Web app that signs in users: Sign-in and sign-out

Learn how to add sign-in to the code for your web app that signs in users. Then, learn how to let them sign out.

Sign-in

Sign-in consists of two parts:

  • The sign-in button on the HTML page
  • The sign-in action in the code-behind in the controller

Sign-in button

In ASP.NET Core, for Microsoft identity platform applications, the Sign in button is exposed in Views\Shared\_LoginPartial.cshtml (for an MVC app) or Pages\Shared\_LoginPartial.cshtml (for a Razor app). It's displayed only when the user isn't authenticated, that is, when the user hasn't yet signed in or has signed out. Conversely, the Sign out button is displayed when the user is already signed in. Note that the Account controller is defined in the Microsoft.Identity.Web.UI NuGet package, in the area named MicrosoftIdentity.

<ul class="navbar-nav">
  @if (User.Identity.IsAuthenticated)
  {
    <li class="nav-item">
        <span class="navbar-text text-dark">Hello @User.Identity.Name!</span>
    </li>
    <li class="nav-item">
        <a class="nav-link text-dark" asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="SignOut">Sign out</a>
    </li>
  }
  else
  {
    <li class="nav-item">
        <a class="nav-link text-dark" asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="SignIn">Sign in</a>
    </li>
  }
</ul>

SignIn action of the controller

In ASP.NET, selecting the Sign in button in the web app triggers the SignIn action on the AccountController controller. In previous versions of the ASP.NET Core templates, the Account controller was embedded in the web app. That's no longer the case, because the controller is now part of the Microsoft.Identity.Web.UI NuGet package. See AccountController.cs for details.

This controller also handles Azure AD B2C applications.
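The following is an added example of what a sign-in action has to do; it is not the AccountController shipped in Microsoft.Identity.Web.UI, and DemoAccountController, its route and the redirectUri query parameter are assumptions made for this example. The point it adds to the text above is that the action issues an OpenID Connect challenge, and that the return URL it accepts must be validated as local so the action cannot be used as an open redirect after authentication.

```csharp
// Added example, not code from Microsoft.Identity.Web.UI: a minimal sign-in action
// equivalent to the one the Sign in button above targets.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace SignInDemo.Controllers
{
    // Hypothetical controller: reachable as /DemoAccount/SignIn in this example.
    [AllowAnonymous]
    [Route("[controller]/[action]")]
    public class DemoAccountController : Controller
    {
        // GET /DemoAccount/SignIn?redirectUri=/Home/Privacy
        [HttpGet]
        public IActionResult SignIn([FromQuery] string redirectUri = "/")
        {
            // Accept only local return URLs. An absolute URL here would let a crafted
            // link bounce the user to an external site once authentication completes.
            if (string.IsNullOrEmpty(redirectUri) || !Url.IsLocalUrl(redirectUri))
            {
                redirectUri = "/";
            }

            var properties = new AuthenticationProperties { RedirectUri = redirectUri };

            // Challenge() hands control to the OpenID Connect middleware, which redirects
            // the browser to the Microsoft identity platform authorize endpoint. The scheme
            // name must match the one registered in Startup ("OpenIdConnect" by default).
            return Challenge(properties, OpenIdConnectDefaults.AuthenticationScheme);
        }
    }
}
```

To point the partial view at this controller instead of the package's, the link would use asp-controller="DemoAccount" with no asp-area; the RedirectUri is stored in the authentication state that the middleware round-trips through the sign-in, so the user lands on that local page after the callback.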

After the user has signed in to your app, you'll want to enable them to sign out.

Sign-out

Signing out from a web app involves more than removing the information about the signed-in account from the web app's state. The web app must also redirect the user to the Microsoft identity platform logout endpoint to sign out.

When your web app redirects the user to the logout endpoint, this endpoint clears the user's session from the browser. If your app doesn't go to the logout endpoint, the user will reauthenticate to your app without entering their credentials again, because they still have a valid single sign-on session with the Microsoft identity platform endpoint.

To learn more, see the Send a sign-out request section in the Microsoft identity platform and the OpenID Connect protocol documentation.

Application registration

During application registration, you register a post-logout URI. In our tutorial, you registered https://localhost:44321/signout-oidc in the Logout URL field of the Advanced settings section on the Authentication page. For details, see Register the webApp app.

Sign-out button

In ASP.NET, selecting the Sign out button in the web app triggers the SignOut action on the AccountController controller (see below).

<ul class="navbar-nav">
  @if (User.Identity.IsAuthenticated)
  {
    <li class="nav-item">
        <span class="navbar-text text-dark">Hello @User.Identity.Name!</span>
    </li>
    <li class="nav-item">
        <a class="nav-link text-dark" asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="SignOut">Sign out</a>
    </li>
  }
  else
  {
    <li class="nav-item">
        <a class="nav-link text-dark" asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="SignIn">Sign in</a>
    </li>
  }
</ul>

SignOut action of the controller

In previous versions of the ASP.NET Core templates, the Account controller was embedded in the web app. That's no longer the case, because the controller is now part of the Microsoft.Identity.Web.UI NuGet package. See AccountController.cs for details. The SignOut action:

  • Sets an OpenID redirect URI to /Account/SignedOut so that the controller is called back when Azure AD has completed the sign-out.

  • Calls SignOut(), which lets the OpenID Connect middleware contact the Microsoft identity platform logout endpoint. The endpoint then:

    • Clears the session cookie from the browser.
    • Calls back the logout URL. By default, the logout URL displays the signed-out view page SignedOut.cshtml.cs. This page is also provided as part of Microsoft.Identity.Web.

Intercepting the call to the logout endpoint

The post-logout URI enables applications to participate in the global sign-out.

The ASP.NET Core OpenID Connect middleware enables your app to intercept the call to the Microsoft identity platform logout endpoint by providing an OpenID Connect event named OnRedirectToIdentityProviderForSignOut. This is handled automatically by Microsoft.Identity.Web (which clears accounts in the case where your web app calls web APIs).
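The following added example covers both the SignOut action steps listed above and the OnRedirectToIdentityProviderForSignOut interception. It is not the AccountController from Microsoft.Identity.Web.UI nor the tutorial's project code; DemoAccountController, its routes, the "AzureAd" configuration section name and the log message are assumptions made for this example. It shows the two things the text describes: the action signs out of both the cookie scheme and the OpenID Connect scheme with a callback to a local SignedOut page, and the Startup wraps the event handler that Microsoft.Identity.Web already installed rather than overwriting it, so the package's account clean-up still runs.

```csharp
// Added example, not Microsoft.Identity.Web code: a sign-out action plus an
// observer for the redirect to the Microsoft identity platform logout endpoint.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Identity.Web;

namespace SignOutDemo
{
    [Route("[controller]/[action]")]
    public class DemoAccountController : Controller
    {
        // Reachable as /DemoAccount/SignOut so a link can use asp-action="SignOut".
        // The method is named SignOutUser so it does not hide ControllerBase.SignOut().
        [HttpGet]
        [ActionName("SignOut")]
        public IActionResult SignOutUser()
        {
            // Absolute URL the identity platform returns the browser to when it is done.
            // It must match a Logout URL registered for the app.
            string callbackUrl = Url.Action("SignedOut", "DemoAccount", values: null, protocol: Request.Scheme);
            var properties = new AuthenticationProperties { RedirectUri = callbackUrl };

            // Cookie scheme: drops the local session. OIDC scheme: redirects to the logout
            // endpoint so the identity platform session is cleared too. Dropping only the
            // cookie leaves a valid single sign-on session and the next sign-in is silent.
            return SignOut(properties,
                CookieAuthenticationDefaults.AuthenticationScheme,
                OpenIdConnectDefaults.AuthenticationScheme);
        }

        // Post-logout callback target.
        [HttpGet]
        public IActionResult SignedOut()
        {
            if (User.Identity != null && User.Identity.IsAuthenticated)
            {
                // Local session still alive: the logout round-trip did not complete,
                // so do not show a page that claims the user is signed out.
                return RedirectToAction("Index", "Home");
            }
            return View();
        }
    }

    public class Startup
    {
        public Startup(IConfiguration configuration) => Configuration = configuration;
        public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {
            // OpenID Connect + cookie handlers from the assumed "AzureAd" section.
            services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                    .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));

            // Runs after AddMicrosoftIdentityWebApp configured the options, so the event
            // already holds the package's handler: keep it and call it after our logging.
            services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
            {
                var existingHandler = options.Events.OnRedirectToIdentityProviderForSignOut;
                options.Events.OnRedirectToIdentityProviderForSignOut = async context =>
                {
                    var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<Startup>>();
                    logger.LogInformation(
                        "Sending {User} to logout endpoint {Endpoint}, post-logout redirect {Redirect}",
                        context.HttpContext.User.Identity?.Name,
                        context.ProtocolMessage.IssuerAddress,
                        context.ProtocolMessage.PostLogoutRedirectUri);

                    if (existingHandler != null)
                    {
                        await existingHandler(context);
                    }
                };
            });

            services.AddControllersWithViews();
        }

        public void Configure(IApplicationBuilder app)
        {
            app.UseRouting();
            app.UseAuthentication();
            app.UseAuthorization();
            app.UseEndpoints(endpoints => endpoints.MapControllers());
        }
    }
}
```

The logged post_logout_redirect_uri is a useful thing to check in development: if it is not the URL registered as the app's Logout URL, the identity platform will not return the browser to SignedOut and the local cookie will have been cleared without the global sign-out being confirmed.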

Protocol

If you want to learn more about sign-out, read the protocol documentation that's available from OpenID Connect.

Next steps