Why doesn't claims transformation reduce the cookie size?

Problem description

I am using Azure AD (.net core 2.1) and have registered my app and configured it to return AD groups as claims. I am also using claims transformation to remove all group claims other than the three groups that my app uses, which successfully eliminates over 100 groups. I did this hoping that it would reduce the size of the cookie in subsequent request headers, but this does not appear to be the case.

Whether I use the claims transformation or not, the cookie size is the same:

I know that the claims transformation is working, because I have a simple page that iterates the claims in a list, and it correctly shows only the three groups when I have the filter in place.

As a result of the large cookie, I am getting HTTP 400 - Request too long. I can work around this by modifying the registry on the web server (as suggested elsewhere https://support.microsoft.com/en-us/help/2020943/http-400-bad-request-request-header-too-long-response-to-http-request), but my real question is what is the point of filtering the claims if the size of the cookie remains unchanged?

I would also be interested to know if there is an app setting that I could use to increase the max header size, to avoid having to modify the registry.

I'm not sure if the code is really relevant here, but here are a few snippets:

public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
    var identity = principal.Identity as ClaimsIdentity;
    if (identity != null)
    {
        var unused = identity.FindAll(GroupsToRemove).ToList();
        unused.ForEach(c => identity.TryRemoveClaim(c));
    }
    return Task.FromResult(principal);
}

The filter is registered as a singleton in Startup.cs:

services.AddSingleton<IClaimsTransformation, FilterGroupClaimsTransformation>();

Recommended answer

Brad answered the question as to why the cookie size did not change by using claims transformation. Here is the code I used to reduce the cookie size, thanks to his suggestion:

In Startup.cs, ConfigureServices()...

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(...)
       .AddCookie(options => options.Events.OnSigningIn = FilterGroupClaims);
}

private static Task<ClaimsPrincipal> FilterGroupClaims(CookieSigningInContext context)
{
    var principal = context.Principal;
    if (principal.Identity is ClaimsIdentity identity)
    {
        var unused = identity.FindAll(GroupsToRemove).ToList();
        unused.ForEach(c => identity.TryRemoveClaim(c));
    }
    return Task.FromResult(principal);
}

private static bool GroupsToRemove(Claim claim)
{
    string[] _groupObjectIds = new string[] { };    // pull from config or wherever
    return claim.Type == "groups" && !_groupObjectIds.Contains(claim.Value);
}

For my end solution, I moved the static methods inside another class, but I kept everything inline here for brevity. Cookie size reduced from 6 chunks to 2 with this method.
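
An added example, not part of the original question or answer: the authentication cookie carries the serialized ticket written at sign-in, while an IClaimsTransformation runs later, each time that cookie is read, so only filtering before sign-in changes what is stored. The sketch below measures the serialized ticket with and without the extra group claims; the class name, the scheme name "Cookies", and all claim values are constructed for illustration.

```csharp
// Added example. Needs the ASP.NET Core shared framework
// (Microsoft.AspNetCore.Authentication) for AuthenticationTicket/TicketSerializer.
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;

public static class TicketSizeDemo
{
    // Constructed sample data: the three group object IDs the app keeps.
    private static readonly string[] KeptGroups =
        Enumerable.Range(0, 3).Select(_ => Guid.NewGuid().ToString()).ToArray();

    // Builds a principal with the kept groups plus `extraGroups` unused ones.
    public static ClaimsPrincipal BuildPrincipal(int extraGroups)
    {
        var identity = new ClaimsIdentity("Cookies");
        identity.AddClaim(new Claim("name", "user@example.com"));
        foreach (var id in KeptGroups)
            identity.AddClaim(new Claim("groups", id));
        for (var i = 0; i < extraGroups; i++)
            identity.AddClaim(new Claim("groups", Guid.NewGuid().ToString()));
        return new ClaimsPrincipal(identity);
    }

    // Size of the ticket payload before data protection and base64url encoding;
    // the real cookie is larger, but it grows with this number.
    public static int SerializedSize(ClaimsPrincipal principal)
    {
        var ticket = new AuthenticationTicket(principal, "Cookies");
        return TicketSerializer.Default.Serialize(ticket).Length;
    }

    public static void Main()
    {
        var principal = BuildPrincipal(100);
        var before = SerializedSize(principal);

        // Same filter as the answer's OnSigningIn handler, applied before serialization.
        var identity = (ClaimsIdentity)principal.Identity;
        var unused = identity
            .FindAll(claim => claim.Type == "groups" && !KeptGroups.Contains(claim.Value))
            .ToList();
        unused.ForEach(claim => identity.TryRemoveClaim(claim));

        var after = SerializedSize(principal);
        Console.WriteLine($"ticket bytes before filter: {before}, after filter: {after}");
    }
}
```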
