Identity Server 4注册后自动登录

Question

我希望用户在注册到MVC应用程序后自动登录(现在不需要电子邮件验证)，我遵循了IdSrv3的这个示例，并编辑了一些部分：

http://benfoster.io/blog/identity-server-post-registration-sign-in

下面是我的设置：

MVC：

public class AuthController : Controller
{
    [HttpGet]
    [AllowAnonymous]
    public async Task LogIn()
    {
        var properties = new AuthenticationProperties
        {
            RedirectUri = Url.Action("index", "home", HttpContext.Request.GetUri().Scheme)
        };

       await HttpContext.Authentication.ChallengeAsync(properties);
    }

    [HttpGet]
    [AllowAnonymous]
    public IActionResult Register()
    {
        var returnUrl = $"http://localhost:5002/auth/login";
        return Redirect($"http://localhost:5000/Account/Register?returnUrl={returnUrl}");
    }
}

使用ASp.Net核心身份的身份服务器4

[Authorize]
    public class AccountController : Controller
    {
       //
        // GET: /Account/Register
        [HttpGet]
        [AllowAnonymous]
        public IActionResult Register(string returnUrl = null)
        {
           ViewData["ReturnUrl"] = returnUrl;
           return View();
        }

    //
    // POST: /Account/Register
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Register(RegisterViewModel model, string returnUrl = null)
    {
        ViewData["ReturnUrl"] = returnUrl;
        if (ModelState.IsValid)
        {
            var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
            var result = await _userManager.CreateAsync(user, model.Password);
            if (result.Succeeded)
            {
                var otac = user.GenerateOTAC(TimeSpan.FromMinutes(1));
                await _userManager.UpdateAsync(user);
                await _signInManager.SignInAsync(user, isPersistent: false);
                _logger.LogInformation(3, "User created a new account with password.");
                if (string.IsNullOrEmpty(returnUrl))
                {
                    return RedirectToAction(nameof(HomeController.Index), "Home");
                }
                else
                {
                    return Redirect(returnUrl);
                }
            }
            AddErrors(result);
        }

        // If we got this far, something failed, redisplay form
        return View(model);
    }
}

正如示例所示，我无法实现OTAC握手，因为在IdSrv 4中不再有用户服务。

该场景的工作原理如下：

1-用户点击MVC app中的“注册”，重定向到IdSrv帐户->注册，传递MVC Auth->作为返回URI登录。2-用户在IdSrv中完成注册后，执行另一个重定向以返回到MVC Auth->Login。3- MVC Auth->Login创建一个质询，由于用户已经在注册过程中使用cookie登录，因此身份验证cookie被合并(根据IdSrv日志)，并且没有出现登录屏幕，现在用户已经登录并登录到MVC应用程序。

这个设置有什么安全漏洞吗?有没有办法在IdSrv4中实现OTAC握手？

谢谢,

Answer 1

在你的情况下，也许这是可行的

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Register(RegisterViewModel model, string returnUrl = null)
{
    ViewData["ReturnUrl"] = returnUrl;
    if (ModelState.IsValid)
    {
        var user = new ApplicationUser { UserName = model.Email, Email = model.Email 
        var result = await _userManager.CreateAsync(user, model.Password);
        if (result.Succeeded)
        {
            await _signInManager.SignInAsync(user, isPersistent: false);
            return LocalRedirect(returnUrl);
        }
        AddErrors(result);
    }

    // If we got this far, something failed, redisplay form
    return View(model);
}