Thread.CurrentPrincipal is ClaimsIdentity returns false, and how to get the claims from the Thread



I have an ASP.NET web application (.NET Framework 4.8) that currently uses ADFS for authentication. I am now migrating the ADFS authentication to Azure AD using the authorization code flow and the OIDC protocol.

I added a SecurityTokenValidated notification to the OIDC middleware, in which I am trying to perform validation and add custom claims. The code is as follows:

    // Inside OpenIdConnectAuthenticationOptions.Notifications
    SecurityTokenValidated = notification =>
    {
        // notification.AuthenticationTicket.Identity is the ClaimsIdentity built from the id_token
        AddUserClaimsToPrincipal(notification.AuthenticationTicket.Identity);
        return Task.FromResult(0);
    }

    private void AddUserClaimsToPrincipal(ClaimsIdentity identity)
    {
        string nameClaimValue = string.Empty;        // Get Alias
        string emailClaimValue = string.Empty;       // Get Email
        string displayClaimNameValue = string.Empty; // Get Display Name

        Claim displayNameClaim = identity.FindFirst(t => t.Type == CLAIM_DISPLAYNAME);
        Claim emailClaim = identity.FindFirst(t => t.Type == CLAIM_EMAIL);
        if (displayNameClaim != null)
        {
            displayClaimNameValue = displayNameClaim.Value;
        }
        if (emailClaim != null)
        {
            emailClaimValue = emailClaim.Value;
        }
        nameClaimValue = emailClaimValue;

        // Look the user up in the application's own store; roles come back as an out parameter
        List<string> roles;
        bool userExists = ValidateUser(nameClaimValue, out roles);

        // Custom claim consumed later in Application_PostAuthenticateRequest
        identity.AddClaim(new Claim("SampleApp_UserAuthorized", userExists.ToString()));

        // Only add application roles if the token did not already carry role claims
        if (identity.FindFirst(t => t.Type == CLAIM_Role) == null)
        {
            foreach (var role in roles)
            {
                identity.AddClaim(new Claim(CLAIM_Role, role));
            }
        }
    }

Now I am trying to validate the user's authorization in the Global.asax file using the following event: Application_PostAuthenticateRequest

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        // Thread.CurrentPrincipal is the principal, not the identity, so this type test is always false
        if (Thread.CurrentPrincipal.Identity.IsAuthenticated && Thread.CurrentPrincipal is ClaimsIdentity)
        {
            // Code to fetch the claims
            // If the incoming claims contain the custom claim SampleApp_UserAuthorized, then send the user to
            // the unauthorized.html page
        }
    }

In the above code I see that Thread.CurrentPrincipal.Identity.IsAuthenticated returns true, but on the other hand Thread.CurrentPrincipal is ClaimsIdentity returns false.

I want to get the custom claim SampleApp_UserAuthorized in Application_PostAuthenticateRequest so that I can send the user to the unauthorized .html page.

Can someone help me with some code examples to solve this?

I have fixed this with the following code, and it now works fine for me:

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated)
        {
            // Old ADFS challenge, kept for reference:
            //this.Context.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" }, WsFederationAuthenticationDefaults.AuthenticationType);
            this.Context.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectAuthenticationDefaults.AuthenticationType);
        }

        // The principal is a ClaimsPrincipal; the ClaimsIdentity is its Identity property
        if (Thread.CurrentPrincipal.Identity.IsAuthenticated && Thread.CurrentPrincipal is System.Security.Claims.ClaimsPrincipal)
        {
            var principal = (System.Security.Claims.ClaimsPrincipal)Thread.CurrentPrincipal;

            // Read the custom claim added in SecurityTokenValidated.
            // A missing or non-boolean claim is treated as "not authorized" instead of throwing.
            var authorizedClaim = principal.FindFirst(c => c.Type == "SampleApp_UserAuthorized");
            bool userAuthorized = authorizedClaim != null
                && bool.TryParse(authorizedClaim.Value, out bool parsed)
                && parsed;

            if (!userAuthorized)
            {
                // Avoid redirection for static files (used in the access denied page)
                List<string> staticcontentpaths = new List<string> { ".css", ".js", ".png", ".gif", ".jpg", ".jpeg", ".ico", ".svg", ".woff", ".ttf" };
                string extension = Path.GetExtension(HttpContext.Current.Request.PhysicalPath).ToLower();
                if (!staticcontentpaths.Contains(extension))
                {
                    Server.Execute("~/errors/auth.html");
                    HttpContext.Current.ApplicationInstance.CompleteRequest();
                }
            }
        }
    }
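The root cause, for anyone hitting the same thing: in .NET 4.5 and later every IPrincipal the framework hands you (including GenericPrincipal and the OWIN principal) derives from ClaimsPrincipal, and the ClaimsIdentity lives on its Identity property, so `Thread.CurrentPrincipal is ClaimsIdentity` can never be true. The following is an added example, not the poster's code, that factors the claim check out of Global.asax so it can be unit tested, fails closed when the claim is missing or malformed, gates on the request path rather than the physical file (so extensionless MVC routes are not skipped), and answers with a 403 instead of a 200 carrying an error page. It assumes the claim type "SampleApp_UserAuthorized" set in the SecurityTokenValidated handler above; the Global class name and the "~/errors/auth.html" page are taken from the question.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;
using System.Web;

// Added example (not the original poster's code). Assumes the SecurityTokenValidated
// notification has already stamped "SampleApp_UserAuthorized" onto the ClaimsIdentity.
public static class AppAuthorization
{
    public const string AuthorizedClaimType = "SampleApp_UserAuthorized";

    // Only these extensions bypass the gate so the access-denied page can load its assets.
    private static readonly string[] StaticExtensions =
        { ".css", ".js", ".png", ".gif", ".jpg", ".jpeg", ".ico", ".svg", ".woff", ".woff2", ".ttf" };

    // Works on IPrincipal so it accepts HttpContext.User or Thread.CurrentPrincipal.
    // The principal is a ClaimsPrincipal; its ClaimsIdentity is principal.Identity.
    public static bool IsAuthorized(IPrincipal principal)
    {
        var claimsPrincipal = principal as ClaimsPrincipal;
        if (claimsPrincipal?.Identity == null || !claimsPrincipal.Identity.IsAuthenticated)
            return false;

        // Fail closed: no claim, or a value that is not a boolean, means "not authorized".
        // Never let an unexpected claim shape surface as a NullReferenceException.
        Claim claim = claimsPrincipal.FindFirst(AuthorizedClaimType);
        return claim != null
            && bool.TryParse(claim.Value, out bool authorized)
            && authorized;
    }

    // Decide on the URL path, not Request.PhysicalPath: routed (extensionless) requests have
    // no physical file and must still be gated.
    public static bool IsStaticAsset(string requestPath)
    {
        string ext = Path.GetExtension(requestPath ?? string.Empty);
        return StaticExtensions.Contains(ext, StringComparer.OrdinalIgnoreCase);
    }
}

// Global.asax code-behind (class name as in the question).
public partial class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Anonymous requests are left to the OIDC middleware / [Authorize] to challenge.
        if (ctx.User?.Identity?.IsAuthenticated != true)
            return;

        if (AppAuthorization.IsStaticAsset(ctx.Request.Path))
            return;

        if (!AppAuthorization.IsAuthorized(ctx.User))
        {
            // 403 is what clients, logs and any WAF in front should see; the HTML body is for humans.
            ctx.Response.Clear();
            ctx.Response.StatusCode = 403;
            ctx.Response.TrySkipIisCustomErrors = true;
            ctx.Server.Execute("~/errors/auth.html");
            ctx.ApplicationInstance.CompleteRequest();
        }
    }
}
```

Prefer `HttpContext.Current.User` over `Thread.CurrentPrincipal` in ASP.NET: both are populated by the OWIN stage that runs before PostAuthenticateRequest, but the thread principal is not guaranteed to follow async continuations, whereas the context principal is. Because `IsAuthorized` takes an `IPrincipal`, it can be exercised in a unit test with a hand-built `ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"))`, including the negative cases (no claim, `"maybe"` as the value, an unauthenticated identity), which is where fail-closed logic usually breaks.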
