建议使用HTTPS的Facebook登录名-如何在ASP.NET MVC中为Facebook登录名配置HTTP重定向URL? [英] Facebook Login recommending to require HTTPS - How to Configure HTTP redirect URL for Facebook Login in ASP.NET MVC?

问题描述

Facebook建议我使用HTTPS重定向URL，而不是HTTP.在尝试生成HTTP URL时，我一直在尝试找到一种配置它的方法.

Facebook is recommending that I use a HTTPS redirect URL, instead of HTTP. I've been trying to find a way to configure it to generate a HTTPS URL, at the moment it's generating a HTTP URL.

>://://. facebook.com/v2.8/dialog/oauth?response_type=code&client_id=255162614498922&redirect_uri=

https://www.facebook.com/v2.8/dialog/oauth?response_type=code&client_id=255162614498922&redirect_uri=http://example.com/signin-facebook&scope=&state=-x4AVtFysadfadsfsadROH6E1QJ82gv4e4j48s32K5xbmqlF-JFbE5Y2Tx_MAdSquCP6CjZjic8Ye6gwasdfdfask3PXWkyxS42Ajpks9IuumDOl6CUJsadfafsasfdasdfbfpEFUDyxJUR3fARlWc83Lysadffdsdaffsdafasdsdafx_ziTnttz

当前它正在生成: http://example.com/signin-facebook 用于redirect_uri，但是我想使用HTTPS URL将用户重定向到.

Currently it is generating: http://example.com/signin-facebook for the redirect_uri, but I'd like a HTTPS URL to redirect the user to.

是否可以将其配置为生成HTTPS URL?

Is there a way to configure it to generate a HTTPS URL?

这与包Microsoft.Owin.Security和Microsoft.Owin.Security.Facebook有关.

This relates to packages Microsoft.Owin.Security and Microsoft.Owin.Security.Facebook.

目前，我的OwinStart看起来像这样:

Currently my OwinStart looks like this:

public class OwinStart
{
    public void Configuration(IAppBuilder app)
    {
            app.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Welcome")
            });

            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

            // Configure Facebook authentication
            app.UseFacebookAuthentication(new FacebookAuthenticationOptions
            {
                AppId = ConfigurationManager.AppSettings["FacebookAppId"],
                AppSecret = ConfigurationManager.AppSettings["FacebookAppSecret"]
            });
    }
}

此外，在FacebookAuthenticationOptions类或Challenge()方法中似乎没有一种强制HTTP的方法来促使重定向到Facebook:

Also, there doesn't appear to be a way of Forcing HTTP within the FacebookAuthenticationOptions class or from the Challenge() method that instigates the redirect to Facebook:

internal class ChallengeResult : HttpUnauthorizedResult
{
    // TODO: Specify an XsrfKey?
    private const string XsrfKey = "SomethingHere";

    public ChallengeResult(string provider, string redirectUri)
        : this(provider, redirectUri, null)
    {
    }

    public ChallengeResult(string provider, string redirectUri, string userId)
    {
        this.LoginProvider = provider;
        this.RedirectUri = redirectUri;
        this.UserId = userId;
    }

    public string LoginProvider { get; set; }
    public string RedirectUri { get; set; }
    public string UserId { get; set; }

    public override void ExecuteResult(ControllerContext context)
    {
        var properties = new AuthenticationProperties { RedirectUri = this.RedirectUri };

        if (this.UserId != null)
        {
            properties.Dictionary[XsrfKey] = this.UserId;
        }

        context.HttpContext.GetOwinContext().Authentication.Challenge(properties, this.LoginProvider);
    }
}

推荐答案

感谢Microsoft的Chris Ross的帮助，我能够通过

Thanks to help from Chris Ross at Microsoft, I was able to get an answer to this question by raising the issue on Github.

Microsoft.Owin.Security Nuget程序包似乎根据当前请求上下文生成了request_uri，它指示Facebook使用.

It appears that the Microsoft.Owin.Security Nuget package generates the request_uri that it instructs Facebook to use based on the current request context.

就我而言，我正在通过HTTP(而不是HTTPS)运行我的所有服务器，并且负载平衡器正在为我处理所有HTTPS内容. IE.负载均衡器正在切断SSL连接.

In my case, I was running all of my servers over HTTP (not HTTPS) and the load balancer was handling all of the HTTPS stuff for me. IE. The load balancer was severing the SSL connection.

确保程序包生成HTTPS的方法是在OwinStart配置方法中采用基于从负载均衡器转发的x-forwarded-proto标头的中间件，如下所示:

The way to ensure that the package generates a HTTPS is to employ middleware in the OwinStart Configuration method that is based on the x-forwarded-proto header that is forwarded from the load balancer, like so:

app.Use((context, next) =>
{
  if (context.Request.Headers["x-forwarded-proto"] == "https")
  {
    context.Request.Scheme = "https";
  }
  return next();
});
// Use Cookies
// Use Facebook

所以我的OwinStart现在看起来像这样:

So my OwinStart looks like this now:

public class OwinStart
{
    public void Configuration(IAppBuilder app)
    {
        app.Use((context, next) =>
        {
            if (context.Request.Headers["x-forwarded-proto"] == "https")
            {
              context.Request.Scheme = "https";
            }
            return next();
        });

        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Welcome")
        });

        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Configure Facebook authentication
        app.UseFacebookAuthentication(new FacebookAuthenticationOptions
        {
            AppId = ConfigurationManager.AppSettings["FacebookAppId"],
            AppSecret = ConfigurationManager.AppSettings["FacebookAppSecret"]
        });
    }
}

这篇关于建议使用HTTPS的Facebook登录名-如何在ASP.NET MVC中为Facebook登录名配置HTTP重定向URL?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！