Limiting identity by scheme
In some scenarios, such as Single Page Applications, it is possible to end up with multiple authentication methods. For example, your application may use cookie-based authentication to log in and bearer authentication for JavaScript requests. In some cases you may have multiple instances of an authentication middleware. For example, two cookie middlewares where one contains a basic identity and one is created when multi-factor authentication has been triggered because the user requested an operation that requires extra security.
Authentication schemes are named when authentication middleware is configured during authentication, for example:
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    AuthenticationScheme = "Cookie",
    LoginPath = new PathString("/Account/Unauthorized/"),
    AccessDeniedPath = new PathString("/Account/Forbidden/"),
    AutomaticAuthenticate = false
});

app.UseBearerAuthentication(options =>
{
    options.AuthenticationScheme = "Bearer";
    options.AutomaticAuthenticate = false;
});
In this configuration two authentication middlewares have been added, one for cookies and one for bearer.
Note
When adding multiple authentication middleware you should ensure that no middleware is configured to run automatically. You do this by setting the AutomaticAuthenticate options property to false. If you fail to do this, filtering by scheme will not work.
Selecting the scheme with policies
If you prefer to specify the desired schemes in policy you can set the AuthenticationSchemes collection when adding your policy.
options.AddPolicy("Over18", policy =>
{
    policy.AuthenticationSchemes.Add("Bearer");
    policy.RequireAuthenticatedUser();
    policy.Requirements.Add(new Over18Requirement());
});
In this example the Over18 policy will only run against the identity created by the Bearer middleware.
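The console program below is an added illustration, not code from the original page or from the framework: it models what restricting the Over18 policy to the Bearer scheme means, so that a date-of-birth claim carried only by the cookie identity cannot satisfy the policy. The helpers FilterBySchemes, IsOver18, EvaluateOver18 and Identity, the use of a date-of-birth claim, and all sample dates are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Claims;

static class SchemeFilterDemo
{
    // Hypothetical helper: keep only identities built by one of the listed schemes.
    // Assumption: each identity's AuthenticationType holds its middleware's scheme name.
    static ClaimsPrincipal FilterBySchemes(ClaimsPrincipal user, ICollection<string> schemes)
    {
        return new ClaimsPrincipal(user.Identities.Where(
            i => i.IsAuthenticated && schemes.Contains(i.AuthenticationType)));
    }

    // Stand-in for Over18Requirement: needs a date-of-birth claim at least 18 years back.
    static bool IsOver18(ClaimsPrincipal user, DateTime today)
    {
        Claim dob = user.FindFirst(ClaimTypes.DateOfBirth);
        return dob != null &&
            DateTime.Parse(dob.Value, CultureInfo.InvariantCulture).AddYears(18) <= today;
    }

    // Model of the "Over18" policy: scheme filter, then authenticated user, then requirement.
    static bool EvaluateOver18(ClaimsPrincipal user, DateTime today)
    {
        ClaimsPrincipal filtered = FilterBySchemes(user, new[] { "Bearer" });
        return filtered.Identities.Any(i => i.IsAuthenticated) && IsOver18(filtered, today);
    }

    static ClaimsIdentity Identity(string scheme, string dateOfBirth)
    {
        return new ClaimsIdentity(new[] { new Claim(ClaimTypes.DateOfBirth, dateOfBirth) }, scheme);
    }

    static void Main()
    {
        // Constructed sample data: an adult cookie identity and two bearer identities.
        DateTime today = new DateTime(2016, 1, 1);
        ClaimsIdentity cookieAdult = Identity("Cookie", "1980-05-01");
        ClaimsIdentity bearerAdult = Identity("Bearer", "1985-03-15");
        ClaimsIdentity bearerMinor = Identity("Bearer", "2005-05-01");

        Console.WriteLine("cookie only:           " + EvaluateOver18(new ClaimsPrincipal(cookieAdult), today));
        Console.WriteLine("cookie + bearer minor: " + EvaluateOver18(new ClaimsPrincipal(new[] { cookieAdult, bearerMinor }), today));
        Console.WriteLine("cookie + bearer adult: " + EvaluateOver18(new ClaimsPrincipal(new[] { cookieAdult, bearerAdult }), today));
    }
}
```

The same three cases make a useful integration test against a real application: a request carrying only the cookie, and one carrying the cookie plus a bearer token that fails the requirement, should both be refused by an endpoint protected with the Over18 policy.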