ASP.NET 和 OWIN Cookies Azure Open ID 不起作用 [英] ASP.NET and OWIN Cookies Azure Open ID is not working

问题描述

我尝试使用 OpenID 连接 Azure AD，并且使用教程中的确切代码 https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-asp-webapp没有运气.

I have try to use OpenID to connect with Azure AD, and I use the exact code from the tutorial https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-asp-webapp with no luck.

我的创业:

public class Startup
{
     string clientId = System.Configuration.ConfigurationManager.AppSettings["ClientId"];
     string redirectUri = System.Configuration.ConfigurationManager.AppSettings["RedirectUri"];
     static string tenant = System.Configuration.ConfigurationManager.AppSettings["Tenant"];
     string authority = String.Format(System.Globalization.CultureInfo.InvariantCulture, 
                        System.Configuration.ConfigurationManager.AppSettings["Authority"], tenant);

/// <summary>
/// Configure OWIN to use OpenIdConnect
/// </summary>
/// <param name="app"></param>
public void Configuration(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            Scope = OpenIdConnectScope.OpenIdProfile,
            ResponseType = OpenIdConnectResponseType.IdToken,
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = true
            },
            
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailed
            }
        }
    );
}

/// <summary>
/// Handle failed authentication requests by redirecting the user to the home page with an error in the query string
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
{
    context.HandleResponse();
    context.Response.Redirect("/?errormessage=" + context.Exception.Message);
    return Task.FromResult(0);
}

我的登录页面代码:

protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            if (!IsPostBack)
            {
                if (!Request.IsAuthenticated)
                {
                    HttpContext.Current.GetOwinContext().Authentication.Challenge(
                        new AuthenticationProperties { RedirectUri = "/AMS/Dashboard" },
                        OpenIdConnectAuthenticationDefaults.AuthenticationType);
                }
                else
                {
                    var userClaims = User.Identity as System.Security.Claims.ClaimsIdentity;
                    lblErrorMessage.InnerHtml = userClaims?.FindFirst("preferred_username")?.Value;
                    //check user info, and create session then redirect to Dashboard
                }
            }
        }
        catch (Exception ex)
        {
             //handle error
        }
  }

我的网站结构有点复杂如下:

My Website structure is a little bit complicated as follow:

我在服务器 x 上有一个网站:mydomain.com我在服务器 y 中有一个子域:subdomain.mydomain.com我在服务器 z 上有我的网站 AMS，并重定向到 subdomain.mydomain.com/AMS

I have a website on the server x: mydomain.com and I have a subdomain in server y: subdomain.mydomain.com and I have my website AMS on server z with a redirect to subdomain.mydomain.com/AMS

现在为了解决跨站 cookie 我在 web 配置中使用以下内容

now to solve cross-site cookie I use the following in web config

<outboundRules>
    <rule name="Ensure httpOnly Cookies" preCondition="Missing httpOnly cookie">
        <match serverVariable="RESPONSE_Set_Cookie" pattern="^(.*; path=/)" negate="false" />
        <action type="Rewrite" value="{R:1}AMS; SameSite=none; secure; HttpOnly" />
    </rule>
    <preConditions>
        <preCondition name="Missing httpOnly cookie">
            <!-- Don't remove the first line! -->
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=none; secure; HttpOnly" negate="true" />
        </preCondition>
    </preConditions>
</outboundRules>

我的问题是 Request.IsAuthenticated 总是假的，所以页面一直重定向到微软登录页面

有什么想法吗?提前致谢

Any ideas? Thanks in advance

推荐答案

试试这个:

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    CookieSameSite = Microsoft.Owin.SameSiteMode.None,
    CookieSecure = CookieSecureOption.Always
});

还要确保设置了安全属性

Also ensure the secure attribute is set as well

来自 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

SameSite NONE - Cookie 将在所有上下文中发送，即响应第一方和跨域请求.如果设置了 SameSite=None，则还必须设置 cookie Secure 属性(否则 cookie 将被阻止).

SameSite NONE - Cookies will be sent in all contexts, i.e in responses to both first-party and cross-origin requests. If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked).

这篇关于ASP.NET 和 OWIN Cookies Azure Open ID 不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！