AspNetCore3.1_Security source code analysis _7_Authentication_ other


Title: "AspNetCore3"
Date: 2020-03-26T13:23:27+08:00
draft: false

Article series index

Brief introduction

The authentication directory of the Security repository also contains the projects listed below. Most of them are specific OAuth 2.0 service providers or other, less commonly used authentication schemes, so we will only take a brief look at them.

  • Microsoft.AspNetCore.Authentication.Certificate
  • Microsoft.AspNetCore.Authentication.Facebook
  • Microsoft.AspNetCore.Authentication.Google
  • Microsoft.AspNetCore.Authentication.MicrosoftAccount
  • Microsoft.AspNetCore.Authentication.Negotiate
  • Microsoft.AspNetCore.Authentication.Twitter
  • Microsoft.AspNetCore.Authentication.WsFederation

OAuth 2.0 service providers

Facebook, Google and Microsoft Account can be grouped together: they are all OAuth 2.0 service providers. In China, QQ and WeChat (Weixin) are used more often. We will look at the Facebook code; the others follow the same principle and differ only in adjustments made for each vendor.

Twitter appears to use the OAuth 1.0 protocol.

Dependency injection

Configuration class: FacebookOptions; handler class: FacebookHandler

public static class FacebookAuthenticationOptionsExtensions
{
    public static AuthenticationBuilder AddFacebook(this AuthenticationBuilder builder)
        => builder.AddFacebook(FacebookDefaults.AuthenticationScheme, _ => { });

    public static AuthenticationBuilder AddFacebook(this AuthenticationBuilder builder, Action<FacebookOptions> configureOptions)
        => builder.AddFacebook(FacebookDefaults.AuthenticationScheme, configureOptions);

    public static AuthenticationBuilder AddFacebook(this AuthenticationBuilder builder, string authenticationScheme, Action<FacebookOptions> configureOptions)
        => builder.AddFacebook(authenticationScheme, FacebookDefaults.DisplayName, configureOptions);

    public static AuthenticationBuilder AddFacebook(this AuthenticationBuilder builder, string authenticationScheme, string displayName, Action<FacebookOptions> configureOptions)
        => builder.AddOAuth<FacebookOptions, FacebookHandler>(authenticationScheme, displayName, configureOptions);
}

Configuration class - FacebookOptions

It inherits from the OAuthOptions configuration class. The constructor applies some Facebook-specific customization, such as the claim mapping.

/// <summary>
/// Configuration options for <see cref="FacebookHandler"/>.
/// </summary>
public class FacebookOptions : OAuthOptions
{
    /// <summary>
    /// Initializes a new <see cref="FacebookOptions"/>.
    /// </summary>
    public FacebookOptions()
    {
        CallbackPath = new PathString("/signin-facebook");
        SendAppSecretProof = true;
        AuthorizationEndpoint = FacebookDefaults.AuthorizationEndpoint;
        TokenEndpoint = FacebookDefaults.TokenEndpoint;
        UserInformationEndpoint = FacebookDefaults.UserInformationEndpoint;
        Scope.Add("email");
        Fields.Add("name");
        Fields.Add("email");
        Fields.Add("first_name");
        Fields.Add("last_name");

        ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
        ClaimActions.MapJsonSubKey("urn:facebook:age_range_min", "age_range", "min");
        ClaimActions.MapJsonSubKey("urn:facebook:age_range_max", "age_range", "max");
        ClaimActions.MapJsonKey(ClaimTypes.DateOfBirth, "birthday");
        ClaimActions.MapJsonKey(ClaimTypes.Email, "email");
        ClaimActions.MapJsonKey(ClaimTypes.Name, "name");
        ClaimActions.MapJsonKey(ClaimTypes.GivenName, "first_name");
        ClaimActions.MapJsonKey("urn:facebook:middle_name", "middle_name");
        ClaimActions.MapJsonKey(ClaimTypes.Surname, "last_name");
        ClaimActions.MapJsonKey(ClaimTypes.Gender, "gender");
        ClaimActions.MapJsonKey("urn:facebook:link", "link");
        ClaimActions.MapJsonSubKey("urn:facebook:location", "location", "name");
        ClaimActions.MapJsonKey(ClaimTypes.Locality, "locale");
        ClaimActions.MapJsonKey("urn:facebook:timezone", "timezone");
    }

    /// <summary>
    /// Check that the options are valid.  Should throw an exception if things are not ok.
    /// </summary>
    public override void Validate()
    {
        if (string.IsNullOrEmpty(AppId))
        {
            throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Resources.Exception_OptionMustBeProvided, nameof(AppId)), nameof(AppId));
        }

        if (string.IsNullOrEmpty(AppSecret))
        {
            throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Resources.Exception_OptionMustBeProvided, nameof(AppSecret)), nameof(AppSecret));
        }

        base.Validate();
    }

    // Facebook uses a non-standard term for this field.
    /// <summary>
    /// Gets or sets the Facebook-assigned appId.
    /// </summary>
    public string AppId
    {
        get { return ClientId; }
        set { ClientId = value; }
    }

    // Facebook uses a non-standard term for this field.
    /// <summary>
    /// Gets or sets the Facebook-assigned app secret.
    /// </summary>
    public string AppSecret
    {
        get { return ClientSecret; }
        set { ClientSecret = value; }
    }

    /// <summary>
    /// Gets or sets if the appsecret_proof should be generated and sent with Facebook API calls.
    /// This is enabled by default.
    /// </summary>
    public bool SendAppSecretProof { get; set; }

    /// <summary>
    /// The list of fields to retrieve from the UserInformationEndpoint.
    /// https://developers.facebook.com/docs/graph-api/reference/user
    /// </summary>
    public ICollection<string> Fields { get; } = new HashSet<string>();
}
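
The following Startup class is an added example, not code from the ASP.NET Core repository or from the original post. It shows how an application would call the AddFacebook overloads and set the FacebookOptions shown above; the configuration keys `Authentication:Facebook:AppId` and `Authentication:Facebook:AppSecret` are assumed names.

```csharp
// Added example: wiring the Facebook scheme in an ASP.NET Core 3.1 application.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.Facebook;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services
            .AddAuthentication(options =>
            {
                // The cookie carries the local session; Facebook is only used to challenge.
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = FacebookDefaults.AuthenticationScheme;
            })
            .AddCookie()
            // This overload ends in AddOAuth<FacebookOptions, FacebookHandler>(...).
            .AddFacebook(options =>
            {
                // Assumed key names. Load the values from user secrets or the environment,
                // never from source control. Validate() throws if either one is empty.
                options.AppId = Configuration["Authentication:Facebook:AppId"];
                options.AppSecret = Configuration["Authentication:Facebook:AppSecret"];

                // Already the constructor default; stated so it is not switched off by accident.
                options.SendAppSecretProof = true;

                // Ask the user information endpoint only for the fields the app needs.
                options.Fields.Clear();
                options.Fields.Add("name");
                options.Fields.Add("email");
            });
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```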

Handler class

It overrides OAuthHandler's ticket-creation method; everything else uses the parent class's implementation.

public class FacebookHandler : OAuthHandler<FacebookOptions>
{
    public FacebookHandler(IOptionsMonitor<FacebookOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock)
        : base(options, logger, encoder, clock)
    { }

    protected override async Task<AuthenticationTicket> CreateTicketAsync(ClaimsIdentity identity, AuthenticationProperties properties, OAuthTokenResponse tokens)
    {
        var endpoint = QueryHelpers.AddQueryString(Options.UserInformationEndpoint, "access_token", tokens.AccessToken);
        if (Options.SendAppSecretProof)
        {
            endpoint = QueryHelpers.AddQueryString(endpoint, "appsecret_proof", GenerateAppSecretProof(tokens.AccessToken));
        }
        if (Options.Fields.Count > 0)
        {
            endpoint = QueryHelpers.AddQueryString(endpoint, "fields", string.Join(",", Options.Fields));
        }

        var response = await Backchannel.GetAsync(endpoint, Context.RequestAborted);
        if (!response.IsSuccessStatusCode)
        {
            throw new HttpRequestException($"An error occurred when retrieving Facebook user information ({response.StatusCode}). Please check if the authentication information is correct and the corresponding Facebook Graph API is enabled.");
        }

        using (var payload = JsonDocument.Parse(await response.Content.ReadAsStringAsync()))
        {
            var context = new OAuthCreatingTicketContext(new ClaimsPrincipal(identity), properties, Context, Scheme, Options, Backchannel, tokens, payload.RootElement);
            context.RunClaimActions();
            await Events.CreatingTicket(context);
            return new AuthenticationTicket(context.Principal, context.Properties, Scheme.Name);
        }
    }

    private string GenerateAppSecretProof(string accessToken)
    {
        using (var algorithm = new HMACSHA256(Encoding.ASCII.GetBytes(Options.AppSecret)))
        {
            var hash = algorithm.ComputeHash(Encoding.ASCII.GetBytes(accessToken));
            var builder = new StringBuilder();
            for (int i = 0; i < hash.Length; i++)
            {
                builder.Append(hash[i].ToString("x2", CultureInfo.InvariantCulture));
            }
            return builder.ToString();
        }
    }

    protected override string FormatScope(IEnumerable<string> scopes)
    {
        // Facebook deviates from the OAuth spec here. They require comma separated instead of space separated.
        // https://developers.facebook.com/docs/reference/dialogs/oauth
        // http://tools.ietf.org/html/rfc6749#section-3.3
        return string.Join(",", scopes);
    }

    protected override string FormatScope()
        => base.FormatScope();
}

Microsoft.AspNetCore.Authentication.Certificate

This project was newly added in 3.1 and performs certificate authentication. I will not go into the specifics, since I do not understand them well; if you are interested, see the Microsoft documentation:

https://docs.microsoft.com/zh-cn/aspnet/core/security/authentication/certauth?view=aspnetcore-3.1

Microsoft.AspNetCore.Authentication.Negotiate

This is also a new project, for Windows authentication. See the following documentation:

https://docs.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-3.1&tabs=visual-studio

Microsoft.AspNetCore.Authentication.WsFederation

Windows Azure Active Directory authentication

https://docs.microsoft.com/zh-cn/aspnet/core/security/authentication/ws-federation?view=aspnetcore-3.1


Origin www.cnblogs.com/holdengong/p/12573967.html