signin-oidc也尝试调用内部FQDN [英] signin-oidc Also Tries to Call Internal FQDN

问题描述

我们有一个使用OpenId Connect身份验证协议的ASP.NET Core应用程序.在Azure AD B2C中，我们设置了外部FQDN(域别名)( https://externallink.company.com )作为重定向URI.我们注意到的是，重定向到 https://externallink.company.com/signin-oidc然后将其重定向到内部FQDN https://internallink.company.com/signin-oidc这是Azure中应用程序服务的URL.内部链接无法在公司网络外部访问，应该保持这种状态.

We have an ASP.NET Core application that uses the OpenId Connect authentication protocol. In Azure AD B2C we setup the external FQDN (domain alias) (https://externallink.company.com) as the redirect URI. What we noticed is that after redirecting to https://externallink.company.com/signin-oidc it then redirects to the internal FQDN https://internallink.company.com/signin-oidc which is the URL of the App Service in Azure. The internal link is not accessible outside the company's network and should stay that way.

我们得到的错误是:

redirect_uri_mismatch& error_description = AADB2C90006:请求中提供的重定向URI'https://internallink.company.com/signin-oidc'未为客户端ID'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx'注册. ％0D％0A关联ID

redirect_uri_mismatch&error_description=AADB2C90006: The redirect URI 'https://internallink.company.com/signin-oidc' provided in the request is not registered for the client id 'xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx'.%0D%0ACorrelation ID

这是我们在Startup类中设置身份验证的方式.

This is how we have setup the authentication in the Startup class.

我是否应该专门放置Call​​back路径，以便OpenId不会尝试调用内部FQDN?

Should I specifically put the Callback path so that OpenId does not attempt to call the internal FQDN?

更新:

如果我尝试将内部FQDN添加到重定向URI列表中，则可以登录，但之后会出现此错误(URL为

If I try to add the internal FQDN in the list of redirect URIs I will be able to sign in but afterwards I will get this error (URL is https://internallink.company.com/signin-oidc). This is expected because as I've mentioned the internal URL cannot be accessed via the public internet.

更新2:

基于WAF的日志，它不会重定向到 https://internallink.com/signin-oidc .验证之后，它转到 https://externallink.com/api/foo ，这是理想的结果.

Based from the logs of WAF it does not redirect to https://internallink.com/signin-oidc. After authenticating it goes to https://externallink.com/api/foo which is the desired outcome.

推荐答案

似乎我能够自行解决此问题.我只需要将OnRedirectToIdentityProvider事件下的ProtocolMessage.RedirectUri设置为外部FQDN.

It seems that I was able to solve this problem on my own. I just have to set the ProtocolMessage.RedirectUri under the OnRedirectToIdentityProvider event to the external FQDN.

services.AddAuthentication(options => { ... })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
       ...

       options.Events.OnRedirectToIdentityProvider = context => 
       {
           context.ProtocolMessage.RedirectUri = "https://externallink.com/signin-oidc";
           return Task.FromResult(0);
       };
    });

这篇关于signin-oidc也尝试调用内部FQDN的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！