WsFederation Authentication login loop

Problem description

I am experiencing a problem with a login loop when using WsFederation Authentication in my MVC web application. I used Visual Studio to create the scaffolding of the web application and to set up WsFederation in Startup.cs, which generates the following block of code:

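using System.Configuration;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public class Startup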
{
    private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
    private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            Wtrealm = realm,
            MetadataAddress = adfsMetadata
        });
    }
}

The web application is hosted in Azure and the ADFS is on premises.

On some clients, when a login attempt is made, the login page goes into a loop requesting new tokens, causing the following exception on the ADFS server:

Exception details: Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '7' seconds. Contact your administrator for details.

I have read many articles on StackOverflow and looked at the various examples provided by the guys who wrote IdentityServer and I have tried the various configuration options and I cannot isolate the problem to a specific area.

From what I read, it is a general problem with the OWIN middleware losing context of the object, and as a result the token gets "lost".

I have attempted to implement some of the sample code that others have provided on StackOverflow, but I cannot seem to find a solution that resolves my problem, or maybe I have not implemented the code correctly.

Any ideas?

Recommended answer

The cause of the problem was that the request and response URLs were not the same, i.e. when a user entered the website URL and did not prefix it with HTTPS, the redirect loop would occur.

The cause was hidden because the user is immediately redirected to ADFS if they are not authenticated or authorized.

All I had to do was to ensure that all user requests are redirected back to the HTTPS URL and that the HTTP binding is removed. (Either one would have worked just fine.)

This is the code I used to ensure that all requests are redirected to HTTPS.

  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect to https">
          <match url="(.*)"/>
          <conditions>
            <add input="{HTTPS}" pattern="Off"/>
            <add input="{REQUEST_METHOD}" pattern="^get$|^head$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"/>
        </rule>
      </rules>
    </rewrite>
  </system.webServer>

I hope this post was helpful.
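
Which requests the rewrite rule in the answer actually redirects, as an added example that is not part of the original post: a small evaluator that parses the rule and applies it to constructed requests. It models only the URL Rewrite behaviour this rule relies on (case-insensitive patterns, all conditions must match, `{R:n}` back-references); the host `app.example.test` and the function name `evaluate` are assumptions made for illustration. Note that a POST over plain HTTP does not meet the method condition and is left untouched by the rule.

```python
import re
import xml.etree.ElementTree as ET

# The rewrite rule from the answer, embedded so the script runs offline.
RULE_XML = """
<rule name="Redirect to https">
  <match url="(.*)"/>
  <conditions>
    <add input="{HTTPS}" pattern="Off"/>
    <add input="{REQUEST_METHOD}" pattern="^get$|^head$"/>
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"/>
</rule>
"""

def evaluate(rule_xml, scheme, method, host, path):
    """Return the redirect target the rule produces, or None if it does not fire."""
    rule = ET.fromstring(rule_xml)
    variables = {
        "{HTTPS}": "on" if scheme == "https" else "off",
        "{REQUEST_METHOD}": method,
        "{HTTP_HOST}": host,
    }
    # URL Rewrite matches the pattern against the path without its leading slash.
    match = re.search(rule.find("match").get("url"), path.lstrip("/"), re.I)
    if match is None:
        return None
    # Default logical grouping: every condition has to match.
    for cond in rule.iter("add"):
        if not re.search(cond.get("pattern"), variables[cond.get("input")], re.I):
            return None

    def expand(m):
        # {R:n} is a capture group of the match pattern; anything else is a server variable.
        return match.group(int(m.group(1))) if m.group(1) else variables[m.group(0)]

    return re.sub(r"\{R:(\d+)\}|\{[A-Z_]+\}", expand, rule.find("action").get("url"))

# Constructed sample requests; app.example.test is a placeholder host.
SAMPLES = [
    ("http", "GET", "app.example.test", "/Home/Index"),
    ("https", "GET", "app.example.test", "/Home/Index"),
    ("http", "POST", "app.example.test", "/"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", evaluate(RULE_XML, *sample))
```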
