Azure Active Directory Safari Redirection Issue


Problem description

There seems to be a current issue with logging into Microsoft Online with Mac OS and iOS devices utilizing the newest version of Safari (12).

The updates on Safari 12 are shown here: https://developer.apple.com/safari/whats-new/

Due to some of the new Security and Privacy updates, there seems to be a cookie issue that is causing infinite redirection when logging into the endpoint: http://login.microsoftonline.com

This new update causes Safari on Apple device users to go into a redirect infinite loop when logging in.

This is most likely due to Safari not letting the Microsoft cookie through, which causes Microsoft's servers to redirect back to the login page to get the cookie required. However, the browser still has some identity information which causes the user to automatically log in again, redirecting to the server. The cookie is still not sent along with the request, causing the server to send the user back to the login page. This redirection from server and browser seems to be the main reason behind the infinite redirection.

Is there any update, reasoning, or resolution to resolve/workaround the problem behind the Safari and Microsoft login redirection issue?

Solution

There is a solution documented by the aspnet/security team on GitHub.

https://github.com/aspnet/Security/issues/1864

If you are using ASP.NET Core Identity you disable the protection by configuring cookies with the following code

services.ConfigureExternalCookie(options => {
    // Other options
    options.Cookie.SameSite = SameSiteMode.None;
});
services.ConfigureApplicationCookie(options => {
    // Other options
    options.Cookie.SameSite = SameSiteMode.None;
});

If you are using cookie authentication without ASP.NET Core identity you can turn off the protection with the following code

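// AddCookie is an extension on AuthenticationBuilder, so chain it from AddAuthentication
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => {
        // Other options
        options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
    });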

If you are using external OIDC providers you may be able to avoid the issue by changing the response mode your provider uses from a POST to a GET request, using the following code. Not all providers may support this.

services.AddAuthentication()
    .AddOpenIdConnect("myOIDProvider", options => {
        // Other options
        options.ResponseType = "code";
        options.ResponseMode = "query";
    });
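
The loop described in the question and the workarounds listed in the answer, as a small Python model added here (not code from the original post or from the aspnet/Security issue). The host names, the `/secure` path and the cookie rule used for the affected browser are assumptions made for illustration; `/signin-oidc` is the default ASP.NET Core OIDC callback path.

```python
# Constructed model of the loop; not Safari's or ASP.NET Core's actual code.
# Assumption: an affected browser withholds SameSite=Lax cookies on every
# request of a navigation chain that began with a cross-site POST.
APP, IDP = "app.example", "login.example"  # hypothetical hosts


def app(path, cookies, same_site):
    """Relying party. Returns (next request, or None if the page renders,
    cookies to set as name -> SameSite value)."""
    if path == "/signin-oidc":  # callback: issue the session cookie
        return (APP, "GET", "/secure"), {"session": same_site}
    if "session" in cookies:
        return None, {}
    return (IDP, "GET", "/authorize"), {}  # anonymous: challenge


def idp(response_mode):
    """IdP that still has a session: signs in silently, then sends the
    browser back by auto-submitted form (POST) or by redirect (GET)."""
    method = "POST" if response_mode == "form_post" else "GET"
    return (APP, method, "/signin-oidc")


def sign_in(same_site, response_mode, affected=True, max_requests=12):
    """Drive the browser; return (outcome, trace of 'METHOD host/path')."""
    jar, trace = {}, []  # jar holds the app's cookies: name -> SameSite
    host, method, path = APP, "GET", "/secure"
    prev_host, tainted = APP, False
    for _ in range(max_requests):
        trace.append(f"{method} {host}{path}")
        if host != prev_host:  # a cross-site hop starts a new chain
            tainted = affected and method == "POST"
        if host == APP:
            sent = {n: s for n, s in jar.items() if s == "None" or not tainted}
            nxt, set_cookies = app(path, sent, same_site)
            jar.update(set_cookies)
        else:
            nxt = idp(response_mode)
        if nxt is None:
            return "signed-in", trace
        prev_host = host
        host, method, path = nxt
    return "redirect-loop", trace


if __name__ == "__main__":
    for cfg in [("Lax", "form_post"), ("None", "form_post"), ("Lax", "query")]:
        outcome, trace = sign_in(*cfg)
        print(cfg, outcome, len(trace), "requests")
```

Of the three configurations, only the `query` response mode keeps the session cookie at `SameSite=Lax`; with `SameSite=None` the cookie is sent on all cross-site requests, so the application has to rely on its own anti-forgery tokens.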
