写好参数通过Config 配置到 sitecore pipeline 即可

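/// <summary>
/// Registers an OpenID Connect identity provider (authorization-code flow with PKCE, S256) in the
/// Sitecore <c>owin.identityProviders</c> pipeline. Client id, discovery document, redirect and
/// post-logout URIs all come from Sitecore settings named by <see cref="OpenIdModel"/>.
/// </summary>
/// <remarks>
/// The PKCE <c>code_verifier</c> is kept between the authorize redirect and the code callback in a
/// data-protected, HttpOnly cookie keyed by a SHA-256 hash of the OIDC <c>state</c>; the cookie is
/// deleted as soon as it is read back.
/// </remarks>
public class OpenIdIdentityProvider : IdentityProvidersProcessor
{
    /// <summary>Id of the &lt;identityProvider&gt; config entry this processor wires up.</summary>
    protected override string IdentityProviderName => OpenIdModel.IdentityProvider;

    /// <summary>Creates the processor; all dependencies are forwarded to the base class.</summary>
    public OpenIdIdentityProvider(
        FederatedAuthenticationConfiguration federatedAuthenticationConfiguration,
        ICookieManager cookieManager,
        BaseSettings settings)
        : base(federatedAuthenticationConfiguration, cookieManager, settings)
    {
    }

    /// <summary>
    /// Builds the <see cref="OpenIdConnectAuthenticationOptions"/> from settings and registers the
    /// middleware on <c>args.App</c>.
    /// </summary>
    /// <param name="args">Pipeline args carrying the OWIN app builder.</param>
    /// <remarks>
    /// Any exception is logged and swallowed (kept from the original): a mis-configured provider is
    /// then simply not registered, so the log is the place to look when the sign-in link is missing.
    /// </remarks>
    protected override void ProcessCore(IdentityProvidersArgs args)
    {
        Assert.ArgumentNotNull(args, nameof(args));
        try
        {
            IdentityProvider identityProvider = GetIdentityProvider();
            string authenticationType = GetAuthenticationType();
            string prefix = Settings.GetSetting(OpenIdModel.OpenIdPrefix);
            string clientId = Settings.GetSetting(OpenIdModel.ClientId);
            // Authority = prefix + authorize endpoint; endpoint discovery itself goes through MetadataAddress.
            string authority = $"{Sitecore.StringUtil.EnsurePostfix('/', prefix)}{Settings.GetSetting(OpenIdModel.AuthorizeEndpoint)}";
            string metaAddress = Settings.GetSetting(OpenIdModel.MetaAddress);
            string redirectUri = Settings.GetSetting(OpenIdModel.RedirectURI);
            string logout = Settings.GetSetting(OpenIdModel.PostLogoutRedirectURI);

            var options = new OpenIdConnectAuthenticationOptions(authenticationType)
            {
                Caption = identityProvider.Caption,
                AuthenticationType = authenticationType,
                AuthenticationMode = AuthenticationMode.Passive,
                ResponseType = OpenIdConnectResponseType.Code,
                ClientId = clientId,
                CookieManager = CookieManager,
                MetadataAddress = metaAddress,
                RedirectUri = redirectUri,
                Authority = authority,
                UseTokenLifetime = true,
                // The middleware redeems the code itself; the PKCE verifier is attached in AuthorizationCodeReceived.
                RedeemCode = true,
                SaveTokens = true,
                // "openid profile" plus the client id as a scope (looks like an Azure AD B2C-style setup — confirm against the tenant).
                Scope = $"{OpenIdConnectScope.OpenIdProfile} {clientId}",
                ResponseMode = OpenIdConnectResponseMode.Query,
                PostLogoutRedirectUri = logout,
                TokenValidationParameters = new TokenValidationParameters() { NameClaimType = "name" },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    RedirectToIdentityProvider = context =>
                    {
                        // Only the authorize request carries PKCE; logout redirects pass through untouched.
                        if (context.ProtocolMessage.RequestType.Equals(OpenIdConnectRequestType.Authentication))
                        {
                            string codeVerifier = CryptoRandom.CreateUniqueId(32);
                            string codeChallenge;
                            using (SHA256 sha256 = SHA256.Create())
                            {
                                // S256: challenge = base64url(SHA-256(verifier)).
                                byte[] challengeBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(codeVerifier));
                                codeChallenge = Base64Url.Encode(challengeBytes);
                            }
                            context.ProtocolMessage.Parameters.Add("code_challenge", codeChallenge);
                            context.ProtocolMessage.Parameters.Add("code_challenge_method", "S256");
                            RememberCodeVerifier(context, codeVerifier);
                        }
                        return Task.CompletedTask;
                    },
                    AuthorizationCodeReceived = context =>
                    {
                        // The IdP returned code + state; attach the PKCE verifier so the token
                        // redemption can prove this site issued the matching challenge.
                        Helper.Logger.Info("AuthorizationCodeReceived");
                        string codeVerifier = RetrieveCodeVerifier(context);
                        if (string.IsNullOrEmpty(codeVerifier))
                        {
                            // No verifier for this state: the cookie expired, was tampered with, or the
                            // callback was not started by this site. Do not redeem the code; end the flow
                            // the same way AuthenticationFailed does. (The original threw an
                            // ArgumentNullException from Convert.FromBase64String when the cookie was absent.)
                            Helper.Logger.Info("AuthorizationCodeReceived: PKCE code_verifier missing or invalid for this state");
                            context.HandleResponse();
                            context.Response.Redirect(logout);
                            return Task.CompletedTask;
                        }
                        context.TokenEndpointRequest.SetParameter("code_verifier", codeVerifier);
                        return Task.CompletedTask;
                    },
                    SecurityTokenValidated = context =>
                    {
                        // The id_token has been validated: apply the configured claim transformations.
                        Helper.Logger.Info("SecurityTokenValidated");
                        context.AuthenticationTicket.Identity.ApplyClaimsTransformations(new TransformationContext(FederatedAuthenticationConfiguration, identityProvider));
                        return Task.CompletedTask;
                    },
                    AuthenticationFailed = context =>
                    {
                        Helper.Logger.Info("AuthenticationFailed");
                        context.HandleResponse();
                        Helper.Logger.Error(context.Exception.ToString(), context.Exception);
                        // Send the user back to the configured post-logout page instead of surfacing the error.
                        context.Response.Redirect(logout);
                        return Task.CompletedTask;
                    },
                    SecurityTokenReceived = context =>
                    {
                        Helper.Logger.Info("SecurityTokenReceived");
                        return Task.CompletedTask;
                    },
                }
            };

            args.App.UseOpenIdConnectAuthentication(options);
        }
        catch (Exception ex)
        {
            Helper.Logger.Error(ex.ToString(), ex);
        }
    }

    /// <summary>
    /// Stores the PKCE verifier for the outgoing authorize request in a data-protected cookie.
    /// </summary>
    /// <param name="context">Redirect notification; supplies the state, cookie manager and data format.</param>
    /// <param name="codeVerifier">The verifier whose S256 challenge was just added to the request.</param>
    private void RememberCodeVerifier(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context, string codeVerifier)
    {
        var properties = new AuthenticationProperties();
        properties.Dictionary.Add("cv", codeVerifier);

        // Protect() output is wrapped in one more Base64 layer; RetrieveCodeVerifier mirrors this exactly.
        string cookieValue = Convert.ToBase64String(Encoding.UTF8.GetBytes(context.Options.StateDataFormat.Protect(properties)));
        var cookieOptions = new CookieOptions
        {
            HttpOnly = true,
            // Secure follows the request scheme, as the middleware's own nonce cookie does.
            Secure = context.Request.IsSecure,
            // Verifier lives exactly as long as the nonce it accompanies.
            Expires = DateTime.UtcNow + context.Options.ProtocolValidator.NonceLifetime
        };
        context.Options.CookieManager.AppendResponseCookie(
            context.OwinContext,
            GetCodeVerifierKey(context.ProtocolMessage.State),
            cookieValue,
            cookieOptions);
    }

    /// <summary>
    /// Reads back (and deletes) the PKCE verifier cookie that matches the callback's state.
    /// </summary>
    /// <param name="context">Code-received notification carrying the state and cookie manager.</param>
    /// <returns>
    /// The stored verifier, or <c>null</c> when no cookie exists for this state or its payload
    /// cannot be decoded/unprotected.
    /// </returns>
    private string RetrieveCodeVerifier(AuthorizationCodeReceivedNotification context)
    {
        string key = GetCodeVerifierKey(context.ProtocolMessage.State);
        string codeVerifierCookie = context.Options.CookieManager.GetRequestCookie(context.OwinContext, key);
        if (codeVerifierCookie == null)
        {
            return null;
        }

        // One-shot: the verifier is consumed by this callback whether or not it turns out to be valid.
        var cookieOptions = new CookieOptions
        {
            HttpOnly = true,
            Secure = context.Request.IsSecure
        };
        context.Options.CookieManager.DeleteCookie(context.OwinContext, key, cookieOptions);

        AuthenticationProperties cookieProperties;
        try
        {
            cookieProperties = context.Options.StateDataFormat.Unprotect(
                Encoding.UTF8.GetString(Convert.FromBase64String(codeVerifierCookie)));
        }
        catch (FormatException)
        {
            // Outer Base64 layer is corrupt — treat as no verifier rather than crashing the callback.
            return null;
        }

        // Unprotect is expected to yield null for a payload it cannot verify — confirm against the data format in use.
        if (cookieProperties == null)
        {
            return null;
        }

        cookieProperties.Dictionary.TryGetValue("cv", out var codeVerifier);
        return codeVerifier;
    }

    /// <summary>
    /// Cookie name for the verifier belonging to <paramref name="state"/>: the middleware's cookie
    /// prefix plus a Base64 SHA-256 of the state, so the raw state never appears in a cookie name.
    /// </summary>
    private string GetCodeVerifierKey(string state)
    {
        using (var hash = SHA256.Create())
        {
            return $"{OpenIdConnectAuthenticationDefaults.CookiePrefix}cv.{Convert.ToBase64String(hash.ComputeHash(Encoding.UTF8.GetBytes(state)))}";
        }
    }
}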

config 如下:

<?xml version="1.0" encoding="utf-8" ?>
<!--
  Sitecore config patch for the OpenIdIdentityProvider processor.
  Every "xxxx" value is a placeholder to be replaced with the tenant's own data.
  The setting names (OpenIdPrefix, ClientId, MetaAddress, ...) must match what OpenIdModel maps to.
-->
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/" xmlns:environment="http://www.sitecore.net/xmlconfig/environment/">
  <sitecore>
    <sc.variable name="OpenIdTenant" value="xxxx" /> <!-- your data -->
    <sc.variable name="OpenIdSignInUpPage" value="xxxx" /> <!-- your data -->
    <settings>
      <!-- Base path the processor prefixes to AuthorizeEndpoint when building Authority. -->
      <setting name="OpenIdPrefix" value="$(OpenIdTenant)/$(OpenIdSignInUpPage)/oauth2/v2.0" />
      <setting name="ClientId" value="xxxx" /> <!-- your data -->
      <!-- Discovery document; the middleware reads the real endpoints and signing keys from here. -->
      <setting name="MetaAddress" value="$(OpenIdTenant)/$(OpenIdSignInUpPage)/v2.0/.well-known/openid-configuration" />
      <setting name="AuthorizeEndpoint" value="authorize" />
      <setting name="TokenEndpoint" value="token" />
      <setting name="LogoutEndpoint" value="logout" />
      <!-- Both URIs must be registered with the identity provider exactly as configured here. -->
      <setting name="PostLogoutRedirectURI" value="xxxx" /> <!-- your data -->
      <setting name="RedirectURI" value="xxxxx" /> <!-- your data -->
    </settings>
    <pipelines>
      <owin.identityProviders>
        <!-- Fully qualified type of the OpenIdIdentityProvider processor and its assembly. -->
        <processor type="namespance.className, dll Name" resolve="true" />
      </owin.identityProviders>
    </pipelines>
    <federatedAuthentication>
      <identityProviders hint="list:AddIdentityProvider">
        <!-- The id here is what the controller passes to the GetSignInUrlInfo pipeline. -->
        <identityProvider id="OpenId" type="Sitecore.Owin.Authentication.Configuration.DefaultIdentityProvider, Sitecore.Owin.Authentication">
          <param desc="name">$(id)</param>
          <param desc="domainManager" type="Sitecore.Abstractions.BaseDomainManager" resolve="true" />
          <caption>Sign-in with Open Id</caption>
          <!-- Update your domain if not default -->
          <domain>extranet</domain>
          <icon>/sitecore/shell/themes/standard/Images/24x24/msazure.png</icon>
          <transformations hint="list:AddTransformation">
            <transformation name="idp" value="OpenId" type="Sitecore.Owin.Authentication.Services.SetIdpClaimTransform, Sitecore.Owin.Authentication" />
          </transformations>
        </identityProvider>
      </identityProviders>
      <propertyInitializer type="Sitecore.Owin.Authentication.Services.PropertyInitializer, Sitecore.Owin.Authentication">
        <!-- Copies claims from the validated token onto the Sitecore user profile. -->
        <maps hint="list" resolve="true">
          <map name="Email claim" type="Sitecore.Owin.Authentication.Services.DefaultClaimToPropertyMapper, Sitecore.Owin.Authentication" resolve="true">
            <data hint="raw:AddData">
              <source name="Email" />
              <target name="Email" />
            </data>
          </map>
          <map name="Display name claim" type="Sitecore.Owin.Authentication.Services.DefaultClaimToPropertyMapper, Sitecore.Owin.Authentication" resolve="true">
            <data hint="raw:AddData">
              <source name="name" />
              <target name="FullName" />
            </data>
          </map>
        </maps>
      </propertyInitializer>
      <identityProvidersPerSites>
        <mapEntry name="all" type="Sitecore.Owin.Authentication.Collections.IdentityProvidersPerSitesMapEntry, Sitecore.Owin.Authentication" resolve="true">
          <sites hint="list" resolve="true">
            <site>website</site>
          </sites>
          <identityProviders hint="list:AddIdentityProvider">
            <identityProvider ref="federatedAuthentication/identityProviders/identityProvider[@id='OpenId']" />
          </identityProviders>
          <!-- IsPersistentUser=false: external users are virtual and not persisted in the membership store. -->
          <externalUserBuilder type="Sitecore.Owin.Authentication.Services.DefaultExternalUserBuilder, Sitecore.Owin.Authentication" resolve="true">
            <IsPersistentUser>false</IsPersistentUser>
          </externalUserBuilder>
        </mapEntry>
      </identityProvidersPerSites>
    </federatedAuthentication>
  </sitecore>
</configuration>

呼叫 sign in or up 接口

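/// <summary>
/// Starts sign-in/sign-up: asks the Sitecore GetSignInUrlInfo pipeline for the sign-in link of our
/// identity provider and hands the browser a self-submitting POST form to it.
/// </summary>
/// <returns>An HTML page that immediately posts to the identity provider link.</returns>
/// <exception cref="InvalidOperationException">
/// The pipeline produced no sign-in URL for the configured provider id.
/// </exception>
[HttpPost]
public ActionResult OnePass()
{
    // Must match the id of the <identityProvider> entry in the federatedAuthentication config.
    string idp = "xxx";
    BaseCorePipelineManager corePipelineManager = DependencyResolver.Current.GetService<BaseCorePipelineManager>();
    GetSignInUrlInfoArgs args = new GetSignInUrlInfoArgs(Sitecore.Context.Site.Name, "/"); //Settings.GetAppSetting("RedirectURI")
    GetSignInUrlInfoPipeline.Run(corePipelineManager, args);

    // Get link to IDP. The original dereferenced FirstOrDefault() unconditionally and failed with a
    // NullReferenceException when the id did not match any configured provider for this site.
    var signInInfo = args.Result.FirstOrDefault(z => z.IdentityProvider.Equals(idp, StringComparison.OrdinalIgnoreCase));
    if (signInInfo == null || string.IsNullOrEmpty(signInInfo.Href))
    {
        throw new InvalidOperationException($"No sign-in URL was produced for identity provider '{idp}' on site '{Sitecore.Context.Site.Name}'.");
    }

    return PostRedirect(signInInfo.Href);
}

/// <summary>
/// Builds a minimal HTML page whose only form auto-submits (POST) to <paramref name="url"/>.
/// </summary>
/// <param name="url">Target of the form; HTML-encoded before being placed in the attribute.</param>
/// <returns>A <c>text/html</c> content result carrying the page.</returns>
private ActionResult PostRedirect(string url)
{
    //For security, Login required form post method

    // HTML-encode the attribute value so a quote or '<' in the URL cannot break out of the form tag.
    string action = System.Net.WebUtility.HtmlEncode(url);

    var sb = new System.Text.StringBuilder();
    sb.Append("<html>");
    // Note: the original had the attribute spelled with Greek omicrons ("οnlοad"), which browsers
    // ignore, so the form never auto-submitted.
    sb.Append("<body onload=\"document.forms[0].submit()\">");
    sb.AppendFormat("<form action=\"{0}\" method=\"post\">", action);
    sb.Append("</form>");
    sb.Append("</body>");
    sb.Append("</html>");

    // Returning a ContentResult replaces Response.Write + Response.End(); Response.End aborts the
    // request thread with a ThreadAbortException, which a returned result avoids.
    return Content(sb.ToString(), "text/html");
}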
