使用OAuth和ADFS进行ASP.Net身份验证(取决于路径)

应用程序需要在以下路径上进行身份验证:

/admin     - ADFS
/edx/links - ADFS
/api       - OAuth

Api由应用程序使用,应该通过OAuth而不是ADFS进行身份验证,但应用程序将被重定向到非heless的ADFS服务器。

public void Configuration(IAppBuilder app)
    {
        app.UseOwinExceptionLogger();
        app.SetLoggerFactory(new OwinLoggerFactory());

        var config = new HttpConfiguration { DependencyResolver = new StructureMapResolver(Container) };
        var settings = Container.GetInstance<ISettings>();

        ConfigureOAuth(app, settings);
        app.Map("/admin", inner => ConfigureAuth(inner, settings));
        app.Map("/edx/links", inner => ConfigureAuth(inner, settings));

        WebApiConfig.Register(config);
        app.UseCors(CorsOptions.AllowAll);
        app.UseWebApi(config);
    }

    private static void ConfigureOAuth(IAppBuilder app, ISettings settings)
    {
        var oAuthServerOptions = new OAuthAuthorizationServerOptions()
        {
            AllowInsecureHttp = true,
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
            Provider = new SimpleAuthorizationServerProvider(),
            RefreshTokenProvider = new SimpleRefreshTokenProvider(),
        };

        // Token Generation
        app.UseOAuthAuthorizationServer(oAuthServerOptions);

        app.Use(async (context, next) => { await next.Invoke(); });
    }

    private void ConfigureAuth(IAppBuilder app, ISettings settings)
    {
        // Work-around to fix Katana issue 197: https://katanaproject.codeplex.com/workitem/197
        // https://github.com/KentorIT/owin-cookie-saver
        // app.UseKentorOwinCookieSaver();
        app.SetDefaultSignInAsAuthenticationType(WsFederationAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType,
            CookieManager = new SystemWebCookieManager()
        });

        app.UseWsFederationAuthentication(
            new WsFederationAuthenticationOptions
            {
                Wtrealm = settings.WsFedRealm,
                MetadataAddress = settings.WsFedMetadataUrl,
                TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = ClaimsExtensions.WurNameIdentifier,
                    SaveSigninToken = true
                },
                Notifications = new WsFederationAuthenticationNotifications
                {
                    MessageReceived = context =>
                    {
                        Log.Info($"Message received {context.ProtocolMessage}");
                        return Task.FromResult(0);
                    },
                    RedirectToIdentityProvider = context =>
                    {
                        Log.Info($"Redirect to identity provider {context?.Request?.Uri?.AbsolutePath}");
                        return Task.FromResult(0);
                    },
                    SecurityTokenValidated = context =>
                    {
                        Log.Info("Security token validated");
                        return Task.FromResult(0);
                    },
                    SecurityTokenReceived = context =>
                    {
                        Log.Info($"SecurityTokenReceived {context?.Response?.ReasonPhrase}");
                        return Task.FromResult(0);
                    },
                    AuthenticationFailed = context =>
                    {
                        context.HandleResponse();
                        context.Response.Redirect("~/Error?message=" + context.Exception.Message);
                        return Task.FromResult(0);
                    }
                }
            });

        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
    }