问题

I'm using OIDC with Identity Server 4 which is authenticating with Okta.
我正在使用Identity Server 4进行OIDC认证，该认证与Okta集成。

I'm calling var result = await HttpContext.AuthenticateAsync("Identity.External"); in a callback method.
我在回调方法中调用了var result = await HttpContext.AuthenticateAsync("Identity.External");。

I chose Identity.External as the scheme because I noticed that was the name of the cookie in the request to the callback method:
我选择Identity.External作为方案，因为我注意到这是请求到回调方法的cookie的名称：

However, I realised I could rename this cookie using this code in Startup.ConfigureServices():
然而，我意识到我可以使用Startup.ConfigureServices()中的这段代码来重命名此cookie：

services.ConfigureExternalCookie(config =>
{
config.Cookie.Name = "test12";
});

But after renaming the cookie, the call to HttpContext.AuthenticateAsync("Identity.External") still works, so it appears that the scheme name has nothing to do with this cookie name.
但是，在重命名cookie后，调用HttpContext.AuthenticateAsync("Identity.External")仍然有效，因此似乎方案名称与此cookie名称无关。

How do we know what string value to put in there?
我们如何知道要放入哪个字符串值？

Is there a list of acceptable values somewhere?
是否有可接受的值列表？

Here's my Startup.ConfigureServices():
这是我的Startup.ConfigureServices()：

services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; // "Cookies"
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
options.DefaultSignOutScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
.AddOpenIdConnect("oidc", "OpenIdConnect", options =>
{
options.Authority = "oktaUrlHere";
options.ClientId = "clientIdHere";
options.ClientSecret = "clientSecretHere";
options.SaveTokens = true;
options.ResponseType = "code";
options.Scope.Add("groups");
options.Scope.Add("email");
options.Events = new CustomOpenIdConnectEvents
{
// ...
};
});

UPDATE:

I tried prepending the scheme with "1" just to see what would happen:
我尝试在方案前加上“1”只是为了看看会发生什么：

var result = await HttpContext.AuthenticateAsync("1Identity.External");

It returned this error which contains a list of registered schemes:
它返回了包含注册方案列表的错误：

An unhandled exception occurred while processing the request.
未处理的异常在处理请求时发生。

InvalidOperationException: No authentication handler is registered for the scheme '1Identity.External'.
InvalidOperationException: 未为方案'1Identity.External'注册身份验证处理程序。

The registered schemes are: Identity.Application, Identity.External, Identity.TwoFactorRememberMe, Identity.TwoFactorUserId, idsrv, idsrv.external, Cookies, oidc. Did you forget to call AddAuthentication().AddSomeAuthHandler?
已注册的方案包括：Identity.Application、Identity.External、Identity.TwoFactorRememberMe、Identity.TwoFactorUserId、idsrv、idsrv.external、Cookies、oidc。您是否忘记调用AddAuthentication().AddSomeAuthHandler？

Are these schemes all registered by default?
这些方案是否都是默认注册的？

Is this documented anywhere?
这是否在任何地方有文档记录？

UPDATE:

I put a breakpoint in the following code to view the values for the properties on options:
我在以下代码中设置了断点以查看options上属性的值：

services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
options.DefaultSignOutScheme = OpenIdConnectDefaults.AuthenticationScheme;
})

I can see the default value for DefaultAuthenticateScheme is Identity.Application, and the default value for DefaultSignInScheme is Identity.External.
我可以看到DefaultAuthenticateScheme的默认值是Identity.Application，而DefaultSignInScheme的默认值是Identity.External。

Since options.DefaultAuthenticateScheme has a value, options.DefaultScheme ("Cookies") will not be used.
由于options.DefaultAuthenticateScheme有值，因此不会使用options.DefaultScheme（"Cookies"）。

According to msdn, DefaultAuthenticateScheme is:
根据msdn，DefaultAuthenticateScheme是：

used as the default scheme by AuthenticateAsync(HttpContext, String).
用作AuthenticateAsync(HttpContext, String)的默认方案。

If that's the case, why does the scheme passed to AuthenticateAsync() need to be the value for DefaultSignInScheme ("Identity.External") and not DefaultAuthenticateScheme ("Identity.Application")?
如果是这样，为什么传递给AuthenticateAsync()的方案需要是DefaultSignInScheme（"Identity.External"）的值，而不是DefaultAuthenticateScheme（"Identity.Application"）的值？

UPDATE:

In this Duende example, they use:
在这个Duende示例中，他们使用：

services.AddAuthentication()
.AddOpenIdConnect("AAD", "Employee Login", options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

    // other options omitted
});

and authenticate using:
并且使用以下方式进行身份验证：

var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);

which also goes against what the Microsoft documentation says.
这也违反了Microsoft文档的说法。

    services.ConfigureExternalCookie(config =>
    {                
        config.Cookie.Name = "test12";
    });

services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; // "Cookies"
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    options.DefaultSignOutScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
.AddOpenIdConnect("oidc", "OpenIdConnect", options =>
{
    options.Authority = "oktaUrlHere";
    options.ClientId = "clientIdHere";
    options.ClientSecret = "clientSecretHere";
    options.SaveTokens = true;
    options.ResponseType = "code";
    options.Scope.Add("groups");
    options.Scope.Add("email");
    options.Events = new CustomOpenIdConnectEvents
    {
        ...
    };
});

var result = await HttpContext.AuthenticateAsync("1Identity.External");

An unhandled exception occurred while processing the request.
InvalidOperationException: No authentication handler is registered for the scheme '1Identity.External'.

The registered schemes are: Identity.Application, Identity.External, Identity.TwoFactorRememberMe, Identity.TwoFactorUserId, idsrv, idsrv.external, Cookies, oidc. Did you forget to call AddAuthentication().Add[SomeAuthHandler]("1Identity.External",...)?

services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    options.DefaultSignOutScheme = OpenIdConnectDefaults.AuthenticationScheme;
})

services.AddAuthentication()
    .AddOpenIdConnect("AAD", "Employee Login", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

        // other options omitted
    });

var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);

答案1

得分: 1

cookie的名称与你试图做的事情无关。

在客户端配置中，通常会有类似以下的内容：

services.AddAuthentication(options =>
{
	options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
	options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
}).AddCookie(opt =>
{
   ...
}).AddOpenIdConnect(options =>
{
   ...
});

在这个方法中放置的是

HttpContext.AuthenticateAsync("Identity.External")

这是方案的名称。

但是，通常情况下，当你使用OpenIDConnect时，你希望通过OpenIDConnect处理程序来挑战用户，因此，如果你试图实现的目标是要求用户登录，则应该使用类似以下的内容：

HttpContext.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme)

总结一下：

你可以随意命名处理程序，然后注册处理程序处理哪个事件。

services.AddAuthentication(options =>
{
    options.DefaultScheme = "MyCookieScheme";  // 除了Challenge之外的所有情况都使用cookie处理程序
    options.DefaultChallengeScheme = "MyOIDCScheme";
}).AddCookie("MyCookieScheme", opt =>
{
}).AddOpenIdConnect("MyOIDCScheme", options =>
{
});

然后在代码的其他地方，当你想要要求用户登录时：

// 请使用名称为MyOIDCScheme的处理程序来挑战用户
HttpContext.AuthenticateAsync("MyOIDCScheme");

关于关于这些特定名称的问题，这些名称是由IdentityServer在内部注册的，例如，查看这里的日志：
https://github.com/DuendeSoftware/Support/issues/477

日志输出中表示：

[13:35:16 Information] Duende.IdentityServer.Startup
Using the default authentication scheme Identity.Application for IdentityServer

[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.Application as default ASP.NET Core scheme for authentication

[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.External as default ASP.NET Core scheme for sign-in

[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.External as default ASP.NET Core scheme for sign-out

[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.Application as default ASP.NET Core scheme for challenge

[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.Application as default ASP.NET Core scheme for forbid

services.AddAuthentication(options =>
{
	options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
	options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
}).AddCookie(opt =>
{
   ...

}).AddOpenIdConnect(options =>
{
   ...
});

HttpContext.AuthenticateAsync("Identity.External") 

HttpContext.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme)

services.AddAuthentication(options =>
{
    options.DefaultScheme = "MyCookieScheme";		//Do use the cookie handler for everyhthing except Challenge
    options.DefaultChallengeScheme = "MyOIDCScheme";
}).AddCookie("MyCookieScheme", opt =>
{
}).AddOpenIdConnect("MyOIDCScheme",options =>
{
});

//Please use the handler with the MyOIDCScheme name to challenge the user 
HttpContext.AuthenticateAsync("MyOIDCScheme");

[13:35:16 Information] Duende.IdentityServer.Startup
Using the default authentication scheme Identity.Application for IdentityServer

[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.Application as default ASP.NET Core scheme for authentication

[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.External as default ASP.NET Core scheme for sign-in

[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.External as default ASP.NET Core scheme for sign-out

[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.Application as default ASP.NET Core scheme for challenge

[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.Application as default ASP.NET Core scheme for forbid