Identity server keeps showing "Showing login: User is not authenticated" in /connect/authorize/callback


Problem description

Using IdentityServer4, I'm implementing Code flow authorization on an existing system which supports only the ResourceOwnerPassword grant type in IdentityServer and works well.

I got to a stage where the user is prompted to authenticate, then redirected to the server's connect/authorize/callback.

After that it does not authenticate and comes back to the login page. From the log, I got the following:

    Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint for /connect/authorize/callback

    ValidatedAuthorizeRequest
    {
        "ClientId": "demo",
        "ClientName": "MVC Client Demo",
        "RedirectUri": "http://localhost:5002/signin-oidc",
        "AllowedRedirectUris": ["http://openidclientdemo.com:8001/signin-oidc",
                                "http://localhost:5002/signin-oidc"],
        "SubjectId": "anonymous",
        "ResponseType": "code id_token",
        "ResponseMode": "form_post",
        "GrantType": "hybrid",
        "RequestedScopes": "openid profile default-api",
        "State": "CfDJ8DU4Xalc7d9HttaFlZ-UaDhGsjeeEccTfNiNZFz3yYZI9MfXjrXo2TAzT9f6-F2VEdC7bWtcD7HRJgkqrh4t0oTAe_47IBfcm5Fsde9bVRorq-CHcL6_c15Vz1G5LJyEzqX6tyjhcZ2g3J2JjxD1PME1W7sq9YSddhQUJmxt4bVi70wdTtXXp0tH0SKyb0vLCs3eIjOln792nobaFOCM7r3VJ8BfXfpDm2pOOmBlR7zCCBxFCivwj7Zmy5Tu8Z09MvzOaLEkPBSL5i9GyxmGiB0P6osBPYEDyoRfgy2qDigH3QqLmLYjfE6NrgcgIGO9kgXuUT52XgALV_ZKjNbih-Y",
        "Nonce": "636702233595840569.NGQ3NGVlODMtYTVhNy00MjM4LWFhNGQtNTFiZTE3ZjllZmUzNjU5MGNmNjktNjg3Yy00YmZlLWEwYWYtYmMzM2QxZmZlNjBk",
        "Raw": {
            "client_id": "demo",
            "redirect_uri": "http://localhost:5002/signin-oidc",
            "response_type": "code id_token",
            "scope": "openid profile default-api",
            "response_mode": "form_post",
            "nonce": "636702233595840569.NGQ3NGVlODMtYTVhNy00MjM4LWFhNGQtNTFiZTE3ZjllZmUzNjU5MGNmNjktNjg3Yy00YmZlLWEwYWYtYmMzM2QxZmZlNjBk",
            "state": "CfDJ8DU4Xalc7d9HttaFlZ-UaDhGsjeeEccTfNiNZFz3yYZI9MfXjrXo2TAzT9f6-F2VEdC7bWtcD7HRJgkqrh4t0oTAe_47IBfcm5Fsde9bVRorq-CHcL6_c15Vz1G5LJyEzqX6tyjhcZ2g3J2JjxD1PME1W7sq9YSddhQUJmxt4bVi70wdTtXXp0tH0SKyb0vLCs3eIjOln792nobaFOCM7r3VJ8BfXfpDm2pOOmBlR7zCCBxFCivwj7Zmy5Tu8Z09MvzOaLEkPBSL5i9GyxmGiB0P6osBPYEDyoRfgy2qDigH3QqLmLYjfE6NrgcgIGO9kgXuUT52XgALV_ZKjNbih-Y",
            "x-client-SKU": "ID_NET",
            "x-client-ver": "2.1.4.0",
            "accessToken": "4155a526-2bb1-4d88-ba3a-21cb3a91f266",
            "userId": "MQ=="
        }
    }

    Showing login: User is not authenticated


It is not clear to me what caused the authentication failure, any idea?

Recommended answer

TL;DR: the default IdentityServer setup using http + Chrome doesn't work. Chrome enforces that cookies with SameSite=none also have the Secure attribute, so you may have to either use HTTPS or modify the cookie policy using @blow's answer. (Chromium blog)

A bit of context on Single Sign On and cookies:

A cookie is a piece of information that a server sends in a response and the browser sends back on every subsequent request.

When you log in to IdentityServer, it sends back multiple cookies, one of which identifies your session. This cookie is sent with the attribute SameSite=none; this allows any application that you browse to make a request to your IdentityServer and include this cookie with it. This way, the call to /connect/authorize includes this cookie, and IdentityServer skips the login part. Voilà, SSO.

Are you using Google Chrome?

Google Chrome recently introduced a change where all cookies issued with the attribute SameSite=none must include the Secure attribute.

These two attributes mean:

• SameSite: Controls how the browser will behave when attaching the cookie to any request made to your site, based on the origin.
  • SameSite=strict: does not send the cookie on requests made from sites different from the origin. This helps to prevent CSRF attacks.
  • SameSite=lax: similar to strict, but cookies get sent when the user knowingly starts the request, by clicking a link or sending a form. Not sent on requests initiated by scripts.
  • SameSite=none: the cookies will get included no matter which origin they come from.

• Secure: Indicates that the cookie has to be sent over HTTPS only.

IdentityServer issues those cookies with SameSite=none. This means that when you're serving IdentityServer without HTTPS locally and using Chrome as your browser, it won't log you in: after you POST your user and password to the server, the response will include the session cookie, but your browser (Chrome) will refuse it because it is not marked as Secure but is marked as SameSite=none, and this combination is not allowed.
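To make the failure mode above concrete, here is a small simulation of the browser rules the answer describes (Chrome's SameSite=None-requires-Secure enforcement and the strict/lax/none inclusion behaviour), added here as an example; it is not IdentityServer or Chrome code, and the Set-Cookie headers and cookie names in it are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    same_site: Optional[str]  # "strict", "lax", "none", or None when the attribute is absent
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value, keeping only the two attributes this issue hinges on."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    same_site, secure = None, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "samesite":
            same_site = val.strip().lower()
        elif key.lower() == "secure":
            secure = True
    return Cookie(name.strip(), value, same_site, secure)


def chrome_accepts(cookie: Cookie, over_https: bool) -> bool:
    """Model of Chrome 80+ storage rules: SameSite=None needs Secure, Secure needs HTTPS."""
    if cookie.same_site == "none" and not cookie.secure:
        return False  # the exact combination the answer says Chrome refuses
    if cookie.secure and not over_https:
        return False  # a Secure cookie set on a plain-http response is dropped
    return True


def sent_cross_site(cookie: Cookie, top_level_navigation: bool) -> bool:
    """Would a stored cookie be attached to a request arriving from another site?"""
    mode = cookie.same_site or "lax"  # Chrome treats a missing SameSite as Lax
    if mode == "none":
        return True  # what IdentityServer relies on for SSO across client apps
    if mode == "lax":
        return top_level_navigation  # e.g. the redirect to /connect/authorize, not script calls
    return False  # strict: never on cross-site requests


def demo() -> dict:
    # Constructed headers modelled on the answer's scenario (not captured IdentityServer output).
    http_dev = "idsrv.session=abc123; path=/; samesite=none"          # served over plain http
    https_fixed = "idsrv.session=abc123; path=/; samesite=none; secure"  # same cookie over HTTPS
    return {"http_default": chrome_accepts(parse_set_cookie(http_dev), over_https=False),
            "https_fixed": chrome_accepts(parse_set_cookie(https_fixed), over_https=True)}
```

Running `demo()` returns `{"http_default": False, "https_fixed": True}`: the login POST succeeds but the session cookie is never stored, so /connect/authorize/callback sees an anonymous user and shows the login page again.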
