title: “aspnetcore3”
date: 2020-03-26t13:23:27+08:00
draft: false
系列文章目录
- aspnetcore3.1_secutiry源码解析_1_目录
- aspnetcore3.1_secutiry源码解析_2_authentication_核心流程
- aspnetcore3.1_secutiry源码解析_3_authentication_cookies
- aspnetcore3.1_secutiry源码解析_4_authentication_jwtbear
- aspnetcore3.1_secutiry源码解析_5_authentication_oauth
- aspnetcore3.1_secutiry源码解析_6_authentication_openidconnect
- aspnetcore3.1_secutiry源码解析_7_authentication_其他
- aspnetcore3.1_secutiry源码解析_8_authorization_核心项目
- aspnetcore3.1_secutiry源码解析_9_authorization_policy
简介
secutiry的认证目录还有这些项目,基本都是具体的oauth2.0服务商或者其他用的比较少的认证架构,简单看一下,了解一下。
- microsoft.aspnetcore.authentication.certificate
- microsoft.aspnetcore.authentication.facebook
- microsoft.aspnetcore.authentication.google
- microsoft.aspnetcore.authentication.microsoftaccount
- microsoft.aspnetcore.authentication.negotiate
- microsoft.aspnetcore.authentication.twitter
- microsoft.aspnetcore.authentication.wsfederation
oauth2.0服务商
facebook, google,microsoftaccount这几个都可以归为一类,都是oauth2.0的服务商。国内用的比较多的是qq,weixin。我们看一下facebook的代码,其他的原理都是大同小异的,根据不同厂商的差异稍作调整就可以了。
twitter似乎是用的oauth1.0协议。
依赖注入
配置类: facebookoptions,处理器类:facebookhandler
public static class facebookauthenticationoptionsextensions
{
public static authenticationbuilder addfacebook(this authenticationbuilder builder)
=> builder.addfacebook(facebookdefaults.authenticationscheme, _ => { });
public static authenticationbuilder addfacebook(this authenticationbuilder builder, action<facebookoptions> configureoptions)
=> builder.addfacebook(facebookdefaults.authenticationscheme, configureoptions);
public static authenticationbuilder addfacebook(this authenticationbuilder builder, string authenticationscheme, action<facebookoptions> configureoptions)
=> builder.addfacebook(authenticationscheme, facebookdefaults.displayname, configureoptions);
public static authenticationbuilder addfacebook(this authenticationbuilder builder, string authenticationscheme, string displayname, action<facebookoptions> configureoptions)
=> builder.addoauth<facebookoptions, facebookhandler>(authenticationscheme, displayname, configureoptions);
}
配置类 – facebookoptions
配置类继承自oauthoptions,构造函数根据facebook做了一些定制处理,如claim的映射等。
/// <summary>
/// configuration options for <see cref="facebookhandler"/>.
/// </summary>
public class facebookoptions : oauthoptions
{
/// <summary>
/// initializes a new <see cref="facebookoptions"/>.
/// </summary>
public facebookoptions()
{
callbackpath = new pathstring("/signin-facebook");
sendappsecretproof = true;
authorizationendpoint = facebookdefaults.authorizationendpoint;
tokenendpoint = facebookdefaults.tokenendpoint;
userinformationendpoint = facebookdefaults.userinformationendpoint;
scope.add("email");
fields.add("name");
fields.add("email");
fields.add("first_name");
fields.add("last_name");
claimactions.mapjsonkey(claimtypes.nameidentifier, "id");
claimactions.mapjsonsubkey("urn:facebook:age_range_min", "age_range", "min");
claimactions.mapjsonsubkey("urn:facebook:age_range_max", "age_range", "max");
claimactions.mapjsonkey(claimtypes.dateofbirth, "birthday");
claimactions.mapjsonkey(claimtypes.email, "email");
claimactions.mapjsonkey(claimtypes.name, "name");
claimactions.mapjsonkey(claimtypes.givenname, "first_name");
claimactions.mapjsonkey("urn:facebook:middle_name", "middle_name");
claimactions.mapjsonkey(claimtypes.surname, "last_name");
claimactions.mapjsonkey(claimtypes.gender, "gender");
claimactions.mapjsonkey("urn:facebook:link", "link");
claimactions.mapjsonsubkey("urn:facebook:location", "location", "name");
claimactions.mapjsonkey(claimtypes.locality, "locale");
claimactions.mapjsonkey("urn:facebook:timezone", "timezone");
}
/// <summary>
/// check that the options are valid. should throw an exception if things are not ok.
/// </summary>
public override void validate()
{
if (string.isnullorempty(appid))
{
throw new argumentexception(string.format(cultureinfo.currentculture, resources.exception_optionmustbeprovided, nameof(appid)), nameof(appid));
}
if (string.isnullorempty(appsecret))
{
throw new argumentexception(string.format(cultureinfo.currentculture, resources.exception_optionmustbeprovided, nameof(appsecret)), nameof(appsecret));
}
base.validate();
}
// facebook uses a non-standard term for this field.
/// <summary>
/// gets or sets the facebook-assigned appid.
/// </summary>
public string appid
{
get { return clientid; }
set { clientid = value; }
}
// facebook uses a non-standard term for this field.
/// <summary>
/// gets or sets the facebook-assigned app secret.
/// </summary>
public string appsecret
{
get { return clientsecret; }
set { clientsecret = value; }
}
/// <summary>
/// gets or sets if the appsecret_proof should be generated and sent with facebook api calls.
/// this is enabled by default.
/// </summary>
public bool sendappsecretproof { get; set; }
/// <summary>
/// the list of fields to retrieve from the userinformationendpoint.
/// https://developers.facebook.com/docs/graph-api/reference/user
/// </summary>
public icollection<string> fields { get; } = new hashset<string>();
}
处理器类
重写了oauthhanlder的创建凭据方法,其他的都是使用的父类实现。
public class facebookhandler : oauthhandler<facebookoptions>
{
public facebookhandler(ioptionsmonitor<facebookoptions> options, iloggerfactory logger, urlencoder encoder, isystemclock clock)
: base(options, logger, encoder, clock)
{ }
protected override async task<authenticationticket> createticketasync(claimsidentity identity, authenticationproperties properties, oauthtokenresponse tokens)
{
var endpoint = queryhelpers.addquerystring(options.userinformationendpoint, "access_token", tokens.accesstoken);
if (options.sendappsecretproof)
{
endpoint = queryhelpers.addquerystring(endpoint, "appsecret_proof", generateappsecretproof(tokens.accesstoken));
}
if (options.fields.count > 0)
{
endpoint = queryhelpers.addquerystring(endpoint, "fields", string.join(",", options.fields));
}
var response = await backchannel.getasync(endpoint, context.requestaborted);
if (!response.issuccessstatuscode)
{
throw new httprequestexception($"an error occurred when retrieving facebook user information ({response.statuscode}). please check if the authentication information is correct and the corresponding facebook graph api is enabled.");
}
using (var payload = jsondocument.parse(await response.content.readasstringasync()))
{
var context = new oauthcreatingticketcontext(new claimsprincipal(identity), properties, context, scheme, options, backchannel, tokens, payload.rootelement);
context.runclaimactions();
await events.creatingticket(context);
return new authenticationticket(context.principal, context.properties, scheme.name);
}
}
private string generateappsecretproof(string accesstoken)
{
using (var algorithm = new hmacsha256(encoding.ascii.getbytes(options.appsecret)))
{
var hash = algorithm.computehash(encoding.ascii.getbytes(accesstoken));
var builder = new stringbuilder();
for (int i = 0; i < hash.length; i++)
{
builder.append(hash[i].tostring("x2", cultureinfo.invariantculture));
}
return builder.tostring();
}
}
protected override string formatscope(ienumerable<string> scopes)
{
// facebook deviates from the oauth spec here. they require comma separated instead of space separated.
// https://developers.facebook.com/docs/reference/dialogs/oauth
// http://tools.ietf.org/html/rfc6749#section-3.3
return string.join(",", scopes);
}
protected override string formatscope()
=> base.formatscope();
}
microsoft.aspnetcore.authentication.certificate
这个项目是3.1新加的,是做证书校验的,具体的不细说了,不太懂,有兴趣的看巨硬文档
microsoft.aspnetcore.authentication.negotiate
这个也是新增的项目,是做windows校验的,文档如下
microsoft.aspnetcore.authentication.wsfederation
windows的azure active directory认证
黄山市民网:https://www.huangshanshimin.com/
