MVC5 Azure AD IDX21323


Problem description

My Azure Free subscription has expired. I've since been added to my company's Azure subscription but I can no longer use SSO with OAuth2 using AD.

VS2017 reports 0 subscriptions and when I go to Manage, my subscription is listed, but I cannot enable it: "This subscription is not supported by server explorer."

I'm assuming that I need to update something on our company's Azure subscription at this point, but I don't know what to request from management as far as subscription updates.

This worked flawlessly before my free subscription ran out.

I've tried the following SO questions:

Use Kentor.OwinCookieSaver: IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Paylocad.Nonce was not null

IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Paylocad.Nonce was not null

I've tried the following Microsoft Doc: https://docs.microsoft.com/en-us/azure/active-directory/develop/vs-active-directory-add-connected-service

I created a new MVC5 project and added the Azure AD connected service with the same result.

I also cleared my cookies, and performed a "Clean" in VS2017.

    public void ConfigureAuth(IAppBuilder app)
    {

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                PostLogoutRedirectUri = postLogoutRedirectUri
            });
    }

Here is my exception: Server Error in '/' Application.

IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

* UPDATE *

I also tried this, and I think I identified part of the issue, but I still don't have a solution...

https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect/wiki/The-'nonce'-found-in-the-jwt-token-did-not-match-the-expected-nonce

From the source code in the above link: Method Call: MyOpenIDConnectAuthenticationHandler.RetrieveNonce(Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage message)

Line: string nonceCookie = Request.Cookies[nonceKey]; OwinRequest.Cookies is empty...

I also updated all of my Owin Packages from version 4.0 to 4.1 with no change.

Solution

The error above happens when the request to the application does not contain the nonce cookie. You can use the instruction below to capture a Fiddler trace containing the error.

http://blogs.aaddevsup.xyz/2018/09/12/capture-https-traffic-with-http-fiddler/

Additionally try something like below:

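    // Requires: using System.Threading.Tasks; using Microsoft.Owin.Security.Notifications;
    // using Microsoft.Owin.Security.OpenIdConnect; using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions()
    {
        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            // The lambda must be async (it awaits) and its typed parameter needs parentheses.
            AuthenticationFailed = async (AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> authFailed) =>
            {
                // On the nonce validation failure, suppress the error response and issue a new challenge.
                if (authFailed.Exception.Message.Contains("IDX21323"))
                {
                    authFailed.HandleResponse();
                    authFailed.OwinContext.Authentication.Challenge();
                }

                await Task.FromResult(true);
            }
        }
    });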

Additional reference:

IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Paylocad.Nonce was not null

Hope it helps.
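
A server-side way to confirm the missing nonce cookie described in the answer above, as an added example that is not part of the original post or of the Katana project. `UseNonceCookieDiagnostics` and `NonceCookieDiagnostics` are hypothetical names; the example assumes the default form POST sign-in response and Katana's `OpenIdConnect.nonce.` cookie name prefix.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using Microsoft.Owin;
using Owin;

public static class NonceCookieDiagnostics
{
    // Katana's OpenID Connect middleware names its nonce cookie "OpenIdConnect.nonce.<hash>".
    private const string NonceCookiePrefix = "OpenIdConnect.nonce.";

    // Hypothetical helper: call app.UseNonceCookieDiagnostics() in ConfigureAuth,
    // before app.UseOpenIdConnectAuthentication(...).
    public static IAppBuilder UseNonceCookieDiagnostics(this IAppBuilder app)
    {
        return app.Use(async (context, next) =>
        {
            IOwinRequest request = context.Request;

            // Heuristic: the sign-in response arrives as a form POST. The body is
            // deliberately not read here so the OpenID Connect middleware still can.
            bool looksLikeSignInResponse =
                string.Equals(request.Method, "POST", StringComparison.OrdinalIgnoreCase) &&
                request.ContentType != null &&
                request.ContentType.StartsWith("application/x-www-form-urlencoded",
                    StringComparison.OrdinalIgnoreCase);

            if (looksLikeSignInResponse)
            {
                // Log cookie names only; the values are secrets.
                string[] cookieNames = request.Cookies.Select(c => c.Key).ToArray();
                bool hasNonceCookie = cookieNames.Any(
                    n => n.StartsWith(NonceCookiePrefix, StringComparison.Ordinal));

                // Scheme and host matter: a cookie set for one host (or marked Secure)
                // is not sent to a different host (or over plain HTTP).
                Trace.TraceInformation(
                    "OIDC callback {0}://{1}{2} nonceCookie={3} cookies=[{4}]",
                    request.Scheme, request.Host, request.Path,
                    hasNonceCookie, string.Join(", ", cookieNames));

                if (!hasNonceCookie)
                    Trace.TraceWarning("No {0}* cookie on the callback; expect IDX21323.", NonceCookiePrefix);
            }

            await next();
        });
    }
}
```

Comparing the logged scheme and host with the URL on which sign-in was started shows whether the cookie was set for a different host or scheme than the one receiving the callback.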
