Facebook, Google, and external provider authentication in ASP.NET Core

By Valeriy Novytskyy and Rick Anderson

This tutorial demonstrates how to build an ASP.NET Core 2.2 app that enables users to sign in using OAuth 2.0 with credentials from external authentication providers.

Facebook, Twitter, Google, and Microsoft providers are covered in the following sections. Other providers are available in third-party packages such as AspNet.Security.OAuth.Providers and AspNet.Security.OpenId.Providers.

Image: Social media icons for Facebook, Twitter, Google Plus, and Windows

Enabling users to sign in with their existing credentials:

  • Is convenient for the users.
  • Shifts many of the complexities of managing the sign-in process onto a third party.

For examples of how social logins can drive traffic and customer conversions, see case studies by Facebook and Twitter.

Create a new ASP.NET Core project

  • Create a new project.
  • Select ASP.NET Core Web Application and Next.
  • Provide a Project name and confirm or change the Location. Select Create.
  • Select ASP.NET Core 2.2 in the drop-down. Select Web Application in the template list.
  • Under Authentication, select Change and set the authentication to Individual User Accounts. Select OK.
  • In the Create a new ASP.NET Core Web Application window, select Create.

Apply migrations

  • Run the app and select the Register link.
  • Enter the email and password for the new account, and then select Register.
  • Follow the instructions to apply migrations.

Forward request information with a proxy or load balancer

If the app is deployed behind a proxy server or load balancer, some of the original request information might be forwarded to the app in request headers. This information usually includes the secure request scheme (https), host, and client IP address. Apps don't automatically read these request headers to discover and use the original request information.

The scheme is used in link generation that affects the authentication flow with external providers. Losing the secure scheme (https) results in the app generating incorrect, insecure redirect URLs.

Use Forwarded Headers Middleware to make the original request information available to the app for request processing.

For more information, see Configure ASP.NET Core to work with proxy servers and load balancers.
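The following Startup class is an added example, not code from the original article: it registers Forwarded Headers Middleware for an ASP.NET Core 2.2 app behind a reverse proxy so that the https scheme survives into redirect URL generation. The proxy address 10.0.0.100 is an assumed placeholder; Identity and provider registration are omitted here.

```csharp
// Added example (not from the original article). Assumes the app sits behind a
// single reverse proxy at 10.0.0.100 (placeholder) that sets X-Forwarded-* headers.
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Read X-Forwarded-For (client IP) and X-Forwarded-Proto (original scheme).
            // X-Forwarded-Proto is what keeps the external-provider redirect URLs on https.
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

            // Only honor forwarded headers that arrive from the known proxy. The defaults
            // trust loopback only; clear them and add the real proxy so a client cannot
            // inject its own X-Forwarded-* values and rewrite the scheme or host.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.100"));
        });

        // Identity and external login providers are registered here in a real app
        // (see "Multiple authentication providers" below).
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Must run before UseAuthentication so Request.Scheme and Request.Host are
        // already rewritten when a provider handler builds its redirect URI.
        app.UseForwardedHeaders();

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseAuthentication();
        app.UseMvc();
    }
}
```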

Use Secret Manager to store tokens assigned by login providers

Social login providers assign Application Id and Application Secret tokens during the registration process. The exact token names vary by provider. These tokens represent the credentials your app uses to access their API. The tokens constitute the "secrets" that can be linked to your app configuration with the help of Secret Manager. Secret Manager is a more secure alternative to storing the tokens in a configuration file, such as appsettings.json.

Important

Secret Manager is for development purposes only. You can store and protect Azure test and production secrets with the Azure Key Vault configuration provider.

Follow the steps in the Safe storage of app secrets in development in ASP.NET Core topic to store the tokens assigned by each login provider below.

Set up login providers required by your application

Use the following topics to configure your application to use the respective providers:

Multiple authentication providers

When the app requires multiple providers, chain the provider extension methods behind AddAuthentication:

services.AddAuthentication()
    .AddMicrosoftAccount(microsoftOptions => { ... })
    .AddGoogle(googleOptions => { ... })
    .AddTwitter(twitterOptions => { ... })
    .AddFacebook(facebookOptions => { ... });
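As an added example (not from the original article), the Startup below fills in the chained provider registrations above with values read from configuration, which is where Secret Manager surfaces the tokens described earlier. The configuration key names are assumptions; the option property names (AppId/AppSecret, ClientId/ClientSecret, ConsumerKey/ConsumerSecret) are the ones the 2.2 provider packages expose.

```csharp
// Added example (not from the original article). Store the secrets during
// development with Secret Manager, e.g. (key names are assumed):
//   dotnet user-secrets set "Authentication:Facebook:AppId" "<your-app-id>"
//   dotnet user-secrets set "Authentication:Facebook:AppSecret" "<your-app-secret>"
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication()
            .AddMicrosoftAccount(microsoftOptions =>
            {
                microsoftOptions.ClientId = Require("Authentication:Microsoft:ClientId");
                microsoftOptions.ClientSecret = Require("Authentication:Microsoft:ClientSecret");
            })
            .AddGoogle(googleOptions =>
            {
                googleOptions.ClientId = Require("Authentication:Google:ClientId");
                googleOptions.ClientSecret = Require("Authentication:Google:ClientSecret");
            })
            .AddTwitter(twitterOptions =>
            {
                twitterOptions.ConsumerKey = Require("Authentication:Twitter:ConsumerKey");
                twitterOptions.ConsumerSecret = Require("Authentication:Twitter:ConsumerSecret");
            })
            .AddFacebook(facebookOptions =>
            {
                facebookOptions.AppId = Require("Authentication:Facebook:AppId");
                facebookOptions.AppSecret = Require("Authentication:Facebook:AppSecret");
            });
    }

    // Fail fast at startup when a secret is missing, instead of surfacing an opaque
    // provider error (or an empty credential) during the first sign-in attempt.
    private string Require(string key)
    {
        var value = Configuration[key];
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException($"Missing configuration value '{key}'.");
        return value;
    }
}
```

Because the values never live in appsettings.json, the secrets stay out of source control; in production, supply the same keys through the Azure Key Vault configuration provider or environment variables.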

Optionally set password

When you register with an external login provider, you don't have a password registered with the app. This alleviates you from creating and remembering a password for the site, but it also makes you dependent on the external login provider. If the external login provider is unavailable, you won't be able to sign in to the website.

To create a password and sign in using the email that you set during the sign-in process with external providers:

  • Select the Hello <email alias> link at the top-right corner to navigate to the Manage view.

Image: Web application Manage view

  • Select Create.

Image: Set your password page

  • Set a valid password, and you can use this to sign in with your email.

Next steps

  • This article introduced external authentication and explained the prerequisites required to add external logins to your ASP.NET Core app.

  • Reference the provider-specific pages to configure logins for the providers required by your app.

  • You may want to persist additional data about the user and their access and refresh tokens. For more information, see Persist additional claims and tokens from external providers in ASP.NET Core.