Iframe won't respect login cookies


Problem description

I have a very strange issue that I have been trying to debug for more than a week now. I am out of ideas as to what the problem could be. I am hoping someone here may have run into this same problem before and be able to give me an idea what the issue could be and how to fix it.

I have an ASP.NET Core 2.0 application. It runs fine when hosted stand-alone.


  1. The main controller requires authentication.
  2. It logs in to IdentityServer4 (hybrid grant type).
  3. It returns to the application to fetch data and display it.

Now when I try to add this application as a plugin in the main application it doesn't work. It actually loops around. Plugins are displayed in the main application in an iFrame.

<iframe src="https://XXXXX" sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox" width="500" height="500"></iframe>

Looking at the log:

OnSignedIn: IsAuthenticated = True

I can see that the plugin has an access token. Then the loop starts. It goes back to the identity server, asks for access again, and the whole thing continues endlessly.

What I can see that is different between running standalone and running as a plugin is that this line is missing from the log:

Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[10]
AuthenticationScheme: Cookies signed in.

I can also see in the headers on the requests that the identity server returns the cookie headers and tells it to do a Set-Cookie, but it is never set.

Why is the cookie not set when in an iframe?

Things I have tried

 options.Cookie.SameSite = SameSiteMode.Lax;
 options.Cookie.SecurePolicy = CookieSecurePolicy.None;

The Content-Security-Policy header includes the identity server, the plugin site and the main web application sites.

Why isn't the cookie being set?

 // Startup.ConfigureServices of the plugin application
 public void ConfigureServices(IServiceCollection services)
 {
     services.AddAuthentication(options =>
     {
         // local session lives in the "Cookies" scheme; unauthenticated
         // requests are challenged through the "oidc" scheme
         options.DefaultScheme = "Cookies";
         options.DefaultChallengeScheme = "oidc";
     })
     .AddCookie("Cookies", options =>
     {
         options.Cookie.SameSite = SameSiteMode.Lax;
         options.Cookie.SecurePolicy = CookieSecurePolicy.None;
         options.SessionStore = new MemoryCacheTicketStore();
     })
     .AddOpenIdConnect("oidc", options =>
     {
         options.SignInScheme = "Cookies";

         options.Authority = Configuration["ServiceSettings:IdentityServerEndpoint"];
         options.RequireHttpsMetadata = false;

         options.ClientId = Configuration["ServiceSettings:ClientId"];
         options.ClientSecret = Configuration["ServiceSettings:secret"];
         // hybrid flow: authorization code plus id_token in the front channel
         options.ResponseType = "code id_token";

         options.SaveTokens = true;
         options.GetClaimsFromUserInfoEndpoint = true;

         options.Scope.Add("profile");
         options.Scope.Add("testapi");
     });
 }



Headers

 // inline middleware in Startup.Configure that stamps the CSP from configuration on every response
 app.Use(async (ctx, next) =>
 {
     ctx.Response.Headers.Add("Content-Security-Policy", Configuration["DefaultApplicationSettings:ContentSecurityPolicy"]);

     await next();
 });



Settings

 "DefaultApplicationSettings": {
   "ContentSecurityPolicy": "default-src 'self' plugin webapp; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ webapp; font-src 'self' https://fonts.gstatic.com/ webapp; frame-ancestors 'self' webapp"
 },

URLs changed due to company privacy.

Recommended answer

After a lot of searching one of my coworkers found a comment in the IdentityServer4 source code:

IdentityServerBuilderExtensions.cs

 // we need to disable to allow iframe for authorize requests
 cookie.Cookie.SameSite = AspNetCore.Http.SameSiteMode.None;

As soon as I changed

 options.Cookie.SameSite = SameSiteMode.Lax;

to

 options.Cookie.SameSite = SameSiteMode.None;

it worked.


Indicates whether the browser should allow the cookie to be attached to same-site requests only (SameSiteMode.Strict) or cross-site requests using safe HTTP methods and same-site requests (SameSiteMode.Lax). When set to SameSiteMode.None, the cookie header value isn't set. Note that Cookie Policy Middleware might overwrite the value that you provide. To support OAuth authentication, the default value is SameSiteMode.Lax. For more information, see OAuth authentication broken due to SameSite cookie policy.

Why this works I am still not clear, but it works.
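The behaviour the answer fixes but does not explain follows from the browser's SameSite rules. The following is an added illustration for this thread, not code from the original post or from IdentityServer4: a small Node.js model of the RFC 6265bis storage and retrieval checks, applied to a plugin framed by a main application on a different site. The host names are constructed placeholders (the poster redacted the real URLs as XXXXX), the "site" computation is a two-label approximation of the Public Suffix List, and "None" is modelled as no restriction, which is how browsers of the ASP.NET Core 2.0 era treated a cookie with no SameSite attribute (which is what SameSiteMode.None emitted, per the documentation quoted above).

```javascript
// Added illustration, not code from the original post or from IdentityServer4:
// a model of the browser-side SameSite cookie rules (RFC 6265bis storage and
// retrieval checks) applied to the iframe-hosted plugin from the question.
// Host names are constructed placeholders; the poster's real URLs were redacted.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

const WEBAPP_HOST = "webapp.example.com"; // main application that renders the <iframe>
const PLUGIN_HOST = "plugin.example.net"; // ASP.NET Core plugin shown inside the frame

// "Site" approximated as the last two labels of the host name. Real browsers
// consult the Public Suffix List, so treat this as an approximation.
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// A request is same-site when its host and the top-level page's host share a site.
function isSameSite(ctx) {
  return siteOf(ctx.requestHost) === siteOf(ctx.topLevelHost);
}

// Storage check: may a Set-Cookie carrying this SameSite value be stored when
// it arrives on the response to a request made in this context?
function canStore(sameSite, ctx) {
  if (sameSite === "None") return true;
  // Strict and Lax cookies are only accepted from same-site requests or from
  // responses to top-level navigations. A cross-site <iframe> is neither,
  // which matches the poster's "Set-Cookie is returned but never set".
  return isSameSite(ctx) || ctx.topLevelNavigation;
}

// Retrieval check: is an already stored cookie attached to this request?
function canSend(sameSite, ctx) {
  if (isSameSite(ctx)) return true;
  switch (sameSite) {
    case "None":
      return true;
    case "Lax":
      // cross-site: only on top-level navigations that use a safe method
      return ctx.topLevelNavigation && SAFE_METHODS.has(ctx.method.toUpperCase());
    case "Strict":
      return false;
    default:
      throw new Error(`unknown SameSite mode: ${sameSite}`);
  }
}

// Walk the tail of the sign-in flow for the "Cookies" scheme cookie: the OIDC
// callback response sets it, and the plugin's next request must send it back.
// hosting is "standalone" (plugin is the top-level page) or "iframe" (plugin
// framed by the main application, which is a different site).
function simulateSignIn(sameSite, hosting) {
  const topLevelHost = hosting === "iframe" ? WEBAPP_HOST : PLUGIN_HOST;
  const topLevelNavigation = hosting === "standalone";

  // The hybrid-flow callback is a form POST from the identity server to the plugin.
  const callback = { method: "POST", requestHost: PLUGIN_HOST, topLevelHost, topLevelNavigation };
  const stored = canStore(sameSite, callback);

  // Subsequent page load of the plugin after sign-in.
  const nextRequest = { method: "GET", requestHost: PLUGIN_HOST, topLevelHost, topLevelNavigation };
  const sent = stored && canSend(sameSite, nextRequest);

  // No cookie on the next request means the controller challenges again:
  // back to the identity server, and round it goes.
  return { stored, sent, loops: !sent };
}

// Caveat the thread does not mention: current browsers only honour
// SameSite=None when the cookie is also marked Secure, so pairing it with
// CookieSecurePolicy.None over plain HTTP drops the cookie again.
function acceptedByModernBrowser(sameSite, secure) {
  return sameSite !== "None" || secure;
}

for (const [mode, hosting] of [["Lax", "standalone"], ["Lax", "iframe"], ["None", "iframe"]]) {
  console.log(`SameSite=${mode} ${hosting}:`, simulateSignIn(mode, hosting));
}
```

Run with `node samesite-model.js` (file name is arbitrary). The Lax cookie survives standalone because every request to the plugin is then same-site, fails inside the frame because the callback response is neither same-site nor a top-level navigation, and None passes both checks. If this is reproduced on a current browser, the cookie also needs `CookieSecurePolicy.Always` (or at least HTTPS with the Secure flag), since SameSite=None without Secure is rejected outright.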
