如何在单个 Microsoft ASP.NET MVC Web 应用程序中同时支持个人用户帐户和工作或学校帐户？答案

【问题标题】：How can I support both Individual User Accounts and Work or School Accounts in a single Microsoft ASP.NET MVC web application?如何在单个 Microsoft ASP.NET MVC Web 应用程序中同时支持个人用户帐户和工作或学校帐户？
【发布时间】：2019-07-09 18:51:05
【问题描述】：

我想创建一个 ASP.NET MVC Web 应用程序，其中用户身份验证机制基于用户类型。因此，如果单击个人帐户，他将被重定向到应用程序的登录页面。如果他单击公司帐户，那么他将被重定向到 Azure AD 登录页面。实际上，该应用程序将支持基于表单的 ASP.NET Identity 身份验证和多租户 Azure AD 身份验证。

在单个 ASP.NET MVC Web 应用程序中实现此类功能的最佳方式是什么？ 具体来说，我需要对 Startup 类中的中间件代码进行哪些更改？

ASP.NET MVC 版本：5.2

.NET 框架：4.7

Visual Studio IDE：2017 社区

作为参考，如果我在创建全新的 Web 应用程序时选择个人用户帐户模板，我会得到以下代码：

// For more information on configuring authentication, please visit https://go.microsoft.com/fwlink/?LinkId=301864
public void ConfigureAuth(IAppBuilder app)
{
    // Configure the db context, user manager and signin manager to use a single instance per request
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

    // Enable the application to use a cookie to store information for the signed in user
    // and to use a cookie to temporarily store information about a user logging in with a third party login provider
    // Configure the sign in cookie
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.  
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });            
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

    // Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
    app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));

    // Enables the application to remember the second login verification factor such as phone or email.
    // Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
    // This is similar to the RememberMe option when you log in.
    app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);

    // Uncomment the following lines to enable logging in with third party login providers
    //app.UseMicrosoftAccountAuthentication(
    //    clientId: "",
    //    clientSecret: "");

    //app.UseTwitterAuthentication(
    //   consumerKey: "",
    //   consumerSecret: "");

    //app.UseFacebookAuthentication(
    //   appId: "",
    //   appSecret: "");

    //app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
    //{
    //    ClientId = "",
    //    ClientSecret = ""
    //});
}

如果我选择Azure AD登录（多个组织），以下是代码：

private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
private string appKey = ConfigurationManager.AppSettings["ida:ClientSecret"];
private string graphResourceID = "https://graph.windows.net";
private static string aadInstance = EnsureTrailingSlash(ConfigurationManager.AppSettings["ida:AADInstance"]);
private string authority = aadInstance + "common";
private ApplicationDbContext db = new ApplicationDbContext();

public void ConfigureAuth(IAppBuilder app)
{

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions { });

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
            {
                // instead of using the default validation (validating against a single issuer value, as we do in line of business apps), 
                // we inject our own multitenant validation logic
                ValidateIssuer = false,
            },
            Notifications = new OpenIdConnectAuthenticationNotifications()
            {
                SecurityTokenValidated = (context) => 
                {
                    return Task.FromResult(0);
                },
                AuthorizationCodeReceived = (context) =>
                {
                    var code = context.Code;

                    ClientCredential credential = new ClientCredential(clientId, appKey);
                    string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
                    string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;

                    AuthenticationContext authContext = new AuthenticationContext(aadInstance + tenantID, new ADALTokenCache(signedInUserID));
                    AuthenticationResult result = authContext.AcquireTokenByAuthorizationCodeAsync(
                        code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceID).Result;

                    return Task.FromResult(0);
                },
                AuthenticationFailed = (context) =>
                {
                    context.OwinContext.Response.Redirect("/Home/Error");
                    context.HandleResponse(); // Suppress the exception
                    return Task.FromResult(0);
                }
            }
        });

}

private static string EnsureTrailingSlash(string value)
{
    if (value == null)
    {
        value = string.Empty;
    }

    if (!value.EndsWith("/", StringComparison.Ordinal))
    {
        return value + "/";
    }

    return value;
}

【问题讨论】：

您将不得不实现自己的SignInManager、UserManager 等。不难，接口就在那里。
查看多租户 Azure AD 应用程序 - docs.microsoft.com/en-us/azure/active-directory/develop/…
具体来说，我需要对 Startup 类中的中间件代码进行哪些更改以适应基于某种请求 URL 模式的两种身份验证机制？

标签： asp.net-mvc azure asp.net-identity azure-active-directory

【解决方案1】：

假设您有一个至少名为 Home 的控制器或任何您需要使用 owin 中间件的控制器。

如果使用个人帐户访问应用程序，将使用以下操作。

登录（使用本地或任何类型的身份验证）
注销（从应用程序中注销）

我不打算详细介绍登录和注销，因为我认为您已经实现了它们。

如果想从任何学校或组织帐户登录，您也必须具备这些操作

 public void SignIn()
    {
            HttpContext.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }

    public void SignOut()
    {
        // Send an OpenID Connect sign-out request.
        HttpContext.GetOwinContext().Authentication.SignOut(
            OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);
    }
    public void EndSession()
    {
        // If AAD sends a single sign-out message to the app, end the user's session, but don't redirect to AAD for sign out.
        HttpContext.GetOwinContext().Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
    }

    public void UserNotBelongToSystem()
    {
        // If AAD sends a single sign-out message to the app, end the user's session, but don't redirect to AAD for sign out.
        HttpContext.GetOwinContext().Authentication.SignOut(
           OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);
    }

然后是启动类

 public  partial class Startup
{
}

以下是使用的命名空间。

using Castle.MicroKernel.Registration;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using System.Collections.Generic;
using System.Configuration;
using System.Globalization;
using System.Runtime.Serialization;
using System.Security.Claims;

启动中有一个方法为

 private static Task RedirectToIdentityProvider(Microsoft.Owin.Security.Notifications.RedirectToIdentityProviderNotification<Microsoft.IdentityModel.Protocols.OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> arg)
        {
            string appBaseUrl = arg.Request.Scheme + "://" + arg.Request.Host + arg.Request.PathBase;
            arg.ProtocolMessage.RedirectUri = appBaseUrl + "/";
            arg.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;
            arg.ProtocolMessage.Prompt = "login";
            if (arg.ProtocolMessage.State != null)
            {
                var stateQueryString = arg.ProtocolMessage.State.Split('=');
                var protectedState = stateQueryString[1];
                var state = arg.Options.StateDataFormat.Unprotect(protectedState);
                state.Dictionary.Add("mycustomparameter", UtilityFunctions.Encrypt("myvalue"));
                arg.ProtocolMessage.State = stateQueryString[0] + "=" + arg.Options.StateDataFormat.Protect(state);
            }
            return Task.FromResult(0);
        }

通过上述操作，您将自定义值发送给 azure authehtication 提供程序，表明此请求最初是由您生成的。

因为一旦您收到响应，您需要验证是您将请求重定向到身份提供者进行身份验证

 private static Task OnMessageReceived(Microsoft.Owin.Security.Notifications.MessageReceivedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
        {
            if (notification.ProtocolMessage.State != null)
            {
                string mycustomparameter;
                var protectedState = notification.ProtocolMessage.State.Split('=')[1];
                var state = notification.Options.StateDataFormat.Unprotect(protectedState);
                state.Dictionary.TryGetValue("mycustomparameter", out mycustomparameter);
                if (UtilityFunctions.Decrypt(mycustomparameter) != "myvalue")
                    throw new System.IdentityModel.Tokens.SecurityTokenInvalidIssuerException();
            }
            return Task.FromResult(0);
        }

以下是在启动时令牌过期的情况下注销或处理用户的方法

 private Task AuthenticationFailed(Microsoft.Owin.Security.Notifications.AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
        {
            //context.HandleResponse();
            //context.Response.Redirect("/Error?message=" + context.Exception.Message);
            return Task.FromResult(0);
        }

        private Task SecurityTokenValidated(Microsoft.Owin.Security.Notifications.SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
        {
            string userID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value;            
            return Task.FromResult(0);
        }

之后，一旦您在 OnMessageReceived 方法中验证了响应，声明就会添加到身份验证令牌中

    private Task AuthorizationCodeReceived(Microsoft.Owin.Security.Notifications.AuthorizationCodeReceivedNotification context)
        {
            var code = context.Code;
            string userID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value;

            var _objUser = Users.CheckIfTheUserExistInOurSystem(userID);//check this in system again your choice depends upone the requiement you have
            if (_objUser == null)
            {
                context.HandleResponse();
              //  context.OwinContext.Authentication.SignOut(OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);
                context.Response.Redirect("Home/UserNotBelongToSystem");// same mehthod added above as to signout 
                // throw new System.IdentityModel.Tokens.SecurityTokenValidationException();
            }
            else
            {
                _objUser.IsAZureAD = true;// setting true to find out at the time of logout where to redirect
               var claims = Users.GetCurrentUserAllClaims(_objUser);//You can create your claims any way you want just getting from other method. and same was used in case of the normal login
                context.AuthenticationTicket.Identity.AddClaims(claims);
 context.OwinContext.Authentication.SignIn(context.AuthenticationTicket.Identity);
                context.HandleResponse();
                context.Response.Redirect("Home/Main");
            }

}

最后但同样重要的是，您可以检查用户声明以查看当前登录的用户是否来自 Azure，以便重定向到特定的注销页面

 if (CurrentUser.IsAZureAD) { LogoutUrl = Url.Content("~/Home/SignOut"); } else { LogoutUrl = Url.Content("~/Home/LogOut");

CurrentUser.IsAZureAD 将无法使用，除非您开设这样的课程

  public class CurrentUser: ClaimsPrincipal
    {
        public CurrentUser(ClaimsPrincipal principal)
            : base(principal)
        {
        }

        public string Name
        {
            get
            {
                // return this.FindFirst(ClaimTypes.Name).Value;
                return this.FindFirst("USER_NAME").Value;
            }
        }


        public bool IsAZureAD
        {
            get
            {
                return Convert.ToBoolean(this.FindFirst("IsAZureAD").Value);
            }
        }
    }

【讨论】：