Asp.net Identity using password and Azure Active D

2019-02-08 07:54发布

问题:

I'm building an ASP.NET MVC 5 web site using Asp.net Identity (OWIN) and want to support both traditional username/password authentication as well as authentication against Azure Active Directory. This app does not need to authenticate against Microsoft IDs (Live IDs), Facebook, Twitter or any of the other external providers. The closest SO question I found is this one: How to do both Azure Active Directory Single Sign On and Forms Authentications on ASP.NET MVC

I've looked at the samples that get created when you create a project using the "Individual User Accounts" option as well as the "Work and School Accounts" option in VS 2015. I have authentication working well individually; it's only when I try to combine them that I'm running into problems.

In my Startup_Auth.cs file, I am configuring OWIN like this:

    public void ConfigureAuth(IAppBuilder app)
    {

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        //app.UseCookieAuthentication(new CookieAuthenticationOptions { });

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ExternalCookie,
            LoginPath = new PathString("/account/sign-in")
        });

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
                {
                    ValidateIssuer = false,
                },
                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    SecurityTokenValidated = (context) => 
                    {
                        return Task.FromResult(0);
                    },
                    AuthorizationCodeReceived = (context) =>
                    {
                        return Task.FromResult(0);
                    },
                    AuthenticationFailed = (context) =>
                    {
                        context.OwinContext.Response.Redirect("/Home/Error");
                        context.HandleResponse(); // Suppress the exception
                        return Task.FromResult(0);
                    }
                }
            }
        );
    }  

This configuration works for password authentication, but doesn't work for AAD authentication. To enable AAD authentication I need to either comment out the line setting the AuthenticationType

AuthenticationType = DefaultAuthenticationTypes.ExternalCookie,

Or, just set CookieAuthentication with no values.

app.UseCookieAuthentication(new CookieAuthenticationOptions { });

I'd guess that there is a relatively simple approach to this and would appreciate some ideas on where to start looking.

回答1:

I searched examples from Microsoft. And all of them look like your solution. Look here:

  1. WebApp-WSFederation-DotNet
  2. WebApp-MultiTenant-OpenIdConnect-DotNet
  3. WebApp-OpenIDConnect-DotNet

Another example is here with WindowsAzureActiveDirectoryBearerAuthenticationOptions



回答2:

Just recently Damian Edwards from the ASP.NET team open sourced their community standup website on github. They are using Azure AD so I hope it helps in the right direction, I unfortunately don't have any experience with Azure AD.

Here is also the youtube video of the standup where they talk about it, I think there are a few tips and maybe hints which you might be able to make use of.



回答3:

I realize that this is an old question. I am potentially looking to do something similar but probably more like ASP.Net identity auth to more than one Azure AD tenant. I found this Integrating Azure AD into ASP.NET Core where this statement:

...then leverage the OnTokenValidated notification to implement your own issuer validation logic depending on which tenants you want to support (any tenant, Microsoft Account + specific list of Azure AD, single Azure AD, just Microsoft Account, etc)...

leads me to believe that the sample code there may hold the key to this mixed auth scenario.