What to put for the scheme in AuthenticationHttpContextExtensions.AuthenticateAsync()


Question

I'm using OIDC with Identity Server 4 which is authenticating with Okta.

I'm calling var result = await HttpContext.AuthenticateAsync("Identity.External"); in a callback method.

I chose Identity.External as the scheme because I noticed that was the name of the cookie in the request to the callback method:
[screenshot: the cookies on the request to the callback method]

However, I realised I could rename this cookie using this code in Startup.ConfigureServices():

    services.ConfigureExternalCookie(config =>
    {                
        config.Cookie.Name = "test12";
    });

[screenshot: the renamed cookie on the request to the callback method]

But after renaming the cookie, the call to HttpContext.AuthenticateAsync("Identity.External") still works, so it appears that the scheme name has nothing to do with this cookie name.

How do we know what string value to put in there?

Is there a list of acceptable values somewhere?

Here's my Startup.ConfigureServices():

services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; // "Cookies"
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    options.DefaultSignOutScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
.AddOpenIdConnect("oidc", "OpenIdConnect", options =>
{
    options.Authority = "oktaUrlHere";
    options.ClientId = "clientIdHere";
    options.ClientSecret = "clientSecretHere";
    options.SaveTokens = true;
    options.ResponseType = "code";
    options.Scope.Add("groups");
    options.Scope.Add("email");
    options.Events = new CustomOpenIdConnectEvents
    {
        ...
    };
});

UPDATE:

I tried prepending the scheme with "1" just to see what would happen:

var result = await HttpContext.AuthenticateAsync("1Identity.External");

It returned this error which contains a list of registered schemes:

An unhandled exception occurred while processing the request.
InvalidOperationException: No authentication handler is registered for the scheme '1Identity.External'.

The registered schemes are: Identity.Application, Identity.External, Identity.TwoFactorRememberMe, Identity.TwoFactorUserId, idsrv, idsrv.external, Cookies, oidc. Did you forget to call AddAuthentication().Add[SomeAuthHandler]("1Identity.External",...)?

Are these schemes all registered by default?

Is this documented anywhere?

UPDATE:

I put a breakpoint in the following code to view the values for the properties on options:

services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    options.DefaultSignOutScheme = OpenIdConnectDefaults.AuthenticationScheme;
})

I can see the default value for DefaultAuthenticateScheme is Identity.Application, and the default value for DefaultSignInScheme is Identity.External.

Since options.DefaultAuthenticateScheme has a value, options.DefaultScheme ("Cookies") will not be used.

According to msdn, DefaultAuthenticateScheme is:

> used as the default scheme by AuthenticateAsync(HttpContext, String).

If that's the case, why does the scheme passed to AuthenticateAsync() need to be the value for DefaultSignInScheme ("Identity.External") and not DefaultAuthenticateScheme ("Identity.Application")?

UPDATE:

In this Duende example, they use:

services.AddAuthentication()
    .AddOpenIdConnect("AAD", "Employee Login", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

        // other options omitted
    });

and authenticate using:

var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);

which also goes against what the Microsoft documentation says.
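The remote OIDC handler signs the external identity in under its SignInScheme, which falls back to DefaultSignInScheme, so the callback has to read it back from that scheme rather than from DefaultAuthenticateScheme. As an added example (not code from the question, the answer or IdentityServer), a callback that does exactly that and then establishes the local session; it assumes an IdentityServer host using ASP.NET Core Identity, where that scheme is IdentityConstants.ExternalScheme ("Identity.External"), and the local-user lookup is a placeholder.

```csharp
// Added example, not from the question or IdentityServer. Assumes an IdentityServer host with
// ASP.NET Core Identity, so the OIDC handler's SignInScheme resolves to "Identity.External".
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class ExternalController : Controller
{
    private readonly IAuthenticationSchemeProvider _schemes;
    public ExternalController(IAuthenticationSchemeProvider schemes) => _schemes = schemes;

    // The "list of acceptable values" is whatever is registered at runtime: the same names the
    // InvalidOperationException enumerates. Log this at startup; do not expose it on a public endpoint.
    public async Task<IReadOnlyList<string>> RegisteredSchemeNamesAsync()
    {
        var all = await _schemes.GetAllSchemesAsync();
        return all.Select(s => $"{s.Name} -> {s.HandlerType.Name}").ToList();
    }

    [HttpGet("/external/callback")]
    public async Task<IActionResult> Callback()
    {
        // Read the external identity from the scheme the OIDC handler signed in to (its SignInScheme,
        // falling back to DefaultSignInScheme). The application cookie does not exist yet at this point.
        var signIn = await _schemes.GetDefaultSignInSchemeAsync();
        var externalScheme = signIn?.Name ?? IdentityConstants.ExternalScheme;
        var result = await HttpContext.AuthenticateAsync(externalScheme);
        if (!result.Succeeded || result.Principal is null)
            return Unauthorized(); // no valid external cookie: never fall through to a local sign-in

        // The provider's stable subject: "sub" is mapped to NameIdentifier by the default claim mapping.
        var subject = result.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value
                      ?? result.Principal.FindFirst("sub")?.Value;
        if (string.IsNullOrEmpty(subject))
            return BadRequest("external identity has no subject claim");

        // Placeholder for looking up or provisioning the local user by (provider, subject).
        var local = new ClaimsIdentity(IdentityConstants.ApplicationScheme);
        local.AddClaim(new Claim(ClaimTypes.NameIdentifier, subject));

        // Issue the application session, then drop the temporary external cookie so the external
        // identity cannot be replayed into a second local sign-in.
        await HttpContext.SignInAsync(IdentityConstants.ApplicationScheme, new ClaimsPrincipal(local));
        await HttpContext.SignOutAsync(externalScheme);
        return LocalRedirect("/");
    }
}
```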

Answer 1

Score: 1


The name of the cookie is unrelated to what you are trying to do.

In your Client configuration, you typically have something like this:

services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
}).AddCookie(opt =>
{
    ...
}).AddOpenIdConnect(options =>
{
    ...
});

What you put inside this method

HttpContext.AuthenticateAsync("Identity.External")

is the name of the scheme.

But, typically, when you use OpenIDConnect, you want to challenge the user via the OpenIDConnect handler, so if what you are trying to achieve is to ask the user to login, then you should use something like this:

HttpContext.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme)

To summarize:

you can name the handlers whatever you like, and then you register what handler to handle which event.

services.AddAuthentication(options =>
{
    options.DefaultScheme = "MyCookieScheme";        // Use the cookie handler for everything except Challenge
    options.DefaultChallengeScheme = "MyOIDCScheme";
}).AddCookie("MyCookieScheme", opt =>
{
}).AddOpenIdConnect("MyOIDCScheme", options =>
{
});

Then, later in the code, when you want to ask the user to log in:

// Please use the handler registered under the MyOIDCScheme name to challenge the user
await HttpContext.ChallengeAsync("MyOIDCScheme");

About the question about those specific names, the names are registered internally by IdentityServer, for example, see the log here:
https://github.com/DuendeSoftware/Support/issues/477

It says in the log output:

[13:35:16 Information] Duende.IdentityServer.Startup
Using the default authentication scheme Identity.Application for IdentityServer

[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.Application as default ASP.NET Core scheme for authentication

[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.External as default ASP.NET Core scheme for sign-in

[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.External as default ASP.NET Core scheme for sign-out

[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.Application as default ASP.NET Core scheme for challenge

[13:35:16 Debug] Duende.IdentityServer.Startup
Using Identity.Application as default ASP.NET Core scheme for forbid

huangapple
  • Posted by huangapple on 2023-05-10 15:33:05
  • Please keep this link when reposting: https://go.coder-hub.com/76215954.html