Identity server keeps showing "Showing login: User is not authenticated" in /connect/authorize/callback


Question

Using IdentityServer4, I'm implementing Code flow authorization on an existing system which supports only the ResourceOwnerPassword grant type in IdentityServer and works well.

I got to a stage where the user is prompted to authenticate, then redirected to the server's connect/authorize/callback.

After that it does not authenticate and comes back to the login page. From the log, I got the following:

Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint for /connect/authorize/callback

  • ValidatedAuthorizeRequest

    {
        "ClientId": "demo",
        "ClientName": "MVC Client Demo",
        "RedirectUri": "http://localhost:5002/signin-oidc",
        "AllowedRedirectUris": ["http://openidclientdemo.com:8001/signin-oidc",
                                "http://localhost:5002/signin-oidc"],
        "SubjectId": "anonymous",
        "ResponseType": "code id_token",
        "ResponseMode": "form_post",
        "GrantType": "hybrid",
        "RequestedScopes": "openid profile default-api",
        "State": "CfDJ8DU4Xalc7d9HttaFlZ-UaDhGsjeeEccTfNiNZFz3yYZI9MfXjrXo2TAzT9f6-F2VEdC7bWtcD7HRJgkqrh4t0oTAe_47IBfcm5Fsde9bVRorq-CHcL6_c15Vz1G5LJyEzqX6tyjhcZ2g3J2JjxD1PME1W7sq9YSddhQUJmxt4bVi70wdTtXXp0tH0SKyb0vLCs3eIjOln792nobaFOCM7r3VJ8BfXfpDm2pOOmBlR7zCCBxFCivwj7Zmy5Tu8Z09MvzOaLEkPBSL5i9GyxmGiB0P6osBPYEDyoRfgy2qDigH3QqLmLYjfE6NrgcgIGO9kgXuUT52XgALV_ZKjNbih-Y",
        "Nonce": "636702233595840569.NGQ3NGVlODMtYTVhNy00MjM4LWFhNGQtNTFiZTE3ZjllZmUzNjU5MGNmNjktNjg3Yy00YmZlLWEwYWYtYmMzM2QxZmZlNjBk",
        "Raw": {
            "client_id": "demo",
            "redirect_uri": "http://localhost:5002/signin-oidc",
            "response_type": "code id_token",
            "scope": "openid profile default-api",
            "response_mode": "form_post",
            "nonce": "636702233595840569.NGQ3NGVlODMtYTVhNy00MjM4LWFhNGQtNTFiZTE3ZjllZmUzNjU5MGNmNjktNjg3Yy00YmZlLWEwYWYtYmMzM2QxZmZlNjBk",
            "state": "CfDJ8DU4Xalc7d9HttaFlZ-UaDhGsjeeEccTfNiNZFz3yYZI9MfXjrXo2TAzT9f6-F2VEdC7bWtcD7HRJgkqrh4t0oTAe_47IBfcm5Fsde9bVRorq-CHcL6_c15Vz1G5LJyEzqX6tyjhcZ2g3J2JjxD1PME1W7sq9YSddhQUJmxt4bVi70wdTtXXp0tH0SKyb0vLCs3eIjOln792nobaFOCM7r3VJ8BfXfpDm2pOOmBlR7zCCBxFCivwj7Zmy5Tu8Z09MvzOaLEkPBSL5i9GyxmGiB0P6osBPYEDyoRfgy2qDigH3QqLmLYjfE6NrgcgIGO9kgXuUT52XgALV_ZKjNbih-Y",
            "x-client-SKU": "ID_NET",
            "x-client-ver": "2.1.4.0",
            "accessToken": "4155a526-2bb1-4d88-ba3a-21cb3a91f266",
            "userId": "MQ=="
        }
    }

    Showing login: User is not authenticated


It is not clear to me what caused the authentication failure; any idea?

Accepted answer

TL;DR: the default IdentityServer setup over HTTP with Chrome doesn't work. Chrome enforces that cookies with SameSite=none also carry the Secure attribute, so you may have to either use HTTPS or modify the cookie policy using @blow's answer. Chromium blog

A bit of context on Single Sign On and cookies:

A cookie is a piece of information that a server sends on a response and the browser sends back on every subsequent request.

When you log in to IdentityServer, it sends back multiple cookies, one of which identifies your session. This cookie is sent with the attribute SameSite=none, which allows any application that you browse to make a request to your IdentityServer and include this cookie with it. This way, the call to /connect/authorize includes this cookie, and IdentityServer skips the login part. Voilà, SSO.

Are you using Google Chrome?

Google Chrome recently introduced a change where all cookies issued with the attribute SameSite=none must include the Secure attribute.

What the two attributes mean:

  • SameSite: controls how the browser behaves when attaching the cookie to any request made to your site, based on the origin.

    • SameSite=strict: does not send the cookie on requests made from sites different from the origin. This helps to prevent CSRF attacks.
    • SameSite=lax: similar to strict, but the cookie gets sent when the user knowingly starts the request, by clicking a link or sending a form. It is not sent on requests initiated by scripts.
    • SameSite=none: the cookie will get included no matter which origin the request comes from.

  • Secure: indicates that the cookie has to be sent over HTTPS only.

IdentityServer issues those cookies with SameSite=none. This means that when you're serving IdentityServer without HTTPS locally and using Chrome as the browser, it won't log you in: after you POST your user & password to the server, the response will include the session cookie, but your browser (Chrome) will refuse it because it is not marked as Secure yet is marked as SameSite=none, and this combination is not allowed.
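As an added example (not part of the original question or answer), the following Python check applies the rules the answer describes to Set-Cookie headers: whether Chrome accepts the cookie at all, and whether the browser will attach an accepted cookie to a later cross-site request such as the redirect to /connect/authorize. The cookie name and header values are constructed to mirror the question's setup, and treating a missing SameSite attribute as Lax is an assumption about current Chrome behaviour.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Cookie:
    name: str
    samesite: str  # "strict", "lax", "none", or "" when the attribute is absent
    secure: bool

def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value such as 'idsrv.session=abc; path=/; samesite=none'."""
    parts = [p.strip() for p in header.split(";")]
    samesite, secure = "", False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "samesite":
            samesite = val.strip().lower()
        elif key.strip().lower() == "secure":
            secure = True
    return Cookie(parts[0].partition("=")[0].strip(), samesite, secure)

def chrome_accepts(cookie: Cookie, over_https: bool) -> Tuple[bool, str]:
    """Chrome's rule from the answer: SameSite=None needs Secure, and Secure needs HTTPS."""
    if cookie.samesite == "none" and not cookie.secure:
        return False, "SameSite=None without Secure is rejected"
    if cookie.secure and not over_https:
        return False, "Secure cookie delivered over plain HTTP is rejected"
    return True, "accepted"

def sent_on_request(cookie: Cookie, cross_site: bool, user_navigation: bool, over_https: bool) -> bool:
    """Would the browser attach an accepted cookie to a later request?
    user_navigation: user-initiated top-level navigation (link click), not a script-initiated request."""
    if cookie.secure and not over_https:
        return False
    if not cross_site:
        return True
    mode = cookie.samesite or "lax"  # assumption: current Chrome treats a missing SameSite as Lax
    if mode == "none":
        return True
    if mode == "lax":
        return user_navigation
    return False  # strict: never sent on a cross-site request

# Constructed sample headers modelled on the question's setup (not captured traffic)
SAMPLE_HEADERS = [
    "idsrv.session=abc123; path=/; samesite=none",          # IdentityServer default, served over HTTP
    "idsrv.session=abc123; path=/; samesite=none; secure",  # the same cookie once HTTPS is in place
]

def diagnose(headers: List[str], over_https: bool) -> List[Tuple[str, bool, str]]:
    """Return (cookie name, accepted?, reason) for each Set-Cookie header as Chrome would judge it."""
    return [(c.name, *chrome_accepts(c, over_https)) for c in map(parse_set_cookie, headers)]
```

Running diagnose(SAMPLE_HEADERS, over_https=False) shows both forms rejected over plain HTTP, which is the situation in the question; only the Secure variant over HTTPS is accepted.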
