Question
I have a legacy application that was written using web forms. In this project we started to convert some of the webforms to SPA, angular.js, and WebAPI. The SPA pages communicate directly with the WebAPI. The idea is that eventually, all of the webforms will be converted to the new technology.
For the SPA pages, I've implemented adal.js and for the webforms I'm using ADAL.net. Both are obviously using Azure Active Directory. However, they don't seem to be using the same bearer token, because Single Sign-on is not working. Moving from a webform page to a SPA page requires another login.
How do I get the Single Sign On to work correctly in the project?
My code is below:
// Using directives the snippet depends on (not shown in the original post)
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth( IAppBuilder app )
    {
        // Keep the short JWT claim names ("unique_name", "roles", ...) instead of mapping them to the long WS-* URIs
        JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>( );

        // Web Forms postbacks are authenticated by the cookie issued after the OpenID Connect sign-in
        app.SetDefaultSignInAsAuthenticationType( CookieAuthenticationDefaults.AuthenticationType );
        app.UseCookieAuthentication( new CookieAuthenticationOptions( ) );

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
                Authority = "https://login.microsoftonline.com/XXXXX.onmicrosoft.com",
                PostLogoutRedirectUri = "https://XXXX:4432/gbl/Home.aspx",
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthenticationFailed = context =>
                    {
                        context.HandleResponse( );
                        context.Response.Redirect( "/Error?message=" + context.Exception.Message );
                        return Task.FromResult( 0 );
                    },
                    // Runs once the id_token has been validated; rebuilds the identity with application-specific claims.
                    // getUserNameFromUniqueName, getRoleClaims, ToList2 and ClaimsTransformer are helpers from the poster's own project.
                    SecurityTokenValidated = async n =>
                    {
                        var uniqueName = n.AuthenticationTicket.Identity.FindFirst( "unique_name" ).Value;
                        var userName = getUserNameFromUniqueName( uniqueName );
                        var claims = getRoleClaims( n.AuthenticationTicket.Identity ).ToList2( );
                        claims.Add( new Claim( "unique_name", uniqueName ) );
                        claims.Add( new Claim( ClaimTypes.Name, userName ) );
                        claims.Add( new Claim( ClaimTypes.UserData, "" ) );
                        var profileClaims = new ClaimsTransformer( ).GetTake2ProfileClaims( userName );
                        claims.AddRange( profileClaims );
                        // "given_name" becomes the name claim type and "roles" the role claim type of the new identity
                        var newIdentity = new ClaimsIdentity( n.AuthenticationTicket.Identity.AuthenticationType, "given_name", "roles" );
                        newIdentity.AddClaims( claims );
                        n.AuthenticationTicket = new AuthenticationTicket( newIdentity, n.AuthenticationTicket.Properties );
                    },
                }
            } );
    }
}
Answer 1:
ADAL JS and the OpenId Connect middleware aren't really designed to work together - the fact that your app is implemented in webforms or MVC doesn't really make a difference, the issue is that ADAL JS expects to interact with the backend calling Web API secured via OAuth2 bearer tokens, while OpenId Connect expects to secure full postbacks via cookies. For a backgrounder on the two different approaches, see http://www.cloudidentity.com/blog/2014/04/22/authentication-protocols-web-ux-and-web-api/. I think you'll have to decide whether you want to move to a SPA infrastructure, in which case you can use ADAL JS and the OAuth2 middleware but webforms will be a bit awkward (but still possible), or if you want to stick with a postback based design and use OpenId Connect.
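The answer's point, one backend that must accept two different credential types, is easiest to see in a single OWIN pipeline. The following is an added example, not code from the question or the answer: cookie-plus-OpenID Connect authentication for the Web Forms postbacks, and a separate bearer-token middleware for the Web API the SPA calls with the ADAL JS token, kept apart so the API never relies on the cookie. The tenant, client id, host name and the `Example` namespace are placeholders; `UseWindowsAzureActiveDirectoryBearerAuthentication` comes from the Microsoft.Owin.Security.ActiveDirectory package, and `SuppressDefaultHostAuthentication`/`HostAuthenticationFilter` from System.Web.Http.Owin.

```csharp
// Added example (not from the question or the answer): one OWIN pipeline that
// validates both credential types the answer describes, each on its own terms.
// Tenant, client id and host name below are placeholders.
using System.IdentityModel.Tokens;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.ActiveDirectory;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(Example.Startup))]

namespace Example
{
    public class Startup
    {
        const string Tenant = "TENANT.onmicrosoft.com";                  // placeholder
        const string ClientId = "00000000-0000-0000-0000-000000000000";  // placeholder
        const string Authority = "https://login.microsoftonline.com/" + Tenant;

        public void Configuration(IAppBuilder app)
        {
            // 1. Web Forms pages: interactive OpenID Connect sign-in, session kept in a cookie.
            //    HttpOnly + Secure keep the session cookie out of script and off plain HTTP.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always
            });
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                Authority = Authority,
                PostLogoutRedirectUri = "https://app.example.invalid/Home.aspx"  // placeholder
            });

            // 2. Web API: validate the JWT that ADAL JS sends in "Authorization: Bearer ...".
            //    Pinning ValidAudience to this app's client id rejects tokens that were
            //    issued for some other application in the same tenant.
            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    Tenant = Tenant,
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidAudience = ClientId
                    }
                });

            // 3. Keep the two schemes separate on the API routes: drop the host (cookie)
            //    principal so API calls are only ever authenticated by the bearer token,
            //    which removes the CSRF surface a cookie-authenticated API would have and
            //    stops an API 401 being turned into a redirect to the login page.
            var config = new HttpConfiguration();
            config.SuppressDefaultHostAuthentication();
            config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);
        }
    }
}
```

On the browser side, ADAL JS has to be initialised with an `endpoints` map that associates the Web API's URL with the resource it should request a token for, so that the access token carries the audience the bearer middleware above expects; a token acquired for a different resource will be rejected with 401 by design. If the Web API is registered through `GlobalConfiguration` rather than `app.UseWebApi`, the `SuppressDefaultHostAuthentication` and `HostAuthenticationFilter` calls go into that configuration instead.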
Source: https://stackoverflow.com/questions/32321076/combining-adal-net-and-adal-js