IDX21323 OpenIdConnectProtocolValidationContext.Nonce 为空，OpenIdConnectProtocolValidatedIdToken.Payload.Nonce 不为空 [英] IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Payload.Nonce was not null

问题描述

我正在尝试验证 Azure AD 和 Graph 的 Intranet(基于 Orchard CMS)，这在我的本地计算机上按预期运行，但是，当访问将成为生产站点时(已经设置了 ssl我们内部的dns)，有时会出现上述错误，相对不一致，我部门的其他人在访问时通常会出现此错误.

I'm attempting to authenticate for Azure AD and Graph for an Intranet (Based off Orchard CMS), this functions as expected on my local machine, however, when accessing what will be the production site (already set up with ssl on our internal dns), I get the above error at times, it's relatively inconsistent, others in my department while accessing usually get this error.

我的认证控制器如下:

public void LogOn()
    {
        if (!Request.IsAuthenticated)
        {

            // Signal OWIN to send an authorization request to Azure.
            HttpContext.GetOwinContext().Authentication.Challenge(
              new AuthenticationProperties { RedirectUri = "/" },
              OpenIdConnectAuthenticationDefaults.AuthenticationType);
        }
    }

    public void LogOff()
    {
        if (Request.IsAuthenticated)
        {
            ClaimsPrincipal _currentUser = (System.Web.HttpContext.Current.User as ClaimsPrincipal);

            // Get the user's token cache and clear it.
            string userObjectId = _currentUser.Claims.First(x => x.Type.Equals(ClaimTypes.NameIdentifier)).Value;

            SessionTokenCache tokenCache = new SessionTokenCache(userObjectId, HttpContext);
            HttpContext.GetOwinContext().Authentication.SignOut(OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);
        }

        SDKHelper.SignOutClient();

        HttpContext.GetOwinContext().Authentication.SignOut(
          OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);
    }

我的openid选项配置如下:

My openid options are configured as follows:

AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;

        var openIdOptions = new OpenIdConnectAuthenticationOptions
        {
            ClientId = Settings.ClientId,
            Authority = "https://login.microsoftonline.com/common/v2.0",
            PostLogoutRedirectUri = Settings.LogoutRedirectUri,
            RedirectUri = Settings.LogoutRedirectUri,
            Scope = "openid email profile offline_access " + Settings.Scopes,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = false,
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = async (context) =>
                {
                    var claim = ClaimsPrincipal.Current;
                    var code = context.Code;                        

                    string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;


                    TokenCache userTokenCache = new SessionTokenCache(signedInUserID,
                        context.OwinContext.Environment["System.Web.HttpContextBase"] as HttpContextBase).GetMsalCacheInstance();
                    ConfidentialClientApplication cca = new ConfidentialClientApplication(
                        Settings.ClientId,
                        Settings.LogoutRedirectUri,
                        new ClientCredential(Settings.AppKey),
                        userTokenCache,
                        null);


                    AuthenticationResult result = await cca.AcquireTokenByAuthorizationCodeAsync(code, Settings.SplitScopes.ToArray());
                },
                AuthenticationFailed = (context) =>
                {
                    context.HandleResponse();
                    context.Response.Redirect("/Error?message=" + context.Exception.Message);
                    return Task.FromResult(0);
                }
            }
            };

        var cookieOptions = new CookieAuthenticationOptions();
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(cookieOptions);

        app.UseOpenIdConnectAuthentication(openIdOptions);

在 apps.dev.microsoft.com 和我们本地化的网络配置中，重定向的 url 保持一致.

The url for redirection is kept consistent both at apps.dev.microsoft.com and in our localized web config.

推荐答案

就我而言，这是一个非常奇怪的问题，因为并不是每个人都会遇到这种问题，只有少数客户和开发人员会遇到这个问题.

In my case, this was a very weird problem because it didn't happen in for everyone, only few clients and devs have this problem.

如果您仅在 chrome(或具有相同引擎的浏览器)中遇到此问题，您可以尝试将 chrome 上的此标志设置为禁用.

If you are having this problem in chrome only (or a browser that have the same engine) you could try setting this flag on chrome to disabled.

这里发生的情况是 chrome 具有不同的安全规则，即如果在没有 Secure 属性的情况下设置了没有 SameSite 限制的 cookie，它将被拒绝".所以你可以禁用这个规则，它会起作用.

What happens here is that chrome have this different security rule that " If a cookie without SameSite restrictions is set without the Secure attribute, it will be rejected". So you can disable this rule and it will work.

或者，您也可以设置 Secure 属性，但我不知道该怎么做；(

OR, you can set the Secure attribute too, but I don't know how to do that ;(

这篇关于IDX21323 OpenIdConnectProtocolValidationContext.Nonce 为空，OpenIdConnectProtocolValidatedIdToken.Payload.Nonce 不为空的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！