需要指导，使用身份服务器4诊断ios(Safari和Chrome)上的无限循环身份验证 [英] Guidance required diagnosing infinite loop authenticating on ios (safari and chrome) with identity server 4

问题描述

我在身份服务器4(部署为Azure应用服务)和移动设备上的身份验证时遇到了一个奇怪的问题.我正在使用OpenId connect .NET核心MVC客户端对我的身份服务器(使用AspNetIdentity配置)进行身份验证.这在桌面浏览器上绝对可以正常工作，但是在我登录iphone时，它进入了无限循环，在id服务器和客户端(使用移动浏览器或chrome)之间来回弹跳.

I'm having a strange issue with identity server 4 (deployed as an Azure app service) and authentication on mobile devices. I'm using an OpenId connect .NET core MVC client to authenticate against my identity server (which is configured with AspNetIdentity). This is working absolutely fine with a desktop browser, but on an iphone when I log in it goes into an infinite loop bouncing back and fourth between id server and client (with mobile safari or chrome).

如果我停止循环并中断然后导航到该站点，则表明我已通过身份验证，这表明cookie已被批准.

If I stop the loop and interrupt then navigate to the site, I'm authenticated which shows the cookie has been issue'd fine.

奇怪的是，我有另一个系统具有几乎相同的设置，但没有这种行为.由于没有错误，并且只能在登台环境中在移动设备上进行复制，因此我发现很难找出诊断问题的步骤或应该寻找的地方.

The bizarre thing is I have another system with a near identical setup that doesn't have this behaviour. As there's no error's and I can only reproduce on a mobile in my staging environment, I'm finding it hard to figure out steps to diagnose the issue, or where I should be looking.

我没有提出大量的要求或任何会使cookie大小膨胀的东西.

I'm not issuing a large number of claims or anything that would bloat the cookie size.

与身份服务器3的此问题几乎相同:

It's pretty much identical to this issue with identity server 3:

仅在移动设备上登录时，IdentityServer3常量重定向

任何有关我在这里应该寻找的内容的指针都很棒.

Any pointers on what I should be looking for here would be great.

推荐答案

如果使用默认配置，iOS12 Safari中的某些更改会破坏oidc登录. 如此处所述: https://github.com/aspnet/Security/issues/1864

There were some changes in iOS12 Safari that broke oidc logins if using the default configuration. As detailed here: https://github.com/aspnet/Security/issues/1864

如果您使用的是ASP.NET Core Identity，则可以通过以下方式禁用保护: 使用以下代码配置Cookie

If you are using ASP.NET Core Identity you disable the protection by configuring cookies with the following code

services.ConfigureExternalCookie(options =>
{
    // Other options
    options.Cookie.SameSite = SameSiteMode.None;
});
services.ConfigureApplicationCookie(options =>
{
    // Other options
    options.Cookie.SameSite = SameSiteMode.None;
});

如果您使用的是不带ASP.NET Core身份的cookie身份验证 您可以使用以下代码关闭保护功能

If you are using cookie authentication without ASP.NET Core identity you can turn off the protection with the following code

services.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
    // Other options
    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
});

如果您使用的是外部OIDC提供程序，则可以避免 通过将提供商使用的响应模式从POST更改为来解决问题 使用以下代码的GET请求.并非所有提供商都支持 这个.

If you are using external OIDC providers you may be able to avoid the issue by changing the response mode your provider uses from a POST to a GET request, using the following code. Not all providers may support this.

.AddOpenIdConnect("myOIDProvider", options => {
    // Other options
    options.ResponseType = "code";
    options.ResponseMode = "query";
};

_请注意，在进行这些更改时，将删除所有用户和所有浏览器的保护.您应该确保自己做出的所有动作 状态变化通过内置的CSRF反伪造机制得到保护 进入ASP.NET Core.

_Note that in making these changes protection is removed for all users and all browsers. You should ensure that all your actions that make state changes are protected with CSRF anti-forgery mechanisms built into ASP.NET Core.

这篇关于需要指导，使用身份服务器4诊断ios(Safari和Chrome)上的无限循环身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！