ASP.NET 5探险（5）：利用AzureAD实现单点登录

题记：在ASP.NET 5中虽然继续可以沿用ASP.NET Identity来做验证授权，不过也可以很容易集成支持标准协议的第三方服务，比如Azure Active Directory。

其实，在ASP.NET 5中集成AzureAD，利用其进行验证和授权，是非常简单的。因为：首先Azure Active Directory提供了OAuth2.0、OpenId Connect 1.0、SAML和WS-Federation 1.2标准协议接口；其次微软在ASP.NET 5中移植了集成OpenId Connect的OWIN中间件。所以，只要在ASP.NET 5项目中引用"Microsoft.AspNet.Authentication.OpenIdConnect"这个包，并正确配置AzureAD的连接信息，就可以很容易的进行集成。

大致步骤如下：

1，在config.json文件中添加AzureAD的配置信息：

"AzureAd": {    "ClientId": "[Enter the clientId of your application as obtained from portal, e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",    "Tenant": "[Enter the name of your tenant, e.g. contoso.onmicrosoft.com]",    "AadInstance": "https://login.microsoftonline.com/{0}", // This is the public instance of Azure AD    "PostLogoutRedirectUri":  https://localhost:44322/}

2，修改project.json，引入OpenIdConnect的中间件：

"Microsoft.AspNet.Authentication.OpenIdConnect": "1.0.0-*"

3，在Startup中的ConfigureServices方法里面添加：

// OpenID Connect Authentication Requires Cookie Authservices.Configure<ExternalAuthenticationOptions>(options =>{    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;});

4，在Startup中的Configure方法里面添加：

// Configure the OWIN Pipeline to use Cookie Authenticationapp.UseCookieAuthentication(options => {    // By default, all middleware are passive/not automatic. Making cookie middleware automatic so that it acts on all the messages.    options.AutomaticAuthentication = true;

});

// Configure the OWIN Pipeline to use OpenId Connect Authenticationapp.UseOpenIdConnectAuthentication(options =>{    options.ClientId = Configuration.Get("AzureAd:ClientId");    options.Authority = String.Format(Configuration.Get("AzureAd:AadInstance"), Configuration.Get("AzureAd:Tenant"));    options.PostLogoutRedirectUri = Configuration.Get("AzureAd:PostLogoutRedirectUri");    options.Notifications = new OpenIdConnectAuthenticationNotifications    {        AuthenticationFailed = OnAuthenticationFailed,    };});

5，Startup的OnAuthenticationFailed方法为：

private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification){    notification.HandleResponse();    notification.Response.Redirect("/Home/Error?message=" + notification.Exception.Message);    return Task.FromResult(0);}

.csharpcode, .csharpcode pre { font-size: small; color: black; font-family: consolas, "Courier New", courier, monospace; background-color: #ffffff; /*white-space: pre;*/ } .csharpcode pre { margin: 0em; } .csharpcode .rem { color: #008000; } .csharpcode .kwrd { color: #0000ff; } .csharpcode .str { color: #006080; } .csharpcode .op { color: #0000c0; } .csharpcode .preproc { color: #cc6633; } .csharpcode .asp { background-color: #ffff00; } .csharpcode .html { color: #800000; } .csharpcode .attr { color: #ff0000; } .csharpcode .alt { background-color: #f4f4f4; width: 100%; margin: 0em; } .csharpcode .lnum { color: #606060; }

6，添加一个名为AccountController的Controller：

public class AccountController : Controller{    // GET: /Account/Login    [HttpGet]    public IActionResult Login()    {        if (Context.User == null || !Context.User.Identity.IsAuthenticated)            return new ChallengeResult(OpenIdConnectAuthenticationDefaults.AuthenticationScheme, new AuthenticationProperties { RedirectUri = "/" });        return RedirectToAction("Index", "Home");    }

    // GET: /Account/LogOff    [HttpGet]    public IActionResult LogOff()    {        if (Context.User.Identity.IsAuthenticated)        {            Context.Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationScheme);            Context.Authentication.SignOut(OpenIdConnectAuthenticationDefaults.AuthenticationScheme);        }        return RedirectToAction("Index", "Home");    }}

以上代码也可以到我Fork的完整示例项目中找到：https://github.com/heavenwing/WebApp-OpenIdConnect-AspNet5