Windows Azure Role Based authentication (ACS)

问题

I have a Asp.net mvc4 project running on Windows Azure Cloud already. But so far it hasn't any user management thing. any one can log in(I have a windows live single sign on). But now I need to do the simplest role based authentication.

1.I want to register user roles(administrator,user,content manager)/it can be done manually. 2.I need to authenticate users based on roles when they log in .

Can any one give me a hint, or link to a clear tutorial or suggest me any idea?

回答1:

The simplest is actually to add "role" claims in the token issued by ACS. Since you said you are ok in doing this manually for now, then you'd use the ACS portal to create these rules.

In your app, you'd do the usual thing, like decorate the actions with the "Authorize" attribute, including roles:

[Authorize(Roles="Administrator")]
public ActionResult Index()
{
  var b = User.IsInRole("Manager");
...
}

As long as you use "Role" claim types, everything works. (This can also be customized, but it works out of the box this way).

The only challenge you will have is due to LiveID. LiveID gives you just a unique identifier. You need a way of mapping that identifier with a know user (e.g. e-mail or name). This usually requires a two step process. You first authenticate and get the unique id, then you ask the user for its information and validate it (by sending an e-mail for example).

Using any of the other identity providers, you don't have this problem, because all of them give you an e-mail and a name.

Writing the above mentioned rules is as easy as:

email: joy@mail.com -> role:administrator
email: someone@mail.com -> role: manager ...

If you have a larger number of users or a larger number of rules then the portal is often no longer practical and you will need something else (e.g. use the API from your app, use scripting, use a tool like auth10, etc.)

回答2:

The way I solved it for my project was to add a ClaimsAuthenticationManager and add the user's roles to the identity there.

namespace Claims
{
  public class RoleClaimsAuthenticationManager : ClaimsAuthenticationManager

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal != null && incomingPrincipal.Identity.IsAuthenticated)
        {
            var identity = (ClaimsIdentity)incomingPrincipal.Identity;
            var roles = getRolesForIdentity(identity); //Get the roles for your identity here
            foreach (var r in roles)
            {
                 identity.AddClaim(new Claim(ClaimTypes.Role, r.Name));
            }
        }

        return base.Authenticate(resourceName, incomingPrincipal);
    }
}

I then hook it up in the config in the system.identityModel -> identityConfiguration section

<claimsAuthenticationManager type="Claims.RoleClaimsAuthenticationManager, Claims" />

回答3:

As you might have noticed ACS takes care of authentication and not authorization, you'll need to handle that yourself.

The easiest thing to do is to create a 'profile' in your application each time a new user connects. When creating the profile for a specific user you'll need to store the identity provider and the name of that user together with the profile. Storing this info will allow you to fetch the profile for that user the next time he connects (you'll get this info from the claims, but this depends on how you configured ACS).

For a fully working example you should take a look at the source of the BlobShare application (which uses authentication and authorization).