Facebook, Google, and external provider authentication in ASP.NET Core

By Valeriy Novytskyy and Rick Anderson

This tutorial demonstrates how to build an ASP.NET Core 2.2 app that enables users to log in using OAuth 2.0 with credentials from external authentication providers.

Facebook, Twitter, Google, and Microsoft providers are covered in the following sections. Other providers are available in third-party packages such as AspNet.Security.OAuth.Providers and AspNet.Security.OpenId.Providers.

Social media icons for Facebook, Twitter, Google plus, and Windows

Enabling users to sign in with their existing credentials is convenient for the users and shifts many of the complexities of managing the sign-in process onto a third party. For examples of how social logins can drive traffic and customer conversions, see case studies by Facebook and Twitter.

Create a New ASP.NET Core Project

  • In Visual Studio 2017, create a new project from the Start Page, or via File > New > Project.

  • Select the ASP.NET Core Web Application template available in the Visual C# > .NET Core category:

  • Select Change Authentication and set authentication to Individual User Accounts.

Apply migrations

  • Run the app and select the Register link.
  • Enter the email and password for the new account, and then select Register.
  • Follow the instructions to apply migrations.

Forward request information with a proxy or load balancer

If the app is deployed behind a proxy server or load balancer, some of the original request information might be forwarded to the app in request headers. This information usually includes the secure request scheme (https), host, and client IP address. Apps don't automatically read these request headers to discover and use the original request information.

The scheme is used in link generation that affects the authentication flow with external providers. Losing the secure scheme (https) results in the app generating incorrect, insecure redirect URLs.

Use Forwarded Headers Middleware to make the original request information available to the app for request processing.

For more information, see Configure ASP.NET Core to work with proxy servers and load balancers.

Use SecretManager to store tokens assigned by login providers

Social login providers assign Application Id and Application Secret tokens during the registration process. The exact token names vary by provider. These tokens represent the credentials your app uses to access their API. The tokens constitute the "secrets" that can be linked to your app configuration with the help of Secret Manager. Secret Manager is a more secure alternative to storing the tokens in a configuration file, such as appsettings.json.

Secret Manager is for development purposes only. You can store and protect Azure test and production secrets with the Azure Key Vault configuration provider.

Follow the steps in the Safe storage of app secrets in development in ASP.NET Core topic to store the tokens assigned by each login provider below.

Set up login providers required by your application

Use the following topics to configure your application to use the respective providers:

Multiple authentication providers

When the app requires multiple providers, chain the provider extension methods behind AddAuthentication:

    // Each lambda configures that provider's credentials (client id/secret, consumer key/secret, app id/secret).
    services.AddAuthentication()
        .AddMicrosoftAccount(microsoftOptions => { ... })
        .AddGoogle(googleOptions => { ... })
        .AddTwitter(twitterOptions => { ... })
        .AddFacebook(facebookOptions => { ... });
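As an added example (not code from the article or the ASP.NET Core templates), the following Startup.cs wires together the three points covered above: Forwarded Headers Middleware restricted to a known proxy so the https scheme survives into redirect URL generation, provider secrets read from configuration that Secret Manager populates in development, and the providers chained behind AddAuthentication. The proxy address and the configuration key names are assumptions.

```csharp
// Startup.cs for the ASP.NET Core 2.2 Identity template. Added example, not the article's code.
// Assumes the template's ApplicationDbContext is in scope and that each provider's credentials
// were stored with Secret Manager under the key names read below, for example:
//   dotnet user-secrets set "Authentication:Google:ClientId" "<client-id>"
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Behind a proxy or load balancer: honour X-Forwarded-For/X-Forwarded-Proto only from a known
        // proxy, so the https scheme reaches link generation while other clients cannot spoof it.
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.100")); // constructed proxy address
        });

        services.AddDefaultIdentity<IdentityUser>()
            .AddEntityFrameworkStores<ApplicationDbContext>();

        // Chain the providers behind AddAuthentication; secrets come from configuration, not from literals.
        services.AddAuthentication()
            .AddMicrosoftAccount(o => { o.ClientId = Configuration["Authentication:Microsoft:ClientId"];
                                        o.ClientSecret = Configuration["Authentication:Microsoft:ClientSecret"]; })
            .AddGoogle(o => { o.ClientId = Configuration["Authentication:Google:ClientId"];
                              o.ClientSecret = Configuration["Authentication:Google:ClientSecret"]; })
            .AddTwitter(o => { o.ConsumerKey = Configuration["Authentication:Twitter:ConsumerKey"];
                               o.ConsumerSecret = Configuration["Authentication:Twitter:ConsumerSecret"]; })
            .AddFacebook(o => { o.AppId = Configuration["Authentication:Facebook:AppId"];
                                o.AppSecret = Configuration["Authentication:Facebook:AppSecret"]; });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseForwardedHeaders(); // first, so later middleware and link generation see the original scheme
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

If a provider's keys are missing from configuration, that provider's options validation fails at startup rather than silently producing a misconfigured login flow.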

Optionally set password

When you register with an external login provider, you don't have a password registered with the app. This relieves you of creating and remembering a password for the site, but it also makes you dependent on the external login provider. If the external login provider is unavailable, you won't be able to log in to the web site.

To create a password and sign in using the email that you set during the sign-in process with external providers:

  • Select the Hello <email alias> link at the top right corner to navigate to the Manage view.

Web application Manage view

  • Select Create.

  • Set a valid password, which you can then use to sign in with your email.

Next steps

  • This article introduced external authentication and explained the prerequisites required to add external logins to your ASP.NET Core app.

  • Reference provider-specific pages to configure logins for the providers required by your app.

  • You may want to persist additional data about the user and their access and refresh tokens. For more information, see Persist additional claims and tokens from external providers in ASP.NET Core.