如何让 Azure OIDC 尊重我的重定向 URI? [英] How to get Azure OIDC to respect my redirect URI?

问题描述

我有一个应用托管在 Azure PaaS 上，使用 Open ID Connect 进行身份验证.

I have an app hosted on Azure PaaS using Open ID Connect for auth.

应用 URL 类似于:https://env.app.entity.my.domain
Azure ASE 是:https://entity-app-env-web.webenvase.my.domain

The app URL is like: https://env.app.entity.my.domain
The Azure ASE is: https://entity-app-env-web.webenvase.my.domain

只要我为 https://配置重定向 URIentity-app-env-web.webenvase.my.domain/signin-oidc 在 Azure 中，它可以工作.那是因为它忽略了我设置中的重定向 URI.但这不是我想要的.我显然希望将用户返回到应用程序的 URL.

As long as I configure a redirect URI for https://entity-app-env-web.webenvase.my.domain/signin-oidc in Azure, it works. That's because it's ignoring the redirect URI in my settings. But that's not what I want. I will obviously want to return the user to the app's URL.

无论我为 RedirectUri 或 CallbackPath 设置什么值，它都默认为 ASE URL.我该如何解决?

No matter what values I put for my RedirectUri or CallbackPath, it defaults to the ASE URL. How can I fix that?

appsettings.json:

"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "Issuer": "https://sts.windows.net/<tenant id>/",
  "Domain": "my.azure.domain",
  "TenantId": "<tenant id>",
  "ClientId": "<client id>",
  "RedirectUri": "https://env.app.entity.my.domain/signin-oidc"
}

Startup.cs(认证配置):

services.AddMicrosoftIdentityWebAppAuthentication(Configuration);
services.AddControllersWithViews(options =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireRole(Role.Administrator)
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
})
.AddMicrosoftIdentityUI();

推荐答案

我从这个answer 和其他地方，重定向 uri 是自动计算的，不使用配置中的值.配置中的一个将在某些情况下使用，但不会用于对 Azure 的身份验证调用.

I found from this answer and elsewhere that the redirect uri is automatically calculated not using the value from the configs. The one in the configs will be used in some cases but not for the auth call to Azure.

经过一段时间的摸索后，我们的服务器团队开始删除 f5 上的规则，我们发现问题在于我们其他应用程序的典型标头重写规则.具体来说，它导致 auth cookie 在重定向期间被浏览器拒绝和剥离.

After monkeying around with it for some time our server team started removing rules on the f5 and we found that the header rewrite rule that is typical for our other apps was the issue. Specifically, it was causing the auth cookie to be rejected and stripped at the browser during redirection.

我们删除了规则，一切又恢复了.

We removed the rule and all is well again.

这篇关于如何让 Azure OIDC 尊重我的重定向 URI?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！