如何在负载均衡器后面配置UseCookieAuthentication [英] How to configure UseCookieAuthentication behind a load balancer

问题描述

我正在配置.netcore应用程序以使用OIDC身份验证(由IdentityServer提供).

I am configuring a .netcore application to use OIDC authenication (provided by IdentityServer).

我在启动"中包含了以下代码

I have included the following code in my StartUp

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationScheme = "Cookies",
    AutomaticAuthenticate = true,
    ExpireTimeSpan = TimeSpan.FromMinutes(60)
});

JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    AuthenticationScheme = "oidc",
    SignInScheme = "Cookies",

    Authority = "https://myauthority",
    ClientId = "myclient",
    CallbackPath = "/",
    ResponseType = "id_token token",
    Scope = { "openid", "profile", "email" },
});

该应用程序托管在AWS上，并在ECS中运行的Docker内.它在监听HTTPS的应用程序负载平衡器后面运行.

The application is hosted on AWS, within a docker running in ECS. It runs behind an application load balancer listening on https.

我发现，因为我的应用程序本身并不使用https(因为https被负载均衡器终止)，所以OIDC中间件在重定向到OIDC服务器时会生成错误的返回URL-它生成的URL以http开始: //.

I have found that because my application is not itself using https (because the https is terminated by the load balancer), the OIDC middleware is generating an incorrect return URL when redirecting to the OIDC server - the URL it generates begins http://.

返回URL由AuthenticationHandler基类中名为BuildRedirectUri的方法生成.它只是使用接收请求的协议-似乎没有任何方法可以覆盖此请求.

The return URL is generated by a method named BuildRedirectUri within the AuthenticationHandler base class. It just uses the protocol on which it received the request - there doesn't seem any way to override this.

protected string BuildRedirectUri(string targetPath)
{
    return this.Request.Scheme + "://" + this.Request.Host + this.OriginalPathBase + targetPath;
}

因此，鉴于似乎无法配置中间件来强制HTTP重定向，我还有什么其他选择?

So given it doesn't seem possible to configure the middleware to force a HTTP redirect, what other options do I have?

我应该编写一个高级"中间件组件来侦听重定向请求并修改协议吗?还是有更好的方法来解决这个问题?

Should I write a 'higher' middleware component to listen for redirect requests and modify the protocol? Or is there a better way to solve this problem?

推荐答案

对我来说，添加ForwarededHeaders是不够的.我还必须添加清除网络和代理的权限(如 ASP.NET Core Docs回购).

For me, adding the ForwarededHeaders wasn't enough. I had to add to clear the networks and proxies as well (as noted on the ASP.NET Core Docs repo).

并尽早在Configure中这样做:

 var options = new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
        };
 options.KnownNetworks.Clear();
 options.KnownProxies.Clear();
 app.UseForwardedHeaders(options);

如果所有其他方法都失败了，您也可以使用 https://leastprivilege.com/2017/10/09/new-in-identityserver4-v2-simplified-configuration-behind-load-balancers -or-reverse-proxies/.也可以(但不适用于我的多租户环境):

If all else fails you can also avoid all this by using the solution posted https://leastprivilege.com/2017/10/09/new-in-identityserver4-v2-simplified-configuration-behind-load-balancers-or-reverse-proxies/. Which also worked (but not for my multi-tenant environment):

services.AddIdentityServer(options =>
            {
                ...
               options.PublicOrigin = "https://whatever.domain.com";
                ...
            })

这篇关于如何在负载均衡器后面配置UseCookieAuthentication的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！