Identity Server 3-Ajax呼叫上的401而不是302 [英] Identity Server 3 - 401 on Ajax Calls instead of 302

问题描述

我有一个Web api/mvc混合应用程序，并且已将其配置为使用cookie身份验证.这对于应用程序的mvc部分工作正常. Web API会强制执行授权，但不是返回401 - Unauthorised，而是返回302 - Found并重定向到登录页面.我宁愿它返回401.我试图挂接到CookieAuthenticationProvider.OnApplyRedirect委托中，但这似乎没有被调用.我错过了什么?我当前的设置如下:

I have a web api / mvc hybrid app and I have configured it to use cookie authentication. This works fine for the mvc portion of the application. The web api does enforce the authorization, but instead of returning a 401 - Unauthorised it returns a 302 - Found and redirects to the login page. I would rather it returns a 401. I have attempted to hook into the CookieAuthenticationProvider.OnApplyRedirect delegate, but this doesn't seem to be called. What have I missed? My current setup is below:

AntiForgeryConfig.UniqueClaimTypeIdentifier = Constants.ClaimTypes.Subject;
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies",
    ExpireTimeSpan = TimeSpan.FromMinutes(20),
    SlidingExpiration = true,
    CookieHttpOnly = true,
    CookieSecure = CookieSecureOption.Never, //local non ssl-dev only
    Provider = new CookieAuthenticationProvider
    {
        OnApplyRedirect = ctx =>
        {
            if (!IsAjaxRequest(ctx.Request))
            {
                ctx.Response.Redirect(ctx.RedirectUri);
            }
        }
    }
});

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    Authority = IdentityConfig.Authority,
    ClientId = IdentityConfig.SoftwareClientId,
    Scope = "openid profile roles",
    RedirectUri = IdentityConfig.RedirectUri,
    ResponseType = "id_token",
    SignInAsAuthenticationType = "Cookies"
});

推荐答案

在您的示例中，UseCookieAuthentication不再对此进行控制，而UseOpenIdConnectAuthentication则进行了控制.这涉及使用Notifications属性并拦截OpenID Connect身份验证请求.

In your example the UseCookieAuthentication no longer controls this, instead the UseOpenIdConnectAuthentication does. This involves using the Notifications property and intercepting OpenID Connect authentication requests.

尝试以下方法以获取灵感:

Try out the following for inspiration:

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    Authority = IdentityConfig.Authority,
    ClientId = IdentityConfig.SoftwareClientId,
    Scope = "openid profile roles",
    RedirectUri = IdentityConfig.RedirectUri,
    ResponseType = "id_token",
    SignInAsAuthenticationType = "Cookies",
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        RedirectToIdentityProvider = notification =>
        {
            if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
            {
                if (IsAjaxRequest(notification.Request) && notification.Response.StatusCode == (int)HttpStatusCode.Unauthorized)
                {
                    notification.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
                    notification.HandleResponse();
                    return Task.FromResult(0);
                }
            }
            return Task.FromResult(0);
        }
    }
});

这篇关于Identity Server 3-Ajax呼叫上的401而不是302的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！