Azure Active Directory Safari重定向问题 [英] Azure Active Directory Safari Redirection Issue

问题描述

使用最新版本的Safari（12）在Mac OS和iOS设备上登录Microsoft Online似乎存在当前问题。

There seems to be a current issue with logging into Microsoft Online with Mac OS and iOS devices utilizing the newest version of Safari (12).

Safari 12的更新如下所示： https://developer.apple.com/safari/whats-new/

The updates on Safari 12 are shown here: https://developer.apple.com/safari/whats-new/

由于某些新的安全性和隐私更新，似乎是一个cookie问题，它会在登录到端点时导致无限重定向： http://login.microsoftonline.com

Due to some of the new Security and Privacy updates, there seems to be a cookie issue that is causing infinite redirection when logging into the endpoint: http://login.microsoftonline.com

此新更新使Apple设备用户上的Safari登录时进入重定向无限循环。

This new update causes Safari on Apple device users to go into a redirect infinite loop when logging in.

这很可能是由于Safari不允许Microsoft cookie通过，这导致Microsoft服务器重定向回登录页面以获取所需的cookie。但是，浏览器仍然具有一些身份信息，这些信息会使用户再次自动登录，从而重定向到服务器。 cookie仍未随请求一起发送，导致服务器将用户发送回登录页面。来自服务器和浏览器的这种重定向似乎是无限重定向背后的主要原因。

This is most likely due to Safari not letting the Microsoft cookie through, which causes Microsoft's servers to redirect back to the login page to get the cookie required. However, the browser still has some identity information which causes the user to automatically log in again, redirecting to the server. The cookie is still not sent along with the request, causing the server to send the user back to the login page. This redirection from server and browser seems to be the main reason behind the infinite redirection.

是否有任何更新，推理或解决方案来解决/解决Safari和Microsoft登录重定向问题背后的问题？

Is there any update, reasoning, or resolution to resolve/workaround the problem behind the Safari and Microsoft login redirection issue?

推荐答案

在GitHub上有一个由aspnet / security团队记录的解决方案。

There is a solution documented by the aspnet/security team on GitHub.

https://github.com/aspnet/Security/issues/1864

如果您使用的是ASP.NET Core Identity，则可以通过
使用以下代码配置cookie来禁用保护

If you are using ASP.NET Core Identity you disable the protection by configuring cookies with the following code

services.ConfigureExternalCookie(options => {
    // Other options
    options.Cookie.SameSite = SameSiteMode.None; }); services.ConfigureApplicationCookie(options => {
    // Other options
    options.Cookie.SameSite = SameSiteMode.None; });

如果使用没有ASP.NET Core身份的cookie身份验证，则可以使用以下代码关闭
保护

If you are using cookie authentication without ASP.NET Core identity you can turn off the protection with the following code

services.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => {
    // Other options
    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None; })

如果使用外部OIDC提供程序，则可以通过更改提供程序使用的响应模式来避免
问题从POST到
a GET请求，使用以下代码。并非所有提供程序都可以支持
。

If you are using external OIDC providers you may be able to avoid the issue by changing the response mode your provider uses from a POST to a GET request, using the following code. Not all providers may support this.

.AddOpenIdConnect("myOIDProvider", options => {
    // Other options
    options.ResponseType = "code";
    options.ResponseMode = "query";
};

这篇关于Azure Active Directory Safari重定向问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！