如何使用.Net Core在Azure中的应用之间共享Cookie身份验证？ [英] How can I share Cookie Authentication across apps in Azure with .Net Core?

问题描述

我在此上至少损失了2个完整工作日，并尝试了许多方法来实现这一目标而没有成功。

I've lost at least 2 full working days on this and have tried numerous ways to achieve this without success.

这种情况是这样的：我将2个应用程序部署到Azure，假设它们是 backoffice.website.com 和 frontoffice.website.com 。两者都是2个单独的Azure Web应用程序。登录到 backoffice.website.com 的用户应该可以转到在 frontoffice.website.com <<上登录的用户列表。 / code>并选择要模拟的用户，这会将他们重定向到 frontoffice.website.com ，并以所选用户身份登录。

The scenario is like this: I have 2 applications deployed to Azure, let's say they are backoffice.website.com and frontoffice.website.com. Both are 2 separate Azure web apps. A user who logs in to backoffice.website.com should be able to go to a list of users that have logins at frontoffice.website.com and select a user to impersonate, which would redirect them to frontoffice.website.com, logged in as the selected user.

两个网站都在Azure中使用相同的数据库并共享相同的 DbContext （两个项目都位于相同的解决方案中Visual Studio和两者都引用相同的数据访问层，这两个应用程序都指向数据库（两个应用程序都使用相同的.Net Core Identity设置和表）

Both websites use the same database in Azure and share the same DbContext (both projects live in the same solutions in Visual Studio and both reference the same data access layer, which points to the database for both applications (both applications use the same .Net Core Identity setup and tables)

现在，根据文章此处。

您应该能够设置 Startup.ConfigureServices 方法看起来像这样：

You should be able to set up Startup.ConfigureServices method to look something like this:

app.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
   options.Cookies.ApplicationCookie.AuthenticationScheme = "ApplicationCookie";
   var protectionProvider = DataProtectionProvider.Create(new DirectoryInfo(@"c:\shared-auth-ticket-keys\"));
   options.Cookies.ApplicationCookie.DataProtectionProvider = protectionProvider;
   options.Cookies.ApplicationCookie.TicketDataFormat = new TicketDataFormat(protectionProvider.CreateProtector("Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware", "Cookies", "v2"));
});

这可以在本地使用IIS Express进行工作，但是在Azure中，除了Azure帐户中的所有应用程序都可以共享的应用程序（我知道，是的，我知道它们还有其他文件共享选项，但我们现在要解决）。

And this works, locally using IIS Express, but in Azure, there is no directory access outside of the application that all applications in an Azure account can share (that I know of, and yes, I know they have other options for file sharing, but we'll get to that now).

由于我们无法使用目录将具有两个应用程序之间所需共享密钥的文件放置在Azure的目录中，所以

Since we can't use a directory to place the file that has the shared key needed between 2 applications in a directory in Azure,

文章此处 ，这导致在Azure中创建一个Blob容器来存储密钥，以便我希望在Azure中创建和托管的所有应用都可以从存储中访问密钥。

We refer to this article here, which leads to creating a Blob container in Azure to store the key in so that any and all apps I desire to create and host in Azure can access the key from the store.

使用第一篇参考文章和第二篇参考书中的内容，代码现在看起来像这样（将所有内容设置在 Startup.ConfigureServices 方法中以进行读取） lity）：

Using bits from the first referenced article and the 2nd, the code now looks something like this (set all in the Startup.ConfigureServices method for readability):

var storageAccount = new CloudStorageAccount(
            new StorageCredentials("blob", "SASKeyHere"),
            new StorageUri(new Uri("https://endpoint.blob.core.windows.net/")),
            null,
            null,
            null
        );

var client = storageAccount.CreateCloudBlobClient();
var container = client.GetContainerReference("container");
container.CreateIfNotExistsAsync().GetAwaiter().GetResult();

var serviceCollection = new ServiceCollection();
serviceCollection.AddDataProtection().PersistKeysToAzureBlobStorage(container, "fileName.xml");
 var service2 = serviceCollection.BuildServiceProvider();

 var dataProtector = service2.GetRequiredService<IDataProtectionProvider>();

 // Add framework services.
 services.AddDbContext<DbContext>(options => options
            .UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

 services.AddIdentity<ApplicationUser, IdentityRole>(options =>
            {
                options.Cookies.ApplicationCookie.AuthenticationScheme = "ApplicationCookie";
                var protectionProvider = dataProtector;
                options.Cookies.ApplicationCookie.DataProtectionProvider = protectionProvider;

                options.Cookies.ApplicationCookie.TicketDataFormat = new TicketDataFormat(protectionProvider.CreateProtector("Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware", "Cookies", "v2"));
            })
            .AddEntityFrameworkStores<DbContext>()
            .AddDefaultTokenProviders();

这也可以在本地使用！该代码在两个应用程序的 ConfigureServices 方法中，并允许在两个应用程序之间读取cookie，但是一旦部署，将无法正常工作！

This ALSO works locally! This code is in the ConfigureServices method for both applications and lets the cookies be read across both applications, But once deployed, does not work!

有人能做到这一点或类似的东西吗？！

Has anyone been able to achieve this or something similar?!

推荐答案

这很可能是因为cookie没有交叉默认情况下是子域。

It's likely because cookies are not cross subdomain by default.

您可以尝试将您的根域添加为cookie域吗（这可能是一个配置设置，因此它也可以在本地使用！）

Can you try adding your root domain as the cookie domain (This will likely need to be a configuration setting so it works locally too!)

app.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
    options.Cookies.ApplicationCookie.CookieDomain = ".mydomain.com";
}

这篇关于如何使用.Net Core在Azure中的应用之间共享Cookie身份验证？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！