OWIN challenge not triggered when using web.config authorization elements


Problem description

I'm migrating a Web Forms application from Forms Authentication to OpenID Connect (using OWIN and IdentityServer3). The application already has a lot of 'authorization' elements (for various locations) in the web.config which I would like to reuse after migrating to OWIN.

<authorization>
   <deny users="?" />
</authorization>
<location path="Path/Page.aspx">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>
...

The problem is that after I switch to OWIN, instead of being redirected to the login page, I get a 401 (unauthorized).

At the moment the only way to redirect the user to the login page is to manually make a challenge in the Page_Load event:

if (!Request.IsAuthenticated)
{
   HttpContext.Current.GetOwinContext().Authentication.Challenge();
}

This is what my Startup.Auth looks like:

public void ConfigureAuth(IAppBuilder app)
{
    //reset the mapping dictionary to ensure the claims are not mapped to .NET standard claims
    JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = "ApplicationCookie",
        AuthenticationMode = AuthenticationMode.Active
    });

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = "id",
        Authority = IdentityConstants.BaseAddress,
        RedirectUri = "uri",
        ResponseType = "code id_token token",
        SignInAsAuthenticationType = "ApplicationCookie",
        Scope = "openid profile email roles offline_access",
        ...
    }
...

Is there a way to leverage the existing authorization elements in web config so that I don't have to make these checks again in the code?

Recommended answer

Add the following code after app.UseOpenIdConnectAuthentication:

app.UseStageMarker(PipelineStage.Authenticate);

This will instruct Owin to run in the integrated pipeline.
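
The following is an added example, not code from the original question or answer: the question's ConfigureAuth with the stage marker in place and the namespaces it needs. The Authority and RedirectUri values are constructed placeholders. Under IIS integrated mode, OWIN middleware without a stage marker runs at the PreRequestHandlerExecute event, which comes after UrlAuthorizationModule has already evaluated the web.config authorization rules and ended the request with a 401, so the OpenID Connect middleware never gets to handle it.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Extensions;            // UseStageMarker extension method
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;                                 // IAppBuilder, PipelineStage

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Keep the claim types as issued instead of mapping them to .NET claim types.
        JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "ApplicationCookie",
            AuthenticationMode = AuthenticationMode.Active
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "id",
            Authority = "https://idsrv.example/identity",   // placeholder (assumption)
            RedirectUri = "https://app.example/",            // placeholder (assumption)
            ResponseType = "code id_token token",
            SignInAsAuthenticationType = "ApplicationCookie",
            Scope = "openid profile email roles offline_access"
        });

        // Every middleware registered above this line now runs at the IIS
        // AuthenticateRequest event. The cookie middleware sets the user before
        // the <authorization> rules are evaluated, and the OpenID Connect
        // middleware is already in the pipeline when a <deny users="?" /> rule
        // produces a 401, so it can turn that 401 into a redirect to the
        // identity provider.
        app.UseStageMarker(PipelineStage.Authenticate);

        // Middleware registered after the marker (none here) falls into a later
        // stage, so authentication middleware must stay above it.
    }
}
```

With this in place, the manual Authentication.Challenge() call in Page_Load from the question is no longer needed for pages covered by the web.config rules.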
