使用OpenIdConnect和Azure AD对CORS请求进行身份验证 [英] Authenticate CORS request using OpenIdConnect and Azure AD

问题描述

我有在Azure中运行的Asp.Net核心后端. 在localhost上运行的HTML/JS前端，使用CORS与后端进行通信

I have Asp.Net core backend running in Azure. HTML/JS frontend running on localhost, using CORS to communicate with backend

如果前端和后端都在本地主机中，或者它们都在Azure中，则身份验证有效-> Azure AD应用程序已正确设置.

When both, frontend and backend are in localhost, or they are both in Azure, the authentication works -> Azure AD app is setup correctly.

这是我的登录方式:

[Route("/api/[controller]")]
public class AccountController : Controller
{
    [HttpGet]
    public IActionResult Index()
    {        
        return Json(new AccountInfoViewModel
        {
            IsAuthenticated = User.Identity.IsAuthenticated,
            UserName = User.Identity.Name,
            Roles = new string[0],
            LoginUrl = Url.Action(nameof(Login), null, null, null, Request.Host.Value),
            LogoutUrl = Url.Action(nameof(Login), null, null, null, Request.Host.Value),
        });
    }

    [HttpGet("login")]
    public async Task Login(string returnUrl)
    {
        await HttpContext.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme, new AuthenticationProperties { RedirectUri = returnUrl });
    }

    [HttpGet("logoff")]
    public async Task LogOff()
    {
        await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    }

    [HttpGet("endsession")]
    public async Task EndSession()
    {
        // If AAD sends a single sign-out message to the app, end the user's session, but don't redirect to AAD for sign out.
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    }
}

因此从本地主机，然后我重定向到:

so from localhost, I then redirect to:

https://myapp.azurewebsites.net/Account/Login?returnUrl=localhost:12345

这会触发Login动作，并将我重定向到我的Azure AD SSO页面，并且在登录后，它将我重定向到localhost.但是，对后端的请求仍未通过身份验证.

which triggers Login action and it redirects me to my Azure AD SSO page and after login, it redirects me back to localhost. However, the request to the backend is still not authenticated.

重要: 当我从登录操作中删除redirectUrl时，我将重定向到后端根目录，而不是原始来源(本地主机).来自该来源(后端)的任何请求都经过身份验证.

Important: When I remove redirectUrl from login action, I'm redirected to the backend root instead of original origin (localhost). Any request from that origin (backend) is authenticated.

推荐答案

我不得不明确地告诉javascript包括身份验证标头:

I had to explicitelly tell javascript to include authentication headers:

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

更多详细信息: https://docs.microsoft.com/zh-CN/aspnet/core/security/cors#credentials-in-cross-origin-requests

如果是Chrome和Opera，它实现了cookie的 SameSite 属性，则还必须像这样设置身份验证cookie:

in case of chrome and opera, which implements SameSite attribute of cookies, you also have to setup authentication cookie like this:

 services.AddAuthentication(...)
         .AddCookie(option => option.Cookie.SameSite = SameSiteMode.None)
         .AddOpenIdConnect(...)

这篇关于使用OpenIdConnect和Azure AD对CORS请求进行身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！