如何在 Azure Web 应用程序中将 redirect_uri 协议设置为 HTTPS [英] How to set redirect_uri protocol to HTTPS in Azure Web Apps

问题描述

我面临以下问题.我有一个要部署到 Azure 的 ASP Net Core 2 Web 应用程序.应用身份验证与 Azure Active Directory 集成，因此当我尝试登录时会发生以下请求:

I am facing the following problem. I have an ASP Net Core 2 web app that I want to deploy to Azure. The app authentication is integrated with the Azure Active Directory, so when I try to login the following requests happen:

GET https://login.microsoftonline.com/ecf3f643-27e5-4aa7-9d56-fd350e1e9c37/oauth2/authorize?client_id=20a2bcb5-0433-4bb4-bba3-d7dc4c533e85&redirect_uri=http://myapplication.mydomain.com/account/signin [...]  200 OK
POST http://myapplication.mydomain.com/account/signin 301 Redirect --> https://myapplication.mydomain.com/account/signin
GET https://myapplication.mydomain.com/account/signin 500 Internal Server Error

第一个 GET 是正常的 Azure Active Directory 登录请求.注意 redirect_uri 参数有协议 http.

The first GET is the normal Azure Active Directory login request. Notice the redirect_uri parameter has protocol http.

第二个请求是重定向到redirect_uri，一个带有一些参数的POST.由于我已将 Azure 配置为仅允许 HTTPS 流量，因此 IIS 使用 HTTPS 重定向到相同的 URL.这是第三个要求.请注意，第三个请求是 GET 请求，因为 HTTP 重定向始终是 GET 请求 POST 请求的所有参数都丢失了，并且身份验证失败，在后端出现 HTTP 500 错误.

The second request is the redirection to the redirect_uri, a POST with some parameters. Since I have configured Azure to allow only HTTPS traffic, then IIS redirects to the same URL with HTTPS. That's the third request. Notice this third request is a GET request, since HTTP redirection is always a GET request all the paremeters of the POST request are lost, and the authentication fails giving a HTTP 500 error in the backend.

我已尝试手动将 redirect_uri 参数中的协议手动更改为 HTTPS，并且 它按预期工作.所以，我唯一需要做的就是让 ASP Net Core 知道协议是 HTTPS.

I have tried to manually change the protocol in the redirect_uri parameter manually to HTTPS, and it works as expected. So, the only thing I need is to make ASP Net Core aware that the protocol is HTTPS.

如何做到这一点?我在互联网上搜索了大量页面，但没有明确的答案.

How can that be done? I've searched tons of pages in the Internet without a clear answer.

注意:redirect_uri 由 Kestrel 设置.由于 Azure 应用服务将 IIS 放在我的 Kestrel 前面并在那里终止 SSL，Kestrel 和我的应用不知道协议是 HTTPS，因此在重定向 uri 中使用 HTTP.

Note: the redirect_uri is set by Kestrel. Since Azure App Service puts an IIS in front of my Kestrel and does the SSL termination there, Kestrel and my app do not know the protocol is HTTPS, and therefore use HTTP in the redirect uri.

更新 1

按照 @Bruce 的建议，我已经尝试了示例 这里，克隆存储库并配置应用程序和 AD如那里所述，我能够重现该错误.

Following the advice of @Bruce I've tried the example here, cloning the repository and configuring the application and the AD as stated there, and I am able to reproduce the error.

重定向 URI 继续使用 http 协议.如果我只在 AD 应用程序配置中添加 https 端点作为回复 URL，我会收到错误 The reply address 'http://testloginad.azurewebsites.net/signin-oidc' does not匹配为应用程序配置的回复地址.如果我将 http 协议端点添加为回复 URL，则会收到如下所示的 HTTP 500 错误:

The redirect URI continues to be with http protocol. If I only add in the AD app configuration the https endpoint as reply URL, I get the error The reply address 'http://testloginad.azurewebsites.net/signin-oidc' does not match the reply addresses configured for the application. If I add the http protocol endpoint as reply URL, then I get an HTTP 500 error like the following:

System.Exception: Correlation failed.
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.<HandleRequestAsync>d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.<Invoke>d__6.MoveNext()

我还在想问题与 Kestrel 不知道连接是通过 HTTPS 完成的有关，但我不知道如何向它传达该信息.

I am still thinking the problem is related to Kestrel not knowing the connection is being done through HTTPS, but I do not know how to convey that information to it.

更新 2

我使用的 Azure Web 应用的配置:

The configuration of the Azure web app I used:

• Wep 应用类型:Linux
• 应用设置:
  • 堆栈:.NET Core 2.0
  • 启动文件:dotnet ./WebApp-OpenIDConnect-DotNet.dll
  • WEBSITE_HTTPLOGGING_RETENTION_DAYS:5
  • ASPNETCORE_ENVIRONMENT:开发
  • 始终开启:开启
  • ARR 关联:开启
  • 仅 HTTPS:开启
  • Docker 容器日志记录:文件系统
  • 配额 (MB):35
  • 保留期(天):5

  在 web.config 文件中，我将以下行修改为如下所示:

  In the web.config file I modified the following line to read like this:

  <aspNetCore processPath="dotnet" arguments="./WebApp-OpenIDConnect-DotNet.dll" stdoutLogEnabled="false" stdoutLogFile="./stdout.log" />
  

  基本上，我提出了斜杠而不是反斜杠，以避免 Linux 路径出现问题.

  Basically I put forward slashes instead of back slashes to avoid problems with Linux paths.

  其他一切都使用默认设置进行配置.

  Everything else is configured using default settings.

  更新 3根据 @Tratcher 的要求，我在此处添加了服务器响应的标头(为简洁起见，我仅包括标头我认为相关，如果您想查看其他任何内容，请随时要求我添加它):

  UPDATE 3 As requested by @Tratcher, I add here the headers of the server reponses (for the sake of brevity I include only the headers I consider relevant, if you want to see any other one, feel free to ask me to add it):

  • 第一个请求(GET https://login.microsoftonline.com/ecf...):
    • 服务器:Microsoft-IIS/10.0
    • 设置 Cookie:ESTSAUTHPERSISTENT=AQAFCCEADDB…sts;路径=/;安全的;HttpOnly
    • 严格的传输安全性:max-age=31536000；包含子域
    • 位置:https://testloginad.azurewebsites.net/signin-oidc
    • 服务器:Microsoft-IIS/10.0
    • 服务器:Kestrel

    任何请求中都没有 x-forwarded-proto 标头.

    No x-forwarded-proto header appears in any of the requests.

    请注意，问题的根源可能在于第二个请求的重定向，即将 HTTP POST 重定向到 HTTPS GET.该重定向不应该发生，因为首先应该通过 HTTPS 请求 POST，但由于第一个请求的 redirect_uri 中的 http 协议错误，因此不会发生这种情况.

    Note that one the root of the problem may be in the redirect of the second request, that is redirecting the HTTP POST to an HTTPS GET. That redirect should not happen since the POST should have been requested through HTTPS in the first place, but that did not happen because of the wrong http protocol in the redirect_uri of the first request.

    更新 4

    我已确认仅当所选服务计划是 Linux 服务计划时才会出现此问题.如果服务计划是 Windows 服务计划(使用与 UPDATE 1 示例完全相同的代码和配置)，则根本不会发生此问题.这可能是解决问题的方法，但不是解决方案.Linux 应用服务似乎有缺陷.

    I have confirmed this issue only happens if the chosen service plan is a Linux one. The issue does not happen at all if the service plan is a Windows one (using exactly the same code and configuration from the example of UPDATE 1). This may be a workaround, but not a solution, to the problem. The Linux app service seem to be flawed.

    推荐答案

    我自己也遇到了问题.我深入研究了微软的 Microsoft.AspNetCore.Authentication 并了解了他们是如何构建重定向 url 的:

    I had the problem myself. I took a deep dive into Microsoft's Microsoft.AspNetCore.Authentication and found out how they constructed the redirect url:

    protected string BuildRedirectUri(string targetPath)
            => Request.Scheme + "://" + Request.Host + OriginalPathBase + targetPath;
    

    因为 Web App 已经强制使用 HTTPS，这可以通过 Startup.cs 中的以下代码解决

    Because the Web App already forces HTTPS this can be solved with the following code in the Startup.cs

    app.UseForwardedHeaders(new ForwardedHeadersOptions
    {
          ForwardedHeaders = ForwardedHeaders.XForwardedProto
    });
    

    您只需添加此引用:

    using Microsoft.AspNetCore.HttpOverrides;
    

    这篇关于如何在 Azure Web 应用程序中将 redirect_uri 协议设置为 HTTPS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！