asp.net-mvc UseCookieAuthentication vs. UseExternalSignInCookie
Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, released under the CC BY-SA 4.0 licence. If you use it, you must do so under the same CC BY-SA licence, cite the original address and author information, and attribute it to the original author (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/26166826/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
UseCookieAuthentication vs. UseExternalSignInCookie
Asked by SiberianGuy
I use Owin to authorize through Google oAuth. Here is how my cookies are configured:
// Enable the application to use a cookie to store information for the signed in user
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Authentication/Login")
});
// Use a cookie to temporarily store information about a user logging in with a third party login provider
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
So I am using both UseCookieAuthentication and UseExternalSignInCookie and it seems redundant. Which of these two AuthenticationTypes should I specify for IAuthenticationManager methods (SignIn, SignOut, etc.)? Or should I keep just one of them?
Update. What confuses me most is the SignIn method:
private async Task SignInAsync(ApplicationUser user, bool isPersistent)
{
    AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
    var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
    AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent }, identity);
}
So it signs out from ExternalCookie, but signs in to ApplicationCookie.
Answered by Badri
You need all of them, if you want Google sign in to work. This is how it works. In the OWIN pipeline, you have three middleware components: (1) the cookie authentication middleware running in active mode, (2) another instance of cookie authentication middleware but running in passive mode, and (3) Google authentication middleware. That will be like so.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    ...
}); // Active
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie); // Passive
app.UseGoogleAuthentication(...);
When there is a 401, your user gets redirected to Google. There, your user logs in and Google validates the credential. Google then redirects the user back to your app. At this point, Google authentication middleware gets the login info, applies a grant (read: external cookie), short circuits the OWIN pipeline and redirects to the external callback URL, which corresponds to the ExternalLoginCallback action method of AccountController. So, at this point, when the request comes to your app as a result of the redirect, you get the external cookie with the user name and email claims.
In order to read this cookie and retrieve the data (user name, etc.) from Google, you use the cookie authentication middleware running in passive mode. Since this middleware runs in passive mode, it must be told to read the cookie. That's what happens when the call to AuthenticationManager.GetExternalLoginInfoAsync() is made in the ExternalLoginCallback action method. At that point, the identity from the external cookie has been established, and this identity contains only the name and email claims from Google.
Typically, at this point you will need to retrieve user specific information from your application data store and add more claims to the identity. So, you call SignOut on the external cookie middleware, which will also ensure the external cookie no longer gets sent back, by expiring it. So, using the identity information available at that time, UserManager.FindAsync is called in the ExternalLoginCallback action method, which should return the user with all application specific claims. Using that new identity, you call SignIn on the cookie authentication middleware running in active mode. This ensures a new cookie is created. Compared to the external cookie, this new cookie contains all the application specific claims. Subsequently, you get this cookie back and the cookie authentication middleware running in active mode actively reads the cookie and establishes the identity with the complete list of all application specific claims.
So, if you do not call SignIn, you will not be creating that cookie containing all application specific claims. But then it is up to you to use some other mechanism. The out of box behavior is that a local cookie containing all the application specific claims is created through that call to SignIn and subsequently read by the cookie middleware running in active mode.
UPDATE: I have created a blog post to explain how you can get away without using two cookie middleware instances. http://lbadri.wordpress.com/2014/10/14/barebones-asp-net-mvc-google-signin-through-owin-middleware/
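The three-middleware flow described in the answer above, written out end to end as an added example (not code from the question, from either answer, or from the linked blog post). It assumes ASP.NET Identity 2.x with Microsoft.AspNet.Identity.Owin and the template's ApplicationUser / ApplicationUserManager types; the controller name, view name and view model are this example's own choices. The external cookie is registered with an explicit passive-mode UseCookieAuthentication call instead of UseExternalSignInCookie so that the passive mode and short lifetime are visible; the values shown are this example's choices, not a statement about the helper's defaults.

```csharp
// Added example: OWIN auth setup plus the callback action for Google sign-in.
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Google;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // (1) Active cookie middleware: reads the application cookie on every
        //     request and turns an unhandled 401 into a redirect to LoginPath.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            AuthenticationMode = AuthenticationMode.Active,
            LoginPath = new PathString("/Authentication/Login"),
            ExpireTimeSpan = TimeSpan.FromHours(8)   // example value
        });

        // (2) Passive cookie middleware for the short-lived external cookie.
        //     Passive: it only reads its cookie when explicitly asked (see the
        //     GetExternalLoginInfoAsync call below). Lifetime is an example value.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ExternalCookie,
            AuthenticationMode = AuthenticationMode.Passive,
            CookieName = CookieAuthenticationDefaults.CookiePrefix + DefaultAuthenticationTypes.ExternalCookie,
            ExpireTimeSpan = TimeSpan.FromMinutes(5)
        });

        // (3) Google middleware: writes the external cookie after the OAuth round trip.
        app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
        {
            ClientId = "<client-id placeholder>",
            ClientSecret = "<client-secret placeholder>"
        });
    }
}

public class ExternalLoginConfirmationViewModel { public string Email { get; set; } }

[Authorize]
public class AuthenticationController : Controller
{
    private IAuthenticationManager AuthenticationManager => HttpContext.GetOwinContext().Authentication;
    private ApplicationUserManager UserManager => HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();

    // Step 1: raise a challenge for the named provider and return 401. The active cookie
    // middleware leaves a 401 alone when the challenge names another type, so the
    // Google middleware is the one that answers it with the redirect to Google.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult ExternalLogin(string provider, string returnUrl)
    {
        var props = new AuthenticationProperties { RedirectUri = Url.Action("ExternalLoginCallback", new { returnUrl }) };
        AuthenticationManager.Challenge(props, provider);
        return new HttpUnauthorizedResult();
    }

    // Step 2: Google has redirected back and the external (passive) cookie is set.
    [AllowAnonymous]
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        // This is the explicit "read the external cookie" request the passive middleware needs.
        var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
        if (loginInfo == null)
            return RedirectToAction("Login");

        // Map the provider's (LoginProvider, ProviderKey) pair to a local account; the
        // e-mail claim alone is not the lookup key.
        var user = await UserManager.FindAsync(loginInfo.Login);
        if (user == null)
            return View("ExternalLoginConfirmation", new ExternalLoginConfirmationViewModel { Email = loginInfo.Email });

        await SignInAsync(user, isPersistent: false);
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }

    // Step 3: retire the external cookie, then issue the application cookie carrying the
    // full set of application claims, which the active middleware reads from now on.
    private async Task SignInAsync(ApplicationUser user, bool isPersistent)
    {
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
        var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
        AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = isPersistent }, identity);
    }
}
```

The two AuthenticationType values answer the question directly: ExternalCookie is only ever passed to SignOut (and read implicitly by GetExternalLoginInfoAsync), while ApplicationCookie is the type used for CreateIdentityAsync and therefore for the cookie SignIn issues. The external cookie's short ExpireTimeSpan limits how long the provider-only identity can be replayed if the callback is never completed.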
Answered by Jonathan Jansen
"SignOut(DefaultAuthenticationTypes.ExternalCookie)" is to "cleanup, the external cookie" as per Hao Kung's answer https://stackoverflow.com/a/20575643/2710179
There is a nice implementation in the Microsoft.aspnet.identity.samples project which you can download from NuGet. In this implementation they use:
var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
"ExternalCookie" is the "Default value used for the ExternalSignInAuthenticationType configured". I believe this means it is used as a temporary cookie to verify the user against an external site.

