我正在尝试根据组织的请求实现多重身份验证。在startup.auth.cs中,我有以下内容:
foreach (OrganizationModel org in orgList)
{
if (org.AuthenticationType != "Azure")
{
var adfs = new WsFederationAuthenticationOptions
{
AuthenticationType = org.AuthenticationType,
Caption = org.Caption,
BackchannelCertificateValidator = null,
MetadataAddress = org.MetadataUrl,
Wtrealm = org.Realm,
Notifications = new WsFederationAuthenticationNotifications
{
AuthenticationFailed = context =>
{
context.HandleResponse();
context.Response.Redirect("Home/Error?message=" + context.Exception.Message);
return Task.FromResult(0);
}
},
TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false },
};
app.UseWsFederationAuthentication(adfs);
}
else
{
var azure = new WsFederationAuthenticationOptions
{
AuthenticationType = org.AuthenticationType,
Caption = org.Caption,
BackchannelCertificateValidator = null,
MetadataAddress = org.MetadataUrl,
Wtrealm = org.Realm,
Notifications = new WsFederationAuthenticationNotifications
{
AuthenticationFailed = context =>
{
context.HandleResponse();
context.Response.Redirect("Home/Error?message=" + context.Exception.Message);
return Task.FromResult(0);
}
},
TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false },
};
app.UseWsFederationAuthentication(azure);
}
}
我为登录填充各种身份验证提供程序。当我点击 ADFS 进行身份验证时,我能够成功认证、获得声明,一切正常。但是,当我尝试针对 Azure AD 进行身份验证时,我会收到“ID 4037”错误,“无法解析用于验证签名的密钥”。 注:如果我只尝试 Azure AD(注释掉 ADFS 部分),它就能正常工作。Orglist 从数据库中填充,并包含元数据 URL、域等信息。出于开发目的,我已将 https://localhost:44303 配置为两者的领域。
我的登录后回调方法是:
[AllowAnonymous]
public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
{
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
if (loginInfo == null)
{
return RedirectToAction("Login");
}
// Sign in the user with this external login provider if the user already has a login
var result = await SignInManager.ExternalSignInAsync(loginInfo, isPersistent: false);
switch (result)
{
case SignInStatus.Success:
return RedirectToLocal(returnUrl);
case SignInStatus.LockedOut:
return View("Lockout");
case SignInStatus.RequiresVerification:
return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = false });
case SignInStatus.Failure:
default:
// If the user does not have an account, then prompt the user to create an account
ViewBag.ReturnUrl = returnUrl;
ViewBag.LoginProvider = loginInfo.Login.LoginProvider;
return View("ExternalLoginConfirmation", new ExternalLoginConfirmationViewModel { Email = loginInfo.DefaultUserName});
}
}
请指导我哪里做错了