RequireNonce is 'true' (default) but validationContext.Nonce is null in Azure Traffic Manager, OpenIdConnectAuthentication


Problem description


I have my website (Azure App Service) deployed in two regions under Microsoft Azure: https://abcd1-westus.azurewebsites.net/ and https://abcd2-centralus.azurewebsites.net/
I created a Traffic Manager Profile to control the distribution of user traffic for service endpoints. The DNS name of the Traffic Manager Profile is "http://abcd.trafficmanager.net". Authentication is done by Azure AD. Once we try to access the Traffic Manager DNS URL, it prompts for AAD login, redirects to https://abcd2.azurewebsites.net and the yellow page error comes up:

"IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'."

If I open an individual website URL it works perfectly. I have used the below code in StartUp.Auth.cs. I am using Microsoft.Owin.Security.OpenIdConnect, Version 3.1.0.0

using System;
using System.Configuration;
using System.Threading.Tasks;
using System.Web;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    string secretKey = ConfigurationManager.AppSettings["AppKey"];
    string clientId = ConfigurationManager.AppSettings["ClientId"];
    string authority = ConfigurationManager.AppSettings["Authority"];
    string resource = ConfigurationManager.AppSettings["Resource"];
    string redirectUri = ConfigurationManager.AppSettings["RedirectUri"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUri,
                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    // Overrides the configured RedirectUri with whatever host the
                    // current request arrived on (this is the behaviour under discussion).
                    RedirectToIdentityProvider = async n => {
                        n.ProtocolMessage.RedirectUri = n.OwinContext.Request.Uri.ToString();
                    },
                    AuthorizationCodeReceived = OnAuthorizationCodeReceived
                }
            });
    }

    // Redeems the authorization code for an access token to the configured resource
    // using ADAL; the redeem URI must match the redirect_uri sent in the request.
    private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
    {
        var code = context.Code;
        ClientCredential credential = new ClientCredential(clientId, secretKey);
        string userObjectID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
        AuthenticationContext authContext = new AuthenticationContext(authority, new NaiveSessionCache(userObjectID));
        Uri uri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
        AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(code, uri, credential, resource);
    }
}


Please help me to resolve this issue. Production is close :(

Recommended answer


The problem is you can't mix the traffic manager URL and the Web App URLs.


The nonce cookie is set on the TM domain and the redirect back comes on a different domain. So the nonce cookie is not found.


So the URL the user sees in the address bar should be the same all the time. If they access the site over https://abc.trafficmanager.net, then Azure AD needs to redirect them to https://abc.trafficmanager.net after authentication. It must not use the azurewebsites.net URL at any time.
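One way to enforce what this answer describes in the OWIN pipeline, as added example code that is not from the question or the answer: requests that reach a regional azurewebsites.net host are redirected to the Traffic Manager host before authentication starts, and the reply URL is fixed to that host instead of being derived from the incoming request. The app settings PublicBaseUri and ProbePath are hypothetical; the probe exemption exists because Traffic Manager health probes hit each regional endpoint directly and should not be redirected.

```csharp
using System;
using System.Configuration;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Hypothetical app settings: the one hostname users should ever see
    // (e.g. https://abcd.trafficmanager.net) and the path Traffic Manager probes
    // directly on each regional endpoint (e.g. /health).
    static readonly Uri PublicBaseUri = new Uri(ConfigurationManager.AppSettings["PublicBaseUri"]);
    static readonly string ProbePath = ConfigurationManager.AppSettings["ProbePath"];

    public void ConfigureAuth(IAppBuilder app)
    {
        // 1. Canonical-host redirect, registered before any auth middleware: a request
        //    arriving on an azurewebsites.net host is sent to the Traffic Manager host,
        //    so the nonce cookie and the reply from Azure AD land on the same domain.
        app.Use(async (ctx, next) =>
        {
            bool isProbe = string.Equals(ctx.Request.Path.Value, ProbePath, StringComparison.OrdinalIgnoreCase);
            if (!isProbe && !IsPublicHost(ctx.Request.Host.Value))
            {
                ctx.Response.Redirect(OnPublicHost(ctx.Request.Path.Value, ctx.Request.QueryString.Value));
                return;
            }
            await next();
        });

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ConfigurationManager.AppSettings["ClientId"],
            Authority = ConfigurationManager.AppSettings["Authority"],
            // 2. Fixed reply URL on the public host, registered as a reply URL in Azure AD.
            //    No RedirectToIdentityProvider override replaces it with the request's host;
            //    the middleware returns the user to the originally requested path itself.
            RedirectUri = OnPublicHost("/", "")
        });
    }

    static bool IsPublicHost(string host) =>
        string.Equals(host, PublicBaseUri.Authority, StringComparison.OrdinalIgnoreCase);

    // Rebuilds an absolute URL for the given path and query on the public host.
    static string OnPublicHost(string path, string query) =>
        new UriBuilder(PublicBaseUri) { Path = path, Query = query }.Uri.ToString();
}
```

The host comparison assumes the public host is served on its default port; if the app is also reached over a custom domain, that host must be added to the allowed set as well.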
