WIF Security Token Caching


Problem description


I have a site that is a relying party to our WIF-based custom STS. We recently implemented a Security Token Cache as described here: Azure/web-farm ready SecurityTokenCache. The major difference between our implementation and the one described in that link is that we use Azure AppFabric Caching as the backing store for the durable cache, rather than table storage. This helped to relieve us of a token truncation issue on certain browsers but has introduced a new problem (we see the truncation problem primarily on pages that have Google Analytics + antiforgery cookies in addition to the FedAuth cookie). We're now receiving the following exception several thousand times per day:

System.IdentityModel.Tokens.SecurityTokenException
ID4243: Could not create a SecurityToken. A token was not found in the token cache and no cookie was found in the context.

System.IdentityModel.Tokens.SecurityTokenException: ID4243: Could not create a SecurityToken. A token was not found in the token cache and no cookie was found in the context.
   at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver)
   at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver)
   at Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie)
   at Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken)
   at Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


This exception seems to be happening in a redirect loop, so we'll see hundreds of them within a 1-2 minute time span.


I've been unable to locate any useful information while researching the exception. The only nugget that holds any hope so far is someone mentioning that it may be related to the cached object expiring prior to the session.


We've been unable to reproduce the problem internally and only know it exists because of the thousands of entries filling up our Elmah tables. Any help or insight would be very much appreciated.


We pushed out what we thought may help resolve the problem (code below) but it had no effect:

HttpContext.Current.Response.Cookies.Remove("FedAuth");
WSFederationAuthenticationModule authModule = FederatedAuthentication.WSFederationAuthenticationModule;
string signoutUrl = (WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl(authModule.Issuer, authModule.Realm, null));
Response.Redirect(signoutUrl);

Recommended answer


I have an MVC single page application as a relying party using WSO2 4.5 as the IDP and was getting the same error - "System.IdentityModel.Tokens.SecurityTokenException ID4243: Could not create a SecurityToken. A token was not found in the token cache and no cookie was found in the context. ..." Did a search and found the statements below by Brock Allen of Thinktecture fame.


This exception is thrown when the browser is sending a cookie that contains the user’s claims but something about the processing can’t be performed (either the key has changed so the token can’t be validated or if using a server side cache and the cache is empty). An end user isn’t going to be able to do much about this and they’re going to continue to get the error since the browser will keep sending the cookie.

Full article: http://brockallen.com/2012/10/22/dealing-with-session-token-exceptions-with-wif-in-asp-net/


In the same article he provides the following snippet of code that solved the issue in my case. In Global.asax:

void Application_OnError()
{
    var ex = Context.Error;
    if (ex is SecurityTokenException)
    {
        Context.ClearError();
        if (FederatedAuthentication.SessionAuthenticationModule != null)
        {
            FederatedAuthentication.SessionAuthenticationModule.SignOut();
        }
        Response.Redirect("~/");
    }
}
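The handler above recovers by signing out server-side; the question's own attempt failed partly because HttpCookieCollection.Remove only drops the cookie from the outgoing response and never tells the browser to delete it, so the stale FedAuth cookie keeps coming back and the loop continues. The following Global.asax.cs handler is an added example, not code from the question, the answer or Brock Allen's article: it catches the SecurityTokenException (also when ASP.NET wraps it), calls SignOut() so WIF drops the cache entry and its cookie, and additionally sends expired copies of every FedAuth* cookie (WIF's chunked cookie handler names chunks FedAuth, FedAuth1, ...) before redirecting. The cookie name "FedAuth" is the WIF default and is what the question uses.

```csharp
// Added example: recover from ID4243 without leaving the stale session cookie on the client.
using System;
using System.Web;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public class Global : HttpApplication
{
    // WIF default session cookie name (the question's cookie is also "FedAuth").
    private const string SessionCookieName = "FedAuth";

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // The module throws from OnAuthenticateRequest; ASP.NET may wrap it in HttpUnhandledException.
        var tokenEx = ex as SecurityTokenException ?? ex.InnerException as SecurityTokenException;
        if (tokenEx == null) return;

        Server.ClearError();

        // Let WIF remove the session token from the cache and clear its cookie via the cookie handler.
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
        if (sam != null) sam.SignOut();

        // Response.Cookies.Remove only edits the outgoing collection; the browser keeps its copy.
        // Sending an expired copy of each chunk makes the browser delete it and breaks the loop.
        foreach (string name in Request.Cookies.AllKeys)
        {
            if (!name.StartsWith(SessionCookieName, StringComparison.Ordinal)) continue;
            Response.Cookies.Add(new HttpCookie(name, string.Empty)
            {
                Expires = DateTime.UtcNow.AddDays(-1),
                HttpOnly = true,
                Secure = Request.IsSecureConnection
            });
        }

        // Back to the application root; the next request has no session cookie and WIF
        // redirects to the STS for a fresh sign-in instead of re-reading the dead token.
        Response.Redirect("~/", true);
    }
}
```

This is recovery only: if the cause is the cache entry expiring before the session token does, the durable cache's entry lifetime still has to be aligned with the token's validity period.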
