XHR requests fail when an ADFS authenticated session expires

Problem description

We have a site which relies on federated authentication using Active Directory Federation Services (ADFS) and WSFederationAuthenticationModule.

The site also employs a set of XHR requests fired upon user interaction. One particular example is a drop-down menu which allows the user to impersonate other users. Another one is the faceting functionality on a site-wide search page.

The problem is that the session expires when a user stays inactive on a page for a certain amount of time. In normal HTTP requests when the user clicks on a link, for example, this is not a problem. Upon session expiration the user is redirected to the STS and promptly back again without the user ever noticing - it happens quickly enough.

But XHR requests fail. The actual error message in the console is:

XMLHttpRequest cannot load https://adfs.contoso.com/adfs/ls/... 
No 'Access-Control-Allow-Origin' header is present on the requested resource. 
Origin 'https://www.example.com' is therefore not allowed access.

It seems that the XHR request cannot redirect to the STS and subsequently back to the relying party like it happens with a regular HTTP request as this causes a CORS problem.

This naturally breaks all elements on the page relying on particular JavaScript. The only way for the user to work around this is to refresh the page when the problem occurs.

What would be the correct way to solve this?

Recommended answer

The only solution that worked for me was the one provided by Pinpont in this answer: https://stackoverflow.com/a/28631956/6299975

That is what I did to implement sliding expiration.

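app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    // The cookie is not re-issued with a new expiry on activity.
    SlidingExpiration = false
});
app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
{
    MetadataAddress = xxxxxxx,
    Wtrealm = xxxxxx,
    // The session lifetime is not taken from the lifetime of the WS-Federation token.
    UseTokenLifetime = false
});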

SlidingExpiration = false in CookieAuthenticationOptions

UseTokenLifetime = false in WsFederationAuthenticationOptions
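
A client-side complement to the server settings above, as an added example that is not part of the original question or answer: it keeps an expired session from surfacing as the CORS error quoted in the question by stopping the background request at the redirect and re-authenticating with a top-level navigation instead. It assumes same-origin API calls made with `fetch` rather than `XMLHttpRequest`; `classifyResponse`, `createSessionAwareFetch`, `SessionExpiredError` and `reauthenticate` are hypothetical names.

```javascript
// Added example. With { redirect: 'manual' } the browser does not follow the
// relying party's redirect to the STS; it hands back an 'opaqueredirect'
// response (status 0), so no cross-origin request to /adfs/ls/ is attempted.

class SessionExpiredError extends Error {
  constructor(url) {
    super(`Session expired while requesting ${url}`);
    this.name = 'SessionExpiredError';
  }
}

// Decide what a background response means for the federated session.
function classifyResponse(res) {
  if (res.type === 'opaqueredirect') return 'session-expired'; // redirect to STS
  if (res.status === 401) return 'session-expired'; // assumption: server may send 401 to AJAX callers
  return res.ok ? 'ok' : 'error';
}

// fetchImpl and reauthenticate are injected so the logic can be exercised outside a browser.
function createSessionAwareFetch({ fetchImpl, reauthenticate }) {
  let reauthStarted = false; // several widgets may fail at once; navigate only once
  return async function sessionAwareFetch(url, init = {}) {
    const res = await fetchImpl(url, {
      credentials: 'same-origin',
      ...init,
      redirect: 'manual', // always enforced, even if the caller passes another value
    });
    const verdict = classifyResponse(res);
    if (verdict === 'session-expired') {
      if (!reauthStarted) {
        reauthStarted = true;
        reauthenticate();
      }
      throw new SessionExpiredError(url);
    }
    if (verdict === 'error') throw new Error(`Request failed with status ${res.status}`);
    return res;
  };
}

// Browser wiring: a full page load goes through the normal STS round trip,
// which is the "refresh the page" workaround from the question, automated.
// const apiFetch = createSessionAwareFetch({
//   fetchImpl: window.fetch.bind(window),
//   reauthenticate: () => window.location.reload(),
// });
```

Unsaved form state is lost on reload, so pages with editable content should persist it or prompt the user inside `reauthenticate` before navigating.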
