signin-oidc也尝试调用内部FQDN [英] signin-oidc Also Tries to Call Internal FQDN
问题描述
我们有一个使用OpenId Connect身份验证协议的ASP.NET Core应用程序.在Azure AD B2C中,我们设置了外部FQDN(域别名)( https://externallink.company.com )作为重定向URI.我们注意到的是,重定向到 https://externallink.company.com/signin-oidc然后将其重定向到内部FQDN https://internallink.company.com/signin-oidc这是Azure中应用程序服务的URL.内部链接无法在公司网络外部访问,应该保持这种状态.
We have an ASP.NET Core application that uses the OpenId Connect authentication protocol. In Azure AD B2C we setup the external FQDN (domain alias) (https://externallink.company.com) as the redirect URI. What we noticed is that after redirecting to https://externallink.company.com/signin-oidc it then redirects to the internal FQDN https://internallink.company.com/signin-oidc which is the URL of the App Service in Azure. The internal link is not accessible outside the company's network and should stay that way.
我们得到的错误是:
redirect_uri_mismatch& error_description = AADB2C90006:请求中提供的重定向URI'https://internallink.company.com/signin-oidc'未为客户端ID'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx'注册. %0D%0A关联ID
redirect_uri_mismatch&error_description=AADB2C90006: The redirect URI 'https://internallink.company.com/signin-oidc' provided in the request is not registered for the client id 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx'.%0D%0ACorrelation ID
这是我们在Startup类中设置身份验证的方式.
This is how we have setup the authentication in the Startup class.
我是否应该专门放置Callback路径,以便OpenId不会尝试调用内部FQDN?
Should I specifically put the Callback path so that OpenId does not attempt to call the internal FQDN?
更新:
如果我尝试将内部FQDN添加到重定向URI列表中,则可以登录,但之后会出现此错误(URL为
If I try to add the internal FQDN in the list of redirect URIs I will be able to sign in but afterwards I will get this error (URL is https://internallink.company.com/signin-oidc). This is expected because as I've mentioned the internal URL cannot be accessed via the public internet.
更新2:
基于WAF的日志,它不会重定向到 https://internallink.com/signin-oidc .验证之后,它转到 https://externallink.com/api/foo ,这是理想的结果.
Based from the logs of WAF it does not redirect to https://internallink.com/signin-oidc. After authenticating it goes to https://externallink.com/api/foo which is the desired outcome.
推荐答案
似乎我能够自行解决此问题.我只需要将OnRedirectToIdentityProvider
事件下的ProtocolMessage.RedirectUri
设置为外部FQDN.
It seems that I was able to solve this problem on my own. I just have to set the ProtocolMessage.RedirectUri
under the OnRedirectToIdentityProvider
event to the external FQDN.
services.AddAuthentication(options => { ... })
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
...
options.Events.OnRedirectToIdentityProvider = context =>
{
context.ProtocolMessage.RedirectUri = "https://externallink.com/signin-oidc";
return Task.FromResult(0);
};
});
这篇关于signin-oidc也尝试调用内部FQDN的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!