Authenticating against a local AD in an Angular application

Updated: 2024-10-27 00:26:43

Question

I've been developing an Angular app with .NET Core backend (services). The task is to enable an integrated authentication, i.e. make it work with the local user seamlessly, so I login to my (connected to a local AD) machine once and the web application lets me in without the necessity to login a second time. We've been working with Identity Server 4 and intended to implement this scenario using it.

There is a little documentation on the official website concerning the Windows Authentication (e.g. against Active directory): docs.identityserver.io/en/latest/topics/windows.html but it doesn't explain much. As per my info, to make this scenario work the browser utilizes either Kerberos or NTLM. Neither of them is mentioned in the IS4 docs. I'm lacking the understanding of how the local credentials are getting picked up and how IS4 'knows' the user belongs to AD? How I can make sure only the users from a specific domain have access to my app?

I found some working stuff here github/damienbod/AspNetCoreWindowsAuth but questions remain the same. Even though I was able to get to the app with my local account I don't understand the flow.

I expect the user utilizing the app in the local network to log-in to the app without entering the login/password (once he's already logged in to the Windows). Is this something achievable?

Recommended answer

Identity Server is intended to serve as an Identity Provider. If you need to talk with your AD, you should see the Federation Gateway architecture they propose using the IAuthenticationSchemeProvider, where Identity Server acts as an endpoint and talks with your AD.

Here is the link:

docs.identityserver.io/en/latest/topics/federation_gateway.html

You have the control to programmatically reach your AD and pass the correct credentials to get the authentication. That step should be done in your Identity Server. After you get authenticated you should get redirected to your application again. About your last question, the answer is yes: if you have your website hosted on an intranet and you have access to your AD, you don't need to capture the credentials as user input; you can programmatically reach the AD, as I said.

Below is the code I use to connect with my Active Directory.

On the ExternalController class you get when you use IdentityServer, you have this (I don't remember off the top of my head how much I changed from the original code, but you should get the idea):

// These two methods live inside the ExternalController of the IdentityServer4
// quickstart UI; the usings below are the ones the snippet depends on.
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading.Tasks;
using IdentityModel;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

/// <summary>
/// initiate roundtrip to external authentication provider
/// </summary>
[HttpGet]
public async Task<IActionResult> Challenge(string provider, string returnUrl)
{
    if (string.IsNullOrEmpty(returnUrl)) returnUrl = "~/";

    // validate returnUrl - either it is a valid OIDC URL or back to a local page
    if (Url.IsLocalUrl(returnUrl) == false && _interaction.IsValidReturnUrl(returnUrl) == false)
    {
        // user might have clicked on a malicious link - should be logged
        throw new Exception("invalid return URL");
    }

    if (AccountOptions.WindowsAuthenticationSchemeName == provider)
    {
        // windows authentication needs special handling
        return await ProcessWindowsLoginAsync(returnUrl);
    }
    else
    {
        // start challenge and roundtrip the return URL and scheme
        var props = new AuthenticationProperties
        {
            RedirectUri = Url.Action(nameof(Callback)),
            Items =
            {
                { "returnUrl", returnUrl },
                { "scheme", provider },
            }
        };

        return Challenge(props, provider);
    }
}

private async Task<IActionResult> ProcessWindowsLoginAsync(string returnUrl)
{
    // see if windows auth has already been requested and succeeded
    var result = await HttpContext.AuthenticateAsync(AccountOptions.WindowsAuthenticationSchemeName);
    if (result?.Principal is WindowsPrincipal wp)
    {
        // we will issue the external cookie and then redirect the
        // user back to the external callback, in essence, testing windows
        // auth the same as any other external authentication mechanism
        var props = new AuthenticationProperties()
        {
            RedirectUri = Url.Action("Callback"),
            Items =
            {
                { "returnUrl", returnUrl },
                { "scheme", AccountOptions.WindowsAuthenticationSchemeName },
            }
        };

        // the Windows identity name arrives as DOMAIN\user; it becomes both subject and name claim
        var id = new ClaimsIdentity(AccountOptions.WindowsAuthenticationSchemeName);
        id.AddClaim(new Claim(JwtClaimTypes.Subject, wp.Identity.Name));
        id.AddClaim(new Claim(JwtClaimTypes.Name, wp.Identity.Name));

        // add the groups as claims -- be careful if the number of groups is too large
        if (AccountOptions.IncludeWindowsGroups)
        {
            var wi = wp.Identity as WindowsIdentity;
            var groups = wi.Groups.Translate(typeof(NTAccount));
            var roles = groups.Select(x => new Claim(JwtClaimTypes.Role, x.Value));
            id.AddClaims(roles);
        }

        await HttpContext.SignInAsync(
            IdentityServer4.IdentityServerConstants.ExternalCookieAuthenticationScheme,
            new ClaimsPrincipal(id),
            props);
        return Redirect(props.RedirectUri);
    }
    else
    {
        // trigger windows auth
        // since windows auth don't support the redirect uri,
        // this URL is re-triggered when we call challenge
        return Challenge(AccountOptions.WindowsAuthenticationSchemeName);
    }
}

If you want to use Azure AD, I would recommend you to read this article: damienbod/2019/05/17/updating-microsoft-account-logins-in-asp-net-core-with-openid-connect-and-azure-active-directory/
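An added example, not code from the answer above or from IdentityServer4, covering the part of the question the answer leaves open (making sure only users from a specific domain get in): a minimal ASP.NET Core host that accepts the Windows identity the browser negotiates (Kerberos, with NTLM fallback) and authorizes only accounts from an allowed AD domain. The domain names CORP and corp.example, the policy name and the /whoami endpoint are assumptions. The same WindowsAccount.IsFromDomain check can be applied to wp.Identity.Name inside ProcessWindowsLoginAsync, before the external cookie is issued, so that IS4 never signs in a principal from a foreign domain.

```csharp
// Added example (not the answer's or IdentityServer4's code). Assumes the
// Microsoft.AspNetCore.Authentication.Negotiate package and .NET 6+ minimal hosting.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// On Kestrel the Negotiate handler does the Kerberos/NTLM exchange: the browser
// sends a Kerberos ticket (or an NTLM token when no SPN exists for the service
// account) in the Authorization header and no password ever reaches the app.
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
    .AddNegotiate();

// Assumed allowed domains: the NetBIOS name and the DNS name of the same forest.
var allowedDomains = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "CORP", "corp.example" };

builder.Services.AddAuthorization(options =>
{
    // The domain is taken from the identity name Windows hands over, which is
    // DOMAIN\user for a classic logon or user@domain.fqdn for a UPN logon.
    options.AddPolicy("CorpDomainOnly", policy =>
        policy.RequireAuthenticatedUser()
              .RequireAssertion(ctx => WindowsAccount.IsFromDomain(ctx.User, allowedDomains)));

    // Fallback policy: endpoints without an explicit policy get this one, so an
    // endpoint added later cannot silently be reachable from another domain.
    options.FallbackPolicy = options.GetPolicy("CorpDomainOnly");
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Assumed endpoint: echoes how the negotiated identity was parsed.
app.MapGet("/whoami", (ClaimsPrincipal user) =>
{
    var (domain, account) = WindowsAccount.Split(user.Identity?.Name ?? string.Empty);
    return $"domain={domain} account={account}";
});

app.Run();

public static class WindowsAccount
{
    // Splits "CORP\alice" into ("CORP", "alice") and "alice@corp.example" into
    // ("corp.example", "alice"). Any other shape yields an empty domain so that
    // the membership check below fails closed.
    public static (string Domain, string Account) Split(string name)
    {
        var backslash = name.IndexOf('\\');
        if (backslash > 0)
            return (name[..backslash], name[(backslash + 1)..]);

        var at = name.IndexOf('@');
        if (at > 0)
            return (name[(at + 1)..], name[..at]);

        return (string.Empty, name);
    }

    // AD names are case-insensitive; the HashSet is built with an
    // OrdinalIgnoreCase comparer so "corp\Alice" and "CORP\alice" match alike.
    public static bool IsFromDomain(ClaimsPrincipal user, ISet<string> allowedDomains)
    {
        var (domain, _) = Split(user.Identity?.Name ?? string.Empty);
        return domain.Length > 0 && allowedDomains.Contains(domain);
    }
}
```

For the browser to answer the Negotiate challenge without a prompt, the site must be in the intranet zone (or otherwise trusted for integrated authentication) and, for Kerberos rather than NTLM, an SPN for the host name must be registered on the service account; behind IIS, Windows Authentication is enabled in IIS instead and the handler above is not needed. The authorization policy is what enforces the domain restriction; the authentication step alone only proves who the caller is.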

Published: 2023-11-12 19:12:52
Source: https://www.elefans.com/category/jswz/34/1582292.html