我正在开发一个使用WsFederation对ADFS 3.0进行身份验证的.Net Core 2.2 Razor Page应用程序。这正在工作,并且用户已通过身份验证,我可以检索用户的声明。
我还可以通过带有ADFS 3.0的授权代码流来检索刷新承载令牌。这个短暂的刷新令牌将用于访问内部WebAPI。我正在尝试添加一个新的用户声明,该声明就是该“刷新载体令牌”。由于某种原因,我更新了声明列表(我看到它是使用QuickWatch添加的),并在另一个页面中访问该声明列表后,新声明不再可用,该列表会重置为初始身份验证后的状态。
我正在重用在.Net MVC5中执行此操作时所用的相同代码。现在,我读到它在某些情况下可能需要用户重新登录。但是,当我在.Net MVC5中执行此操作时,不必重新登录。我有点困惑,因为我不确定这是.Net Core问题还是整个MVC 5项目在整个过程中都做错了。
我调查了通过HttpContextaccessor访问User的情况,并注入了它以更新声明列表,但未产生任何新结果。
public class RefreshTokenmodel : PageModel
{
private readonly IConfiguration _config;
private readonly IHttpContextaccessor _httpContextaccessor;
public RefreshTokenmodel(IConfiguration config,IHttpContextaccessor httpContextaccessor)
{
_config = config;
_httpContextaccessor = httpContextaccessor;
}
public async Task<actionResult> OnGetasync()
{
//var curIdentity = (ClaimsIdentity)User.Identity;
var curIdentity = (ClaimsIdentity)_httpContextaccessor.HttpContext.User.Identity;
bool needToken = false;
AuthenticationContext authenticationContext = new AuthenticationContext(_config.Getvalue<string>("ADFSIdentitysettings:ADFSAuthority"),false);
try
{
ClientCredential cc = new ClientCredential(_config.Getvalue<string>("ADFSIdentitysettings:oAuthClient"),_config.Getvalue<string>("ADFSIdentitysettings:oAuthClientSecret"));
AuthenticationResult _authResult = await authenticationContext.AcquireTokenSilentAsync(_config.Getvalue<string>("ADFSIdentitysettings:ADFSResourceIdentifier"),_config.Getvalue<string>("ADFSIdentitysettings:oAuthClient"));
if (!string.IsnullOrEmpty(_authResult.accessToken) && !string.IsnullOrEmpty(_authResult.accessTokenType))
{
//curIdentity = (ClaimsIdentity)User.Identity;
curIdentity = (ClaimsIdentity)_httpContextaccessor.HttpContext.User.Identity;
var bearerToken = curIdentity.Claims.Where(x => x.Type == "BearerToken").SingleOrDefault();
if (bearerToken != null)
{
curIdentity.TryRemoveclaim(bearerToken);
}
curIdentity.AddClaim(new Claim("BearerToken",_authResult.CreateAuthorizationHeader()));
}
needToken = false;
}
catch (AdalException adalEx)
{
needToken = true;
}
if (needToken)
{
var authorizationURL = await authenticationContext.GetauthorizationRequestUrlAsync(_config.Getvalue<string>("ADFSIdentitysettings:ADFSResourceIdentifier"),_config.Getvalue<string>("ADFSIdentitysettings:oAuthClient"),new Uri(_config.Getvalue<string>("ADFSIdentitysettings:ADFSRedirecturi")),new UserIdentifier(User.Identity.Name,UserIdentifierType.UniqueId),"");
return new RedirectResult(authorizationURL.AbsoluteUri);
}
return new PageResult();
}
}
我的Startup.cs
public void ConfigureServices(IServiceCollection services)
{
services.Configure<CookiePolicyOptions>(options =>
{
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
});
services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
}).AddWsFederation(options =>
{
options.Wtrealm = "http://applicationname/razor";
options.MetadataAddress = "urltofederationmetadata.xml";
})
.AddCookie();
services.AddAuthorization();
services.AddMvc()
.AddRazorPagesOptions(options =>
{
// options.Conventions.AuthorizeFolder("/Areas/Pages/Settings"); //set authorization on just a single folder
options.Conventions.AuthorizeFolder("/"); //- set authorization on all folders and pages
})
.SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
services.AddHttpContextaccessor();
}