OWIN - Authentication.SignOut() doesn't remove cookies

Problem description

I have an MVC Web App in Azure with AD authentication. When I run the website locally, it signs in and out just fine, using Azure AD. But the signout on my deployed Azure website does not work. The user remains authenticated, so the SignOutCallback action always redirects to Home/Index.

This is out-of-the-box code that was created when I created the project.

using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;

public class AccountController : Controller
{
    /// <summary>
    /// Use this method to sign into the website
    /// </summary>
    public void SignIn()
    {
        // Send an OpenID Connect sign-in request.
        if (!Request.IsAuthenticated)
        {
            HttpContext.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" },
                OpenIdConnectAuthenticationDefaults.AuthenticationType);
        }
    }

    /// <summary>
    /// Use this method to sign out of the website
    /// </summary>
    public void SignOut()
    {
        // Absolute URL of the action the identity provider returns to after sign-out.
        string callbackUrl = Url.Action("SignOutCallback", "Account", routeValues: null, protocol: Request.Url.Scheme);

        // Sign out of both the OpenID Connect middleware (Azure AD session) and the
        // local cookie middleware (the .AspNet.Cookies session cookie).
        Request.GetOwinContext().Authentication.SignOut(
            new AuthenticationProperties { RedirectUri = callbackUrl },
            OpenIdConnectAuthenticationDefaults.AuthenticationType,
            CookieAuthenticationDefaults.AuthenticationType);
    }

    /// <summary>
    /// Use this method to redirect to Home page, once the request has been authenticated
    /// </summary>
    /// <returns>An <see cref="ActionResult"/> object.</returns>
    public ActionResult SignOutCallback()
    {
        if (Request.IsAuthenticated)
        {
            // Redirect to home page if the user is authenticated.
            return RedirectToAction("Index", "Home");
        }

        return View();
    }
}

I found a post here with similar issues and have tried what it suggested but it did not work for me.

Has anyone else run into this issue?

Recommended answer

I have figured out what the issue is. The out-of-the-box MVC Web App in Azure with AD authentication that I created uses AspNet cookies, which GetOwinContext().Authentication.SignOut clears. And this was working fine for me on localhost. The issue arose when I deployed it to Azure and then configured the website in the new Azure portal to use AD authentication. It appears to convert the website into an Azure App Service. Now the cookies are AppServiceAuthSession cookies - no longer the AspNet cookies. Thus, the logout no longer works.

Below is the reply from the Microsoft representative I worked with:

I did some more research around this, and spoke with both the Azure AD teams and Azure Websites teams. Apparently that new portal setting takes care of all the auth components for you. So really you have two approaches to setting up Azure AD auth against your website. You can do it through code like you see in that Out of the Box ASP.NET MVC project, where you have access to the AccountController.

Or the other approach is to just let Azure handle it for you by enabling that setting in the new Azure portal. When you let the new Azure portal do it then it uses a different session cookie name and different logout logic. It appears that automatic auth doesn’t play well with the coded logout logic.

So your workaround is correct. You basically have two workarounds here to get an MVC app up and running that supports Azure AD authentication:

  1. Create an MVC app that supports AAD auth through code. Manually add the application to that Azure AD tenant's Applications list to set up the trust. Handle login/logout through code in your MVC app.
  2. Create an MVC app that doesn't have any auth logic. Configure it to support Azure AD auth through the new portal. Add some specific links for logging in and logging out. For this second scenario I recommend you pull down and play with the sample here: https://github.com/btardif/Websites-Authentication-Authorization. That sample, you can see, supports a Sign Out link, but it taps into the new Authentication/Authorization settings in that new portal. Deploy that sample to a new website, enable Auth settings in the new portal, and you'll see the signout works and properly deletes those auth session cookies.
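As an added example (not code from the question, the answer or the linked sample), here is a SignOut action that covers both setups the answer describes: when the request carries the AppServiceAuthSession cookie the session belongs to App Service Authentication, so the action hands the logout to the platform; otherwise it runs the OWIN sign-out from the template. The `/.auth/logout` endpoint and its `post_logout_redirect_uri` query parameter are not on this page and are taken from the App Service Authentication documentation; the callback also treats a surviving platform cookie as "still signed in" so a logout that did nothing is noticed rather than rendering the signed-out view.

```csharp
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;

public class AccountController : Controller
{
    // Session cookie issued when authentication is switched on in the Azure portal
    // (the cookie name the answer above identifies).
    private const string AppServiceAuthCookie = "AppServiceAuthSession";

    // App Service Authentication's own logout endpoint (not mentioned on this page;
    // taken from the App Service documentation). OWIN's SignOut never clears its cookie.
    private const string AppServiceLogoutPath = "/.auth/logout";

    public ActionResult SignOut()
    {
        string callbackUrl = Url.Action("SignOutCallback", "Account", routeValues: null, protocol: Request.Url.Scheme);

        if (Request.Cookies[AppServiceAuthCookie] != null)
        {
            // Portal-configured auth: the session lives in the platform cookie, so the
            // platform must end it. post_logout_redirect_uri tells it where to return.
            return Redirect(AppServiceLogoutPath + "?post_logout_redirect_uri=" + HttpUtility.UrlEncode(callbackUrl));
        }

        // Code-configured auth (the original template path): clear the OWIN cookie and
        // send the OpenID Connect end-session request to Azure AD.
        Request.GetOwinContext().Authentication.SignOut(
            new AuthenticationProperties { RedirectUri = callbackUrl },
            OpenIdConnectAuthenticationDefaults.AuthenticationType,
            CookieAuthenticationDefaults.AuthenticationType);
        return new EmptyResult();
    }

    public ActionResult SignOutCallback()
    {
        // A surviving platform cookie means the user is still signed in even if the OWIN
        // principal is gone; bounce to Home instead of rendering the signed-out page.
        bool platformSessionRemains = Request.Cookies[AppServiceAuthCookie] != null;
        if (Request.IsAuthenticated || platformSessionRemains)
        {
            return RedirectToAction("Index", "Home");
        }
        return View();
    }
}
```

The cookie check works server-side even though the cookie is HttpOnly, since HttpOnly only hides it from script in the browser, not from the request the server receives.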
