如果客户端指定,我需要将用户自动重定向到idp。我实质上是在AuthenticationController的Login方法中检查,如果设置了IDP,则将我重定向到该控制器上的另一个方法,该方法随后向IDP调用Challenge,这有点混乱,因为我真的想创建另一个控制器来处理外部身份验证,而不必与IDP检查/重定向混淆本地登录。
这让我开始思考,如果设置了idp,Identity Server 4是否可以自动重定向您?我已将客户端的EnableLocalLogin设置为false,并在客户端上指定了idp(这将按预期添加ACR)。任何帮助将不胜感激。
Server Startup.cs:
services.AddAuthentication()
.AddMicrosoftAccount("Microsoft", options =>
{
options.ClientId = this.Configuration["Credentials:AzureADClientID"];
options.SignInScheme = "Identity.External";
options.ClientSecret = this.Configuration["Credentials:AzureADClientSecret"];
options.AuthorizationEndpoint = this.Configuration["IdentityServer:AzureADAuthorisationEndpoint"];
options.TokenEndpoint = this.Configuration["IdentityServer:AzureADTokenEndpoint"];
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
options.Cookie.Name = defaultSecurityPolicy.AuthenticationCookieName;
options.Cookie.Expiration = TimeSpan.FromMinutes(defaultSecurityPolicy.CookieValidForMinutes);
options.LoginPath = "/LogIn";
options.SlidingExpiration = true;
options.AccessDeniedPath = "/error/403";
options.ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
});
服务器AuthenticationController.cs
[HttpGet("login")]
public async Task<IActionResult> Login(string username, string returnUrl)
{
await this.HttpContext.SignOutAsync(IdentityConstants.ExternalScheme);
var context = await this.interactionService.GetAuthorizationContextAsync(returnUrl);
if (context?.IdP != null)
{
var url = returnUrl;
var redirectUrl = this.Url.Action(nameof(this.ExternalLoginCallback), new { returnUrl = url });
var properties = this.signInManager.ConfigureExternalAuthenticationProperties("Microsoft", redirectUrl);
return this.Challenge(properties, "Microsoft");
}
var vm = new LoginViewModel { Username = username, ReturnUrl = returnUrl };
return this.View(vm);
}
Client Startup.cs
services.AddAuthentication(options =>
{
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(o =>
{
o.Cookie.Name = "CookieName";
o.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
o.Cookie.HttpOnly = true;
o.AccessDeniedPath = "/error/403";
o.Events.OnRedirectToAccessDenied = x =>
{
x.HttpContext.Response.StatusCode = 403;
return Task.CompletedTask;
};
})
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, o =>
{
o.Authority = this.Configuration.GetSection("IdentityServer").GetValue<string>("Url");
o.AuthenticationMethod = OpenIdConnectRedirectBehavior.RedirectGet;
o.ClientId = this.Configuration.GetSection("IdentityServer").GetValue<string>("ClientId");
o.ClientSecret = this.Configuration.GetSection("IdentityServer").GetValue<string>("ClientSecret");
o.RequireHttpsMetadata = true;
o.SaveTokens = true;
o.ResponseType = "code id_token";
o.GetClaimsFromUserInfoEndpoint = true;
o.Scope.Add("openid profile");
o.Events.OnRedirectToIdentityProvider = n =>
{
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
{
n.ProtocolMessage.AcrValues = "idp:Microsoft";
}
return Task.FromResult(0);
};
});