What to put for the scheme in AuthenticationHttpContextExtensions.AuthenticateAsync()

Question
I'm using OIDC with Identity Server 4, which is authenticating with Okta.

I'm calling `var result = await HttpContext.AuthenticateAsync("Identity.External");` in a callback method.

I chose `Identity.External` as the scheme because I noticed that was the name of the cookie in the request to the callback method:

However, I realised I could rename this cookie using this code in `Startup.ConfigureServices()`:

```csharp
services.ConfigureExternalCookie(config =>
{
    config.Cookie.Name = "test12";
});
```

But after renaming the cookie, the call to `HttpContext.AuthenticateAsync("Identity.External")` still works, so it appears that the scheme name has nothing to do with this cookie name.

How do we know what string value to put in there? Is there a list of acceptable values somewhere?

Here's my `Startup.ConfigureServices()`:

```csharp
services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; // "Cookies"
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    options.DefaultSignOutScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
.AddOpenIdConnect("oidc", "OpenIdConnect", options =>
{
    options.Authority = "oktaUrlHere";
    options.ClientId = "clientIdHere";
    options.ClientSecret = "clientSecretHere";
    options.SaveTokens = true;
    options.ResponseType = "code";
    options.Scope.Add("groups");
    options.Scope.Add("email");
    options.Events = new CustomOpenIdConnectEvents
    {
        // ...
    };
});
```

UPDATE:

I tried prepending the scheme with "1" just to see what would happen:

```csharp
var result = await HttpContext.AuthenticateAsync("1Identity.External");
```

It returned this error, which contains a list of registered schemes:

```
An unhandled exception occurred while processing the request.
InvalidOperationException: No authentication handler is registered for the scheme '1Identity.External'.
The registered schemes are: Identity.Application, Identity.External, Identity.TwoFactorRememberMe, Identity.TwoFactorUserId, idsrv, idsrv.external, Cookies, oidc. Did you forget to call AddAuthentication().Add[SomeAuthHandler]("1Identity.External",...)?
```

Are these schemes all registered by default? Is this documented anywhere?

UPDATE:

I put a breakpoint in the following code to view the values for the properties on `options`:

```csharp
services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    options.DefaultSignOutScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
```

I can see the default value for `DefaultAuthenticateScheme` is `Identity.Application`, and the default value for `DefaultSignInScheme` is `Identity.External`.

Since `options.DefaultAuthenticateScheme` has a value, `options.DefaultScheme` (`"Cookies"`) will not be used.

According to msdn, `DefaultAuthenticateScheme` is:

> used as the default scheme by AuthenticateAsync(HttpContext, String).

If that's the case, why does the scheme passed to `AuthenticateAsync()` need to be the value for `DefaultSignInScheme` (`"Identity.External"`) and not `DefaultAuthenticateScheme` (`"Identity.Application"`)?

UPDATE:

In this Duende example, they use:

```csharp
services.AddAuthentication()
    .AddOpenIdConnect("AAD", "Employee Login", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        // other options omitted
    });
```

and authenticate using:

```csharp
var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
```

which also goes against what the Microsoft documentation says.
Answer 1
Score: 1
The name of the cookie is unrelated to what you are trying to do.

In your client configuration, you typically have something like this:

```csharp
services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
}).AddCookie(opt =>
{
    // ...
}).AddOpenIdConnect(options =>
{
    // ...
});
```

What you put inside this method, `HttpContext.AuthenticateAsync("Identity.External")`, is the name of the scheme.

But typically, when you use OpenIDConnect, you want to challenge the user via the OpenIDConnect handler, so if what you are trying to achieve is to ask the user to log in, then you should use something like this:

```csharp
HttpContext.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme)
```

To summarize: you can name the handlers whatever you like, and then you register which handler handles which event.

```csharp
services.AddAuthentication(options =>
{
    options.DefaultScheme = "MyCookieScheme"; // Use the cookie handler for everything except Challenge
    options.DefaultChallengeScheme = "MyOIDCScheme";
}).AddCookie("MyCookieScheme", opt =>
{
}).AddOpenIdConnect("MyOIDCScheme", options =>
{
});
```

Then later in the code, when you want to ask the user to log in:

```csharp
// Please use the handler with the MyOIDCScheme name to challenge the user
HttpContext.ChallengeAsync("MyOIDCScheme");
```

About the question about those specific names: the names are registered internally by IdentityServer. For example, see the log here:
https://github.com/DuendeSoftware/Support/issues/477

It says in the log output:

```
[13:35:16 Information] Duende.IdentityServer.Startup
Using the default authentication scheme Identity.Application for IdentityServer
[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.Application as default ASP.NET Core scheme for authentication
[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.External as default ASP.NET Core scheme for sign-in
[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.External as default ASP.NET Core scheme for sign-out
[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.Application as default ASP.NET Core scheme for challenge
[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.Application as default ASP.NET Core scheme for forbid
```
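A worked callback for the pattern the answer describes, added here as an example; it is not code from the question, the answer or IdentityServer. It assumes the defaults the question observed (`Identity.External` as sign-in scheme and `Identity.Application` as authenticate scheme, exposed as `IdentityConstants.ExternalScheme` / `IdentityConstants.ApplicationScheme`), an OIDC handler whose `SignInScheme` is left unset so it falls back to the default sign-in scheme, and it uses raw cookie sign-in calls rather than `SignInManager`; the controller and route names are hypothetical.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller (example only). Scheme names used here are the Identity
// defaults the question saw at its breakpoint, taken from IdentityConstants.
public class ExternalLoginController : Controller
{
    private readonly IAuthenticationSchemeProvider _schemes;

    public ExternalLoginController(IAuthenticationSchemeProvider schemes) => _schemes = schemes;

    // "Is there a list of acceptable values?" The registered schemes are exactly the
    // strings AuthenticateAsync accepts; any other name throws the
    // InvalidOperationException shown in the question. Keep such an endpoint
    // out of production builds; it is a diagnostic.
    [HttpGet("/debug/schemes")]
    public async Task<IActionResult> ListSchemes()
    {
        var names = new List<string>();
        foreach (var s in await _schemes.GetAllSchemesAsync())
            names.Add($"{s.Name} -> {s.HandlerType.Name}");
        return Ok(names);
    }

    [HttpGet("/external-callback")]
    public async Task<IActionResult> Callback()
    {
        // Passing a scheme explicitly bypasses DefaultAuthenticateScheme; the defaults
        // only apply when the scheme argument is null. The OIDC handler has already
        // stored the external principal under its SignInScheme, so that scheme name
        // (not the cookie's Name, which is configurable) is what must be read here.
        var result = await HttpContext.AuthenticateAsync(IdentityConstants.ExternalScheme);
        if (!result.Succeeded || result.Principal == null)
            return Unauthorized(); // fail closed; never fall through to an anonymous session

        // Sample check: require a stable subject before promoting the external identity.
        var subject = result.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(subject))
            return Forbid();

        // Promote to the application session, then discard the temporary external cookie
        // so the short-lived external principal cannot be reused on its own.
        await HttpContext.SignInAsync(IdentityConstants.ApplicationScheme, result.Principal);
        await HttpContext.SignOutAsync(IdentityConstants.ExternalScheme);
        return LocalRedirect("/");
    }
}
```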