Kubernetes中的Azure AD身份验证无法取消对邮件的保护。状态 [英] Azure AD Authentication in Kubernetes Unable to unprotect the message.State
本文介绍了Kubernetes中的Azure AD身份验证无法取消对邮件的保护。状态的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有一个使用AzureAD B2C身份验证的DotNet核心MVC Web应用程序(通过OpenID Connect)。当我在本地主机上运行它时,它可以正常工作,但当我将解决方案部署到Kubernetes并尝试登录时,我收到以下错误:
Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[1]
An unhandled exception has occurred while executing the request.
System.Exception: An error was encountered while handling the remote login.
---> System.Exception: Unable to unprotect the message.State.
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)'
我已经设置了一个带有SSL的Nginx入口,它将流量转发到Kubernetes中的服务,因此它在集群中充当反向代理。
为了确保保留请求的原始主机名,我将以下内容添加到启动.cs中:
services.Configure<ForwardedHeadersOptions>(options =>
{
options.ForwardedHeaders =
ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost;
options.KnownNetworks.Clear();
options.KnownProxies.Clear();
});
app.UseForwardedHeaders();
以及将以下批注添加到我的入口
nginx.ingress.kubernetes.io/proxy_http_version: "1.1"
nginx.ingress.kubernetes.io/proxy_set_header: "Upgrade $http_upgrade"
nginx.ingress.kubernetes.io/proxy_set_header: "Connection keep-alive"
nginx.ingress.kubernetes.io/proxy_set_header: "Host $host"
nginx.ingress.kubernetes.io/proxy_cache_bypass: "$http_upgrade"
nginx.ingress.kubernetes.io/proxy_set_header: "X-Forwarded-For $proxy_add_x_forwarded_for"
nginx.ingress.kubernetes.io/proxy_set_header: "X-Forwarded-Proto $scheme"
nginx.ingress.kubernetes.io/proxy_buffers: "16 16k"
nginx.ingress.kubernetes.io/proxy_buffer_size: "32k"
我还确保已在Azure中正确配置回复URL。
配置入口(Nginx)时是否遗漏了可能导致此问题的步骤?
推荐答案
我也遇到了同样的问题,添加数据保护解决了它:
private void AddDataProtection(IServiceCollection services, IConfiguration configuration)
{
var serviceProvider = services.BuildServiceProvider();
var kvClient = serviceProvider.GetRequiredService<IKeyVaultClient>();
var vaultSettings = configuration.GetConfiguredSettings<VaultSettings>();
var redisSettings = configuration.GetConfiguredSettings<RedisSettings>();
var redisAccessKey = kvClient.GetSecretAsync(vaultSettings.VaultUrl, redisSettings.AccessKeySecretName).GetAwaiter().GetResult().Value;
var connectionMultiplexer = ConnectionMultiplexer.Connect(new ConfigurationOptions()
{
EndPoints = { redisSettings.Endpoint },
Password = redisAccessKey,
Ssl = true,
AbortOnConnectFail = false
});
var key = $"{env.ApplicationName}::{env.EnvironmentName}::DataProtection::Keys";
Logger.LogInformation($"protect data using key={key}, cert='{redisSettings.ProtectionCertSecretName}'");
var x509 = kvClient.GetX509CertificateAsync(vaultSettings.VaultUrl, redisSettings.ProtectionCertSecretName)
.GetAwaiter().GetResult();
services.AddDataProtection()
.PersistKeysToRedis(connectionMultiplexer, key)
.ProtectKeysWithCertificate(x509);
}
这篇关于Kubernetes中的Azure AD身份验证无法取消对邮件的保护。状态的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
