问题描述
Azure Active Directory成功验证Web应用程序后,我需要向令牌添加自定义声明。
After a webapp is successfully authenticated by Azure Active Directory, I need to add custom claims to the token.
本质上,我想在我的一个控制器中执行此操作:
Essentially I want to do this in one of my controllers:
if (ExistsUserInDb(User.Identity.Name))
{
User.Identity.AddClaim("superUser", "true");
}
这样,当该用户执行某些superPrivilege任务时,我就可以继续重复使用同一令牌
So that I can keep on reusing the same token when that user does some superPrivilege action on other controllers.
这可能吗?
我尝试了这些链接,但没有为我工作:
I've tried these links but they didn't work for me:How to extend available properties of User.IdentityHow to add claims in ASP.NET Identity
推荐答案
根据我的理解,您的MVC应用程序配置为使用ASP.NET Identity进行用户身份验证,并且也可以使用软件包,用于支持AAD JWT承载令牌认证,如下所示:
Based on my understanding, your MVC application is configured to use ASP.NET Identity for user authentication and you also use the Microsoft.Owin.Security.ActiveDirectory package for supporting AAD JWT bearer token authentication as follows:
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
TokenValidationParameters = new TokenValidationParameters()
{
ValidAudience = "{AAD-client-ID}"
},
Tenant = "{tenantID}"
});
此时,上述中间件将解码令牌并创建 ClaimsIdentity
用于包装来自传入JWT令牌的声明。根据我的理解,您无法在控制器下修改传入令牌,但是可以在中间件设置下按以下方式进行处理:
At this point, the above middle-ware would decode the token and create a ClaimsIdentity
for wrapping the claims from the incoming JWT token. Per my understanding, you could not modify the incoming token under your controller, but you could handle this under the middle-ware settings as follows:
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
TokenValidationParameters = new TokenValidationParameters()
{
ValidAudience = "{AAD-client-ID}"
},
Tenant = "{tenantID}",
Provider = new OAuthBearerAuthenticationProvider()
{
OnValidateIdentity = (context) =>
{
//check context.Ticket.Identity.Name
//add your additional claims here
context.Ticket.Identity.AddClaim(new Claim("test02", "test02"));
return Task.FromResult(0);
}
}
});
此外,我会使用中间件将OpenIdConnect用于AAD身份验证,如下所示:
Moreover, I would use Microsoft.Owin.Security.OpenIdConnect middleware to use OpenIdConnect for AAD authentication as follows:
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = Authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications()
{
SecurityTokenValidated = async (x) =>
{
var identity = x.AuthenticationTicket.Identity;
//check the name, add additional claims
identity.AddClaim(new Claim("test", "test"));
await Task.FromResult(0);
}
}
});
或者您也可以尝试在控制器中添加声明,如下所示:
Or you could try to add the claims in your controller as follows:
var identity= User.Identity as ClaimsIdentity;
identity.AddClaim(new Claim("test1", "test1"));
HttpContext.GetOwinContext().Authentication.SignIn(identity);
详细信息,您可以关注使用OpenID Connect将Azure AD集成到Web应用程序中。
Details, you could follow Integrate Azure AD into a web application using OpenID Connect.
这篇关于asp.net身份:身份验证后,将自定义用户声明添加到AAD提供的令牌中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!