ASP.NET Core 中的 Facebook、Google 及外部提供者驗證Facebook, Google, and external provider authentication in ASP.NET Core

作者:Valeriy NovytskyyRick AndersonBy Valeriy Novytskyy and Rick Anderson

本教學課程會示範如何建置 ASP.NET Core 2.2 應用程式,讓使用者可使用 OAuth 2.0 以外部驗證提供者提供的認證登入。This tutorial demonstrates how to build an ASP.NET Core 2.2 app that enables users to sign in using OAuth 2.0 with credentials from external authentication providers.

下列各節涵蓋 FacebookTwitterGoogleMicrosoft 的提供者。Facebook, Twitter, Google, and Microsoft providers are covered in the following sections. 您可透過 AspNet.Security.OAuth.ProvidersAspNet.Security.OpenId.Providers 這類協力廠商套件,取得其他提供者。Other providers are available in third-party packages such as AspNet.Security.OAuth.Providers and AspNet.Security.OpenId.Providers.

Facebook、Twitter、Google+ 和 Windows 的社交媒體圖示

讓使用者透過現有認證登入:Enabling users to sign in with their existing credentials:

  • 對使用者而言十分方便。Is convenient for the users.
  • 可將複雜的登入程序管理作業轉移至協力廠商。Shifts many of the complexities of managing the sign-in process onto a third party.

如需社交登入如何帶動流量和客戶轉換的範例,請參閱 FacebookTwitter 的案例研究。For examples of how social logins can drive traffic and customer conversions, see case studies by Facebook and Twitter.

建立新的 ASP.NET Core 專案Create a New ASP.NET Core Project

  • 建立新的專案。Create a new project.
  • 選取 [ASP.NET Core Web 應用程式] 和 [下一步]。Select ASP.NET Core Web Application and Next.
  • 提供專案名稱並確認或變更位置Provide a Project name and confirm or change the Location. 選取 [建立]。Select Create.
  • 選取下拉式清單中的 [ASP.NET Core 2.2]。Select ASP.NET Core 2.2 in the drop down. 選取範本清單中的 [Web 應用程式]。Select Web Application in the template list.
  • 選取 [驗證] 下的 [變更],並將驗證設定為 [個別使用者帳戶]。Under Authentication, select Change and set the authentication to Individual User Accounts. 選取 [確定]。Select OK.
  • 在 [建立新的 ASP.NET Core Web 應用程式] 視窗中選取 [建立]。In the Create a new ASP.NET Core Web Application window, select Create.

套用移轉Apply migrations

  • 執行應用程式並選取 [登錄] 連結。Run the app and select the Register link.
  • 輸入新帳戶的電子郵件和密碼,然後選取 [註冊]。Enter the email and password for the new account, and then select Register.
  • 遵循指示以套用移轉。Follow the instructions to apply migrations.

使用 Proxy 或負載平衡器轉送要求資訊Forward request information with a proxy or load balancer

如果將應用程式部署於 Proxy 伺服器或負載平衡器後方,可能就會在要求標頭中將一些原始要求資訊轉送到應用程式。If the app is deployed behind a proxy server or load balancer, some of the original request information might be forwarded to the app in request headers. 此資訊通常會包括安全要求配置 (https)、主機和用戶端 IP 位址。This information usually includes the secure request scheme (https), host, and client IP address. 應用程式不會自動讀取這些要求標頭來探索並使用原始要求資訊。Apps don't automatically read these request headers to discover and use the original request information.

此配置可用於產生連結,其會對使用外部提供者的驗證流程產生影響。The scheme is used in link generation that affects the authentication flow with external providers. 遺失安全配置 (https) 會導致應用程式產生不正確且不安全的重新導向 URL。Losing the secure scheme (https) results in the app generating incorrect insecure redirect URLs.

使用轉送標頭中介軟體,使應用程式能夠使用原始要求資訊來處理要求。Use Forwarded Headers Middleware to make the original request information available to the app for request processing.

如需詳細資訊,請參閱 設定 ASP.NET Core 以與 Proxy 伺服器和負載平衡器搭配運作For more information, see 設定 ASP.NET Core 以與 Proxy 伺服器和負載平衡器搭配運作.

使用 SecretManager 來儲存登入提供者指派的權杖Use SecretManager to store tokens assigned by login providers

社交登入提供者會在註冊程序期間指派應用程式識別碼應用程式密碼權杖。Social login providers assign Application Id and Application Secret tokens during the registration process. 確切權杖名稱會依提供者而有所不同。The exact token names vary by provider. 這些權杖代表您的應用程式用來存取其 API 的認證。These tokens represent the credentials your app uses to access their API. 這些權杖會組成「祕密」,在祕密管理員的協助下連結到您的應用程式設定。The tokens constitute the "secrets" that can be linked to your app configuration with the help of Secret Manager. 相較於在設定檔 (例如 appsettings.json) 中儲存權杖,祕密管理員是較安全的替代方案。Secret Manager is a more secure alternative to storing the tokens in a configuration file, such as appsettings.json.

重要

祕密管理員僅供用於開發用途。Secret Manager is for development purposes only. 您可以透過 Azure Key Vault 設定提供者儲存及保護 Azure 測試與生產祕密。You can store and protect Azure test and production secrets with the Azure Key Vault configuration provider.

請遵循 Safe storage of app secrets in development in ASP.NET Core (在 ASP.NET Core 開發過程中安全地儲存應用程式祕密) 主題中的步驟,儲存下方各個登入提供者指派的權杖。Follow the steps in Safe storage of app secrets in development in ASP.NET Core topic to store tokens assigned by each login provider below.

設定應用程式所需的登入提供者Setup login providers required by your application

若要將應用程式設定為使用相應的提供者,請使用下列主題:Use the following topics to configure your application to use the respective providers:

多個驗證提供者Multiple authentication providers

當應用程式需要多個提供者時,請在 AddAuthentication 之後鏈結提供者擴充方法:When the app requires multiple providers, chain the provider extension methods behind AddAuthentication:

services.AddAuthentication()
    .AddMicrosoftAccount(microsoftOptions => { ... })
    .AddGoogle(googleOptions => { ... })
    .AddTwitter(twitterOptions => { ... })
    .AddFacebook(facebookOptions => { ... });

選擇性地設定密碼Optionally set password

當您使用外部登入提供者註冊時,您並未向應用程式註冊密碼。When you register with an external login provider, you don't have a password registered with the app. 這樣可以減輕您建立網站密碼與記住密碼的壓力,但這也會讓您依賴外部登入提供者。This alleviates you from creating and remembering a password for the site, but it also makes you dependent on the external login provider. 如果無法使用外部登入提供者,您就無法登入網站。If the external login provider is unavailable, you won't be able to sign in to the web site.

若要建立密碼,並使用您在外部提供者登入程序期間所設的電子郵件進行登入:To create a password and sign in using your email that you set during the sign in process with external providers:

  • 選取右上角的 [Hello <電子郵件別名>] 連結以瀏覽至 [管理] 檢視。Select the Hello <email alias> link at the top-right corner to navigate to the Manage view.

Web 應用程式的 [管理] 檢視

  • 選取 [建立]Select Create

[設定密碼] 頁面

  • 設定有效的密碼,以便使用此密碼與電子郵件進行登入。Set a valid password and you can use this to sign in with your email.

後續步驟Next steps

  • 本文介紹了外部驗證,並說明將外部登入新增至 ASP.NET Core 應用程式所需的必要條件。This article introduced external authentication and explained the prerequisites required to add external logins to your ASP.NET Core app.

  • 請參考提供者的特定頁面,以設定應用程式所需的提供者登入項目。Reference provider-specific pages to configure logins for the providers required by your app.

  • 您想要保存有關使用者與其存取和重新整理權杖的額外資料。You may want to persist additional data about the user and their access and refresh tokens. 如需詳細資訊,請參閱 在 ASP.NET Core 中保存外部提供者的其他宣告和權杖For more information, see 在 ASP.NET Core 中保存外部提供者的其他宣告和權杖.