Too many OpenID.nonce cookies cause "Bad Request"


Problem description


I have already gone through the links here, here and here, which are related to the issue I am having.


I have a Silverlight application using IdentityServer3 for authentication, and I started having this issue just now when I implemented logout functionality. Note that the issue has nothing to do with Silverlight, because the login and logout functionality is actually implemented on the server side, which is a classic ASP.NET Web Forms application (.NET 4.5.1).


The application never had logout functionality, so users just used to close the browser, and we never encountered this issue before. We now have a logout.aspx page, and the Silverlight application has a link to this page.

Logout.aspx page

using System;
using System.Web;      // GetOwinContext() is an extension method from Microsoft.Owin.Host.SystemWeb
using System.Web.UI;

public partial class Logout : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.IsAuthenticated)
        {
            Session.Clear();
            // SignOut() with no authentication types revokes every OWIN handler:
            // the local "Cookies" session and the OpenID Connect middleware, which
            // then redirects to the provider's end-session endpoint.
            Request.GetOwinContext().Authentication.SignOut();
        }
        Response.Redirect("/");
    }
}

Default.aspx page. This is the start page.

using System;
using System.Web;
using System.Web.UI;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;

public partial class Default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Send an OpenID Connect sign-in request. Every Challenge() issues a new
        // OpenIdConnect.nonce.* cookie, so if the request is still unauthenticated
        // after the callback, this page challenges again and the loop begins.
        if (!System.Web.HttpContext.Current.Request.IsAuthenticated)
        {
            HttpContext.Current.GetOwinContext().Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = "/" },
                OpenIdConnectAuthenticationDefaults.AuthenticationType);
        }
    }
}

OWIN Startup class with OpenID Connect configured

using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;          // OpenIdConnectRequestType (3.x packages)
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(Startup))]

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // The cookie middleware is the local session; the OpenID Connect middleware
        // signs in to it (SignInAsAuthenticationType = "Cookies") after a valid id_token.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            LoginPath = new Microsoft.Owin.PathString("/Default.aspx")
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = ConfigurationManager.AppSettings["Authority"],
            Scope = "openid profile",
            ClientId = ConfigurationManager.AppSettings["ClientId"],
            RedirectUri = ConfigurationManager.AppSettings["RedirectUri"],
            ResponseType = "id_token",
            SignInAsAuthenticationType = "Cookies",

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = (context) =>
                {
                    var id = context.AuthenticationTicket.Identity;

                    // create new identity
                    var newIdentity = new ClaimsIdentity(id.AuthenticationType);

                    // we want to keep username and subjectid
                    // ("sub" is mapped to ClaimTypes.NameIdentifier by the JWT handler)
                    var sub = id.FindFirst(ClaimTypes.NameIdentifier);
                    var username = id.FindFirst("preferred_username");
                    newIdentity.AddClaim(username);
                    newIdentity.AddClaim(sub);

                    // keep the id_token for logout
                    newIdentity.AddClaim(new Claim("id_token", context.ProtocolMessage.IdToken));

                    context.AuthenticationTicket = new AuthenticationTicket(
                        newIdentity,
                        context.AuthenticationTicket.Properties);

                    return Task.FromResult(0);
                },

                RedirectToIdentityProvider = (context) =>
                {
                    if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                    {
                        // Pass the stored id_token as id_token_hint so the provider can end the session
                        var idTokenHint = context.OwinContext.Authentication.User.FindFirst("id_token").Value;
                        context.ProtocolMessage.IdTokenHint = idTokenHint;
                    }
                    return Task.FromResult(0);
                },
            }
        });
    }
}

Steps to reproduce the issue:


  1. I type the web site URL, which redirects me to the IdentityServer3 login page.
  2. I enter my credentials and hit login.
  3. After a successful login I get redirected to the web site, and there I click log out.
  4. I get logged out successfully. Fiddler shows the following calls:


https://idsvr.mydomain.com/identity/connect/endsession?id_token_hint=XXXXXXXXXXXXXX
https://idsvr.mydomain.com/identity/logout?id=616dd9a4e4c6a55b0bb27faceb4df8dd
https://idsvr.mydomain.com/identity/connect/endsessioncallback?sid=xxxxxx

I land on the https://idsvr.mydomain.com/identity/logout?id=xxxxxxx page.


Fiddler shows several round trips from IdentityServer to the web site's default.aspx page. Each round trip keeps adding an OpenIdConnect.nonce.OpenIdConnect cookie, and ultimately I get a Bad Request error because of the maximum request size.


So, as suggested in the links above, I downgraded Microsoft.Owin.Security.OpenIdConnect to 3.0.0 in the client application.


However, I still get stuck in a continuous loop. The only difference is that now it does not add a new OpenIdConnect.nonce.OpenIdConnect cookie for each round trip; Fiddler shows only one cookie for each round trip. However, HttpContext.Current.Request.IsAuthenticated is still false, so I get stuck in a continuous loop.

Recommended answer


I had a similar issue with my ASP.NET MVC application. After some research I found that there is a bug in Microsoft's OWIN implementation for System.Web, the one that is used when running OWIN applications on IIS, which is what probably 99% of us do if we're using the new OWIN-based authentication handling with ASP.NET MVC5.


The bug makes cookies set by OWIN mysteriously disappear on some occasions.


This middleware is a fix for that bug. Simply add it before any cookie-handling middleware and it will preserve the authentication cookies.

app.UseKentorOwinCookieSaver();

Details are here: https://github.com/KentorIT/owin-cookie-saver
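As an added illustration of what such a middleware has to do (example code written for this page; it is neither the Kentor package's own source nor part of the answer above), here is a simplified version of the approach. The underlying problem is that when System.Web itself writes a cookie in the same response (ASP.NET session state is the usual trigger), it regenerates the Set-Cookie headers from its own HttpResponse.Cookies collection and drops the ones the OWIN cookie and OpenID Connect handlers wrote straight into the OWIN response headers. The middleware below hooks the OWIN response's OnSendingHeaders callback, which fires after the downstream handlers have appended their Set-Cookie headers, and copies each of them into HttpResponse.Cookies so System.Web re-emits them. The environment key for the HttpContextBase, the attribute parsing and the extension-method name are assumptions of this example; in a real application use the package itself.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Threading.Tasks;
using System.Web;
using Microsoft.Owin;
using Owin;

// Added example: copies OWIN-written Set-Cookie headers into System.Web's cookie
// collection so they survive System.Web's header rewrite. Simplified illustration
// of the approach, not the Kentor package's code.
public class CopyOwinCookiesToSystemWebMiddleware : OwinMiddleware
{
    // Assumed key: Microsoft.Owin.Host.SystemWeb publishes the HttpContextBase
    // in the OWIN environment under its full type name.
    private const string HttpContextKey = "System.Web.HttpContextBase";

    public CopyOwinCookiesToSystemWebMiddleware(OwinMiddleware next) : base(next) { }

    public override Task Invoke(IOwinContext context)
    {
        // Registered in an early middleware, this callback runs after the cookie and
        // OpenID Connect handlers (later in the pipeline) have appended their Set-Cookie
        // headers, because the System.Web host fires callbacks in reverse registration order.
        context.Response.OnSendingHeaders(state => CopyCookies((IOwinContext)state), context);
        return Next.Invoke(context);
    }

    private static void CopyCookies(IOwinContext context)
    {
        var httpContext = context.Get<HttpContextBase>(HttpContextKey);
        if (httpContext == null) return;          // not hosted on System.Web: nothing to fix

        var setCookies = context.Response.Headers.GetValues("Set-Cookie");
        if (setCookies == null) return;

        foreach (var header in setCookies)
        {
            var cookie = ParseSetCookie(header);
            // Set() replaces a same-named cookie; Add() would emit it twice.
            if (cookie != null) httpContext.Response.Cookies.Set(cookie);
        }
    }

    // Minimal Set-Cookie parser: "name=value; expires=...; path=/; HttpOnly; secure".
    // Only the attributes the Katana cookie handlers emit are mapped onto HttpCookie.
    internal static HttpCookie ParseSetCookie(string header)
    {
        var parts = header.Split(';').Select(p => p.Trim()).Where(p => p.Length > 0).ToArray();
        if (parts.Length == 0) return null;

        var eq = parts[0].IndexOf('=');
        if (eq <= 0) return null;                 // no name: not a cookie we can represent

        var cookie = new HttpCookie(parts[0].Substring(0, eq), parts[0].Substring(eq + 1));

        foreach (var attribute in parts.Skip(1))
        {
            var attrEq = attribute.IndexOf('=');
            var name = (attrEq < 0 ? attribute : attribute.Substring(0, attrEq)).ToLowerInvariant();
            var value = attrEq < 0 ? null : attribute.Substring(attrEq + 1);

            switch (name)
            {
                case "path":   cookie.Path = value;   break;
                case "domain": cookie.Domain = value; break;
                case "expires":
                    // Katana writes "ddd, dd-MMM-yyyy HH:mm:ss GMT"; on parse failure the
                    // cookie simply stays session-scoped rather than being dropped.
                    DateTime expires;
                    if (DateTime.TryParse(value, CultureInfo.InvariantCulture,
                        DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out expires))
                    {
                        cookie.Expires = expires;
                    }
                    break;
                case "httponly": cookie.HttpOnly = true; break;
                case "secure":   cookie.Secure = true;   break;
            }
        }
        return cookie;
    }
}

public static class CopyOwinCookiesExtensions
{
    // Register before app.UseCookieAuthentication(...) and app.UseOpenIdConnectAuthentication(...)
    // (hypothetical name; the real package exposes app.UseKentorOwinCookieSaver()).
    public static IAppBuilder UseCopyOwinCookiesToSystemWeb(this IAppBuilder app)
    {
        return app.Use<CopyOwinCookiesToSystemWebMiddleware>();
    }
}
```

Ordering is the whole point: the middleware must be registered before the cookie and OpenID Connect middleware, exactly as the answer says for app.UseKentorOwinCookieSaver(), otherwise its callback would run before the authentication cookie has been written and there would be nothing to copy. In the question's pipeline the lost cookie is the "Cookies" ticket written by the OpenID Connect callback, which is why Request.IsAuthenticated stays false on the next request to Default.aspx and a fresh Challenge (with a fresh nonce cookie) is issued every round trip.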
