我有一个Blazer Server应用程序,该应用程序现在使用来自本地ADFS服务器的身份验证。确定了用户之后,我现在需要加载他们的权限。我们不认为ADFS服务器可以通过声明提供此信息,因此想在数据库中进行配置,但是需要了解如何/何时获得此信息。关于与ADFS的关联,我的代码如下(最欢迎提出任何改进建议)
App.razor
<CascadingAuthenticationState>
<Router AppAssembly="@typeof(Program).Assembly">
<Found Context="routeData">
<AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)">
<NotAuthorized>
<h1>Sorry</h1>
<p>You're not authorized to reach this page.</p>
<p>You may need to log in as a different user.</p>
</NotAuthorized>
</AuthorizeRouteView>
</Found>
<NotFound>
<LayoutView Layout="@typeof(MainLayout)">
<h1>Sorry</h1>
<p>Sorry, there's nothing at this address.</p>
</LayoutView>
</NotFound>
</Router>
</CascadingAuthenticationState>
appsettings.Development.json
{
"DetailedErrors": "true",
"ConnectionStrings": {
"MyDB": "Data Source=x.x.x.x;Initial Catalog=xxxxx;user id=me;password=sshhh;Persist Security Info=False;"
},
"Ida": {
"ADFSMetadata": "https://adfs.ourServer.com/FederationMetadata/2007-06/FederationMetadata.xml",
"Wtrealm": "https://localhost:44323/"
}
}
Startup.cs(仅显示与安全相关的代码)
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
public class Startup
{
public static void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
.....
app.UseAuthentication();
app.Use(async (context, next) =>
{
context.Response.Headers.Add("X-Frame-Options", "DENY");
var user = context.User;
if (user?.Identities.HasNoItems(identity => identity.IsAuthenticated) ?? true)
{
await context.ChallengeAsync(WsFederationDefaults.AuthenticationScheme).ConfigureAwait(false);
}
if (next != null)
{
await next().ConfigureAwait(false);
}
});
....
}
...
public void ConfigureServices(IServiceCollection services)
{
var wtrealm = this.Configuration.GetSection("Ida:Wtrealm").Value;
var metadataAddress = this.Configuration.GetSection("Ida:ADFSMetadata").Value;
services
.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
})
.AddWsFederation(options =>
{
options.Wtrealm = wtrealm ;
options.MetadataAddress = metadataAddress;
options.UseTokenLifetime = false;
})
.AddCookie();
....
}
}
关于以上代码有什么建议吗?当用户进入我们的网站(任何页面)时,他们会自动被推送到ADFS服务器进行身份验证。似乎还可以,但是阻止用户注销。...
因此,从ADFS中,我们获得了一些标识用户的声明,例如他们的UPN名称。我的想法是转到数据库并加载该用户具有的所有角色/权限/权限。
我有一个Blazer Server应用程序,该应用程序现在使用来自本地ADFS服务器的身份验证。确定了用户之后,我现在需要加载他们的权限。我们认为无法通过声明提供此信息...