.NET Core 3.0 веб-API со СПА. Мне удалось настроить WS-Fed в приложении (я бы предпочел, чтобы он был опцией аутентификации по умолчанию, но мне придется разобраться с этой проблемой отдельно, чтобы остаться в теме). Однако я не знаю, как сопоставить претензии с политиками. Насколько мне известно, мое веб-приложение даже не видит передаваемые заявки. Однако, если я проверяю запрос WS-Fed (используя расширение rcFederation SAML, WS-Fed и OAuth tracer Chrome), я вижу следующее:
<wa>wsignin1.0</wa><wctx>CfDJ8EDM5Nd0G5JJs8saEKjHJkooGs9x6SLThlpX9OxrE5JJxOC47qfFpcFh2fXNJJLPRH2iLq_g2HlHjQANaYkVn9FDkG7tvS-aKsWFwlEq4-krvTzBKqlD8wnvN_PPk...</wctx><wresult><t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><t:Lifetime><wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2019-06-18T17:02:27.303Z</wsu:Created><wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2019-06-18T18:02:27.303Z</wsu:Expires></t:Lifetime><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>https://localhost:5001/</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><t:RequestedSecurityToken><saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a7c95193-341a-437d-aa69-ccd02c9ee403" Issuer="http://etrak.com/adfs/services/trust" IssueInstant="2019-06-18T17:02:27.317Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Conditions NotBefore="2019-06-18T17:02:27.303Z" NotOnOrAfter="2019-06-18T18:02:27.303Z"><saml:AudienceRestrictionCondition><saml:Audience>https://localhost:5001/</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AttributeStatement><saml:Subject><saml:NameIdentifier>john.williams</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject><saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>john.williams@etrak.com.com</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="surname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>Williams</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="givenname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims"><saml:AttributeValue>CN=AdminUsers,OU=Groups,DC=etrak.com,DC=com</saml:AttributeValue><saml:AttributeValue>CN=AnotherTest Prod,OU=Groups,DC=int,DC=etrak.com,DC=com</saml:AttributeValue><saml:AttributeValue>ABCApp_Admin_Dev</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" AuthenticationInstant="2019-06-18T10:53:38.774Z"><saml:Subject><saml:NameIdentifier>john.williams</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_a7c95193-341a-437d-aa69-ccd02c9ee403"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>Tajh7RowAZ6Pp85uB+WGOzwJhH...</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>UHqln08XkYAHJY3.../ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>MIIC5jCCAc6gAwIBAgIQJ6cBBiEPuZZLPGDy+XcdsjANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBmZWRlcmF0aW9uLmVmd25vdy5jb20wHhcNMTkwNTE0MDgyNzU3WhcNMjAwNTEzMDgyNzU3WjAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBmZWRlcmF0aW9uLmVmd25vdy5jb20wggEiMA...</X509Certificate></X509Data></KeyInfo></ds:Signature></saml:Assertion></t:RequestedSecurityToken><t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType><t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType><t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType></t:RequestSecurityTokenResponse></wresult>
========================
И это из консоли .NET Core Kestrel
dbug: IdentityServer4.Validation.TokenValidator[0]
Calling into custom token validator: IdentityServer4.Validation.DefaultCus
tomTokenValidator
dbug: IdentityServer4.Validation.TokenValidator[0]
Token validation success
{
"ValidateLifetime": true,
"AccessTokenType": "Jwt",
"ExpectedScope": "openid",
"Claims": {
"nbf": 1560877403,
"exp": 1560881003,
"iss": "https://localhost:5001",
"aud": [
"https://localhost:5001/resources",
"WebApplication12API"
],
"client_id": "WebApplication12",
"sub": "66d62ac0-8802-4a8f-8fd0-959af6280ac9",
"auth_time": 1560877403,
"idp": "WsFederation",
"scope": [
"openid",
"profile",
"WebApplication12API"
],
"amr": "external"
}
}
dbug: IdentityServer4.ResponseHandling.UserInfoResponseGenerator[0]
Creating userinfo response
dbug: IdentityServer4.ResponseHandling.UserInfoResponseGenerator[0]
Scopes in access token: openid profile WebApplication12API
dbug: IdentityServer4.ResponseHandling.UserInfoResponseGenerator[0]
Scopes in access token: openid profile WebApplication12API
dbug: IdentityServer4.ResponseHandling.UserInfoResponseGenerator[0]
Requested claim types: sub name family_name given_name middle_name nicknam
e preferred_username profile picture website gender birthdate zoneinfo locale up
dated_at
dbug: IdentityServer4.ResponseHandling.UserInfoResponseGenerator[0]
Scopes in access token: openid profile WebApplication12API
info: IdentityServer4.ResponseHandling.UserInfoResponseGenerator[0]
Profile service returned the following claim types: sub preferred_username
name
dbug: IdentityServer4.Endpoints.UserInfoEndpoint[0]
End userinfo request
Часть, которая говорит Requested claim types: sub name family_name given_name middle_name nicknam
e preferred_username profile picture website gender birthdate zoneinfo locale up
Я предполагаю, потому что я просто добавил аутентификацию WS-Fed в свое приложение. При создании приложения .NET Core API + SPA с индивидуальной аутентификацией в VS2019 используется промежуточное программное обеспечение IdentityServer, и я предполагаю, что это запрошенные заявки по умолчанию. Опять же, хотя я не вижу никаких доказательств того, что мои "запрошены" со стороны .NET Core.
Я видел "официальные" документы Microsoft для авторизации на основе утверждений в ASP.NET Core , но, похоже, это означает, что все, что вам нужно, это добавить сопоставление в Startup.cs и добавить Authorize(Policy="PolicyName")
на контроллере.
Так что я не уверен, что мне нужно делать дальше здесь. Я включу, по крайней мере для меня, соответствующие кусочки кода для этой задачи:
Startup.cs
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.SpaServices.AngularCli;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using WebApplication12.Data;
using WebApplication12.Models;
namespace WebApplication12
{
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddDbContext<ApplicationDbContext>(options =>
options.UseSqlServer(
Configuration.GetConnectionString("DefaultConnection")));
services.AddDefaultIdentity<ApplicationUser>()
.AddEntityFrameworkStores<ApplicationDbContext>();
services.AddIdentityServer()
.AddApiAuthorization<ApplicationUser, ApplicationDbContext>();
services.AddAuthentication()
.AddIdentityServerJwt()
.AddWsFederation(
authenticationScheme: "WsFederation",
displayName: "Click to Login",
options =>
{
// MetadataAddress represents the Active Directory instance used to authenticate users.
options.MetadataAddress = "https://etrak.com/federationmetadata/2007-06/federationmetadata.xml";
// Wtrealm is the app's identifier in the Active Directory instance.
// For ADFS, use the relying party's identifier, its WS-Federation Passive protocol URL:
options.Wtrealm = "https://localhost:5001/";
});
services.AddMvc(options => options.EnableEndpointRouting = false);
services.AddAuthorization(options =>
{
//I am getting multiple group memberships back which is true, but I just need this group
options.AddPolicy("Admin", policy =>
policy.RequireClaim("http://schemas.xmlsoap.org/claims/Group", "ABCApp_Admin_Dev"));
//I am testing to see if claims auth will work on a claim that just returns one value
options.AddPolicy("OneUser", policy =>
policy.RequireClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "John"));
});
// In production, the Angular files will be served from this directory
services.AddSpaStaticFiles(configuration =>
{
configuration.RootPath = "ClientApp/dist";
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
}
else
{
app.UseExceptionHandler("/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseCors(cors =>
{
cors.AllowAnyHeader();
cors.AllowAnyMethod();
cors.AllowAnyOrigin();
});
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseSpaStaticFiles();
app.UseAuthentication();
app.UseIdentityServer();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller}/{action=Index}/{id?}");
});
app.UseSpa(spa =>
{
// To learn more about options for serving an Angular SPA from ASP.NET Core,
// see https://go.microsoft.com/fwlink/?linkid=864501
spa.Options.SourcePath = "ClientApp";
if (env.IsDevelopment())
{
spa.UseAngularCliServer(npmScript: "start");
}
});
}
}
}
SampleDataController
[Authorize(Policy = "OneUser")]
[Route("api/[controller]")]
public class SampleDataController : Controller
{
private static string[] Summaries = new[]
{
"Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
};
[HttpGet("[action]")]
public IEnumerable<WeatherForecast> WeatherForecasts()
{
//Start: JustTrying
//Checking to see where the claims would be stored. This code didn't do anything for me
var u = (User as ClaimsPrincipal).Claims;
foreach (Claim c in u)
{
var b = c;
}
//end JustTrying
var rng = new Random();
return Enumerable.Range(1, 5).Select(index => new WeatherForecast
{
DateFormatted = DateTime.Now.AddDays(index).ToString("d"),
TemperatureC = rng.Next(-20, 55),
Summary = Summaries[rng.Next(Summaries.Length)]
});
}