimTypes.Gender, "gender");
        //...map other claims/claim types
        //...
    });

From there you should be able to access the claims via ExternalLoginInfo.Principal, which has a ClaimsPrincipal representing the user associated with the login.

ExternalLogin.cshtml.cs

    // Executes when a previously registered user signs into the app.
    public async Task<IActionResult> OnGetCallbackAsync(
        string returnUrl = null, string remoteError = null)
    {
        if (remoteError != null)
        {
            ErrorMessage = $"Error from external provider: {remoteError}";
            return RedirectToPage("./Login");
        }

        // Get the information about the user from the external login provider
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null)
        {
            return RedirectToPage("./Login");
        }

        // Sign in the user with this external login provider if the user
        // already has a login
        var result = await _signInManager.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false,
            bypassTwoFactor: true);

        if (result.Succeeded)
        {
            // Store the access token and resign in so the token is included
            // in the cookie
            var user = await _userManager.FindByLoginAsync(info.LoginProvider,
                info.ProviderKey);

            // What is the gender of this user if present
            if (info.Principal.HasClaim(c => c.Type == ClaimTypes.Gender))
            {
                var gender = info.Principal.FindFirst(ClaimTypes.Gender);
                //...use gender
            }

            var props = new AuthenticationProperties();
            props.StoreTokens(info.AuthenticationTokens);

            await _signInManager.SignInAsync(user, props, info.LoginProvider);

            _logger.LogInformation(
                "{Name} logged in with {LoginProvider} provider.",
                info.Principal.Identity.Name, info.LoginProvider);

            return LocalRedirect(Url.GetLocalUrl(returnUrl));
        }

        if (result.IsLockedOut)
        {
            return RedirectToPage("./Lockout");
        }
        else
        {
            // If the user does not have an account, then ask the user to
            // create an account
            ReturnUrl = returnUrl;
            LoginProvider = info.LoginProvider;

            if (info.Principal.HasClaim(c => c.Type == ClaimTypes.Email))
            {
                Input = new InputModel
                {
                    Email = info.Principal.FindFirstValue(ClaimTypes.Email)
                };
            }

            return Page();
        }
    }

Review the comments in the code and take note of the access to info.Principal, which should contain the claims associated with the current user after signing in.
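Added example, not part of the question, the answer, or the Microsoft sample: a registration handler for the "not yet registered locally" branch the question asks about, which copies an allow-listed set of mapped claims from info.Principal onto the new local account and keeps the provider tokens. The class layout, the Email property, the use of IdentityUser and the PersistedClaimTypes list are assumptions made for illustration.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

public class ExternalLoginModel : PageModel
{
    // Assumed allow-list: only these mapped claim types are copied to the local account.
    private static readonly string[] PersistedClaimTypes =
        { ClaimTypes.GivenName, ClaimTypes.Surname, "SalesforceOrganizationId" };

    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly UserManager<IdentityUser> _userManager;

    public ExternalLoginModel(SignInManager<IdentityUser> signIn, UserManager<IdentityUser> users)
    { _signInManager = signIn; _userManager = users; }

    [BindProperty] public string Email { get; set; } // assumed confirmation form field

    public async Task<IActionResult> OnPostConfirmationAsync(string returnUrl = null)
    {
        // Re-read the external identity from the external cookie; never rebuild it from posted fields.
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null || !ModelState.IsValid) return RedirectToPage("./Login");

        var user = new IdentityUser { UserName = Email, Email = Email };
        var result = await _userManager.CreateAsync(user);
        if (result.Succeeded) result = await _userManager.AddLoginAsync(user, info);
        if (!result.Succeeded)
        {
            foreach (var e in result.Errors) ModelState.AddModelError(string.Empty, e.Description);
            return Page();
        }

        // Claims created by MapJsonKey + RunClaimActions are ordinary claims on info.Principal.
        foreach (var type in PersistedClaimTypes)
        {
            var claim = info.Principal.FindFirst(type);
            if (claim != null) await _userManager.AddClaimAsync(user, new Claim(claim.Type, claim.Value));
        }

        // AuthenticationTokens is only populated when options.SaveTokens = true.
        var props = new AuthenticationProperties();
        props.StoreTokens(info.AuthenticationTokens);
        await _signInManager.SignInAsync(user, props, info.LoginProvider);
        return LocalRedirect(returnUrl ?? "~/"); // LocalRedirect rejects non-local URLs
    }
}
```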
