Identity Server 4登录后重定向仅在Chrome中不起作用 [英] Identity server 4 post login redirect not working in chrome only
问题描述
.NET Core 2.2上的IdentityServer4也有类似的问题.您的问题可能与新的浏览器版本(例如Chrome或Firefox)中的重大更改有关:
对我来说,可行的解决方案是完全关闭cookie的 SameSite 配置. .NET Core 2.2的这种可能性在此处进行了描述:
https://docs.microsoft. com/en-us/aspnet/core/security/samesite?view = aspnetcore-3.1
((如果您的解决方案在.NET Core 3.1上,则在下面的代码中,而不是使用(SameSiteMode)(-1),您应该使用 SameSiteMode.Unspecified )
FIX: 在 IdentityServerBuilder 创建后的 ConfigureServices 方法中的 Startup.cs 文件中...
var builder = services.AddIdentityServer(options =>
{....});
...我添加了以下配置更改:
builder.Services.ConfigureExternalCookie(options => {
options.Cookie.IsEssential = true;
options.Cookie.SameSite = (SameSiteMode)(-1); //SameSiteMode.Unspecified in .NET Core 3.1
});
builder.Services.ConfigureApplicationCookie(options => {
options.Cookie.IsEssential = true;
options.Cookie.SameSite = (SameSiteMode)(-1); //SameSiteMode.Unspecified in .NET Core 3.1
});
i use identity server 4 let call it "auth-server" run on .net core 3.1. there is angular app request authentication after redirected to auth-server and provide credentials submiting the login it's not redirect back to client app. the issue is only in chrome browser (firefox & edge works fine) i can see the redirect request - Request-Url but it just go back to login page Client congig:
public static IEnumerable<Client> GetClients()
{
return new List<Client>(){
new Client() {
RequireConsent =false,
RequireClientSecret = false,
ClientId = "takbull-clientapp-dev",
ClientName = "Takbull Client",
AllowedGrantTypes = GrantTypes.ImplicitAndClientCredentials,
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Email,
IdentityServerConstants.StandardScopes.Profile,
"takbull",
"takbull.api"
},
// where to redirect to after login
RedirectUris = new List<string>()
{
"http://localhost:4200/auth-callback/",
"http://localhost:4200/silent-refresh.html",
},
//TODO: Add Production URL
// where to redirect to after logout
PostLogoutRedirectUris =new List<string>()
{
"http://localhost:4200"
},
AllowedCorsOrigins = {"http://localhost:4200"},
AllowAccessTokensViaBrowser = true,
AccessTokenLifetime = 3600,
AlwaysIncludeUserClaimsInIdToken = true
},
};
}
Login Code:
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Login(LoginInputModel model, string button)
{
// check if we are in the context of an authorization request
var context = await _interaction.GetAuthorizationContextAsync(model.ReturnUrl);
// the user clicked the "cancel" button
if (button != "login")
{
if (context != null)
{
// if the user cancels, send a result back into IdentityServer as if they
// denied the consent (even if this client does not require consent).
// this will send back an access denied OIDC error response to the client.
await _interaction.GrantConsentAsync(context, ConsentResponse.Denied);
// we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
if (await _clientStore.IsPkceClientAsync(context.ClientId))
{
// if the client is PKCE then we assume it's native, so this change in how to
// return the response is for better UX for the end user.
return View("Redirect", new RedirectViewModel { RedirectUrl = model.ReturnUrl });
}
return Redirect(model.ReturnUrl);
}
else
{
// since we don't have a valid context, then we just go back to the home page
return Redirect("~/");
}
}
if (ModelState.IsValid)
{
// validate username/password against in-memory store
var ValidResp = await _users.ValidateCredentials(model.Username, model.Password);
if (ValidResp.LogInStatus == LogInStatus.Success)
{
var user = _users.FindByUsername(model.Username);
//await _events.RaiseAsync(new UserLoginSuccessEvent(user.Username, user.SubjectId, user.Username));
await _events.RaiseAsync(new UserLoginSuccessEvent(user.Email, user.UserId.ToString(), user.Email));
// only set explicit expiration here if user chooses "remember me".
// otherwise we rely upon expiration configured in cookie middleware.
AuthenticationProperties props = null;
if (AccountOptions.AllowRememberLogin && model.RememberLogin)
{
props = new AuthenticationProperties
{
IsPersistent = true,
ExpiresUtc = DateTimeOffset.Now.Add(AccountOptions.RememberMeLoginDuration)
};
};
// issue authentication cookie with subject ID and username
//await HttpContext.SignInAsync(user.SubjectId, user.Username, props);
// issue authentication cookie with subject ID and username
await HttpContext.SignInAsync(user.UserId.ToString(), user.FirstName + " " + user.LastName, props, _users.GetClaims(user).ToArray());
if (context != null)
{
if (await _clientStore.IsPkceClientAsync(context.ClientId))
{
// if the client is PKCE then we assume it's native, so this change in how to
// return the response is for better UX for the end user.
return View("Redirect", new RedirectViewModel { RedirectUrl = model.ReturnUrl });
}
// we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null
return Redirect(model.ReturnUrl);
}
// request for a local page
if (Url.IsLocalUrl(model.ReturnUrl))
{
return Redirect(model.ReturnUrl);
}
else if (string.IsNullOrEmpty(model.ReturnUrl))
{
return Redirect("~/");
}
else
{
// user might have clicked on a malicious link - should be logged
throw new Exception("invalid return URL");
}
}
await _events.RaiseAsync(new UserLoginFailureEvent(model.Username, ValidResp.ResponseDescription));
ModelState.AddModelError(string.Empty, ValidResp.ResponseDescription);
}
// something went wrong, show form with error
var vm = await BuildLoginViewModelAsync(model);
return View(vm);
}
I had a similar issue with IdentityServer4 on .NET Core 2.2. Your problem might be connected with those breaking changes in new browsers versions like Chrome or Firefox:
For me the working solution was to turn off the SameSite configuration for cookies at all. Such possibility for .NET Core 2.2 is described here:
https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
(if your solution is on .NET Core 3.1 then in code below, instead using (SameSiteMode)(-1) you should use SameSiteMode.Unspecified)
FIX: in Startup.cs file in ConfigureServices method, right after IdentityServerBuilder is created...
var builder = services.AddIdentityServer(options =>
{....});
...I've added the following configuration change:
builder.Services.ConfigureExternalCookie(options => {
options.Cookie.IsEssential = true;
options.Cookie.SameSite = (SameSiteMode)(-1); //SameSiteMode.Unspecified in .NET Core 3.1
});
builder.Services.ConfigureApplicationCookie(options => {
options.Cookie.IsEssential = true;
options.Cookie.SameSite = (SameSiteMode)(-1); //SameSiteMode.Unspecified in .NET Core 3.1
});
这篇关于Identity Server 4登录后重定向仅在Chrome中不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
