通过 Azure AD 身份验证对用户进行身份验证时获取 NULL 身份 [英] Getting NULL Identity while authenticating user via Azure AD authentication
问题描述
我正在尝试通过 Azure AD 使用 WS-federation 对用户进行身份验证.
I am trying to authenticate user by Azure AD using WS-federation.
我已经实现了多个身份验证方案并使用 Challenge() 将用户重定向到相应的方案.
I've implemented multiple authentication schemes and redirect the user to the respective schemes using Challenge().
return Challenge(new AuthenticationProperties { RedirectUri = "http://localhost:57826/Account/AzureADLogin"}, authenticationScheme);
这可以将我重定向到 Microsoft 登录页面,并在成功登录后将我重定向到操作方法 AzureADLogin().
This can redirect me to the Microsoft login page and after successful login, it redirects me to the action method AzureADLogin().
但不知何故,在 AzureADLogin() 中,我无法在此方法中登录用户身份 (User.Identity.Name).我在回复中收到了空的声明.
But somehow in AzureADLogin(), I could not able to get logged in user identity(User.Identity.Name) in this method. I'm receiving empty claims in the response.
同样在 Azure AD RedirectURIs 中设置为http://localhost:57826/Account/AzureADLogin".
Also in the Azure AD RedirectURIs is set to "http://localhost:57826/Account/AzureADLogin".
有谁知道我做错了什么或遗漏了什么?
Does anyone has idea what I'm doing wrong or missing something?
推荐答案
我刚刚为此奋斗了 3 天多,当我在 3 月份第一次注意到这个问题时,我花了几天时间排查和重写我的应用程序.就我而言,我有一个 .Net 4.5.2 应用程序,在使用 WSFederation 和 OWIN 登录 Azure AD 时已经工作了多年.但是,服务器 Win 2016 的更新发生在 2020 年 3 月,导致登录中断.每次我获得登录用户名的地方在 System.Web.HttpContext.User.Identity.Name 中都是空白的,并且每次更新前都已填充.我将其追溯到 Server 2016 上的 KB4537764 更新.(仅供参考,2012 年的更新是 KB4532946 和 KB4532940)如果我删除了更新,则登录有效.再次应用更新破坏了它.我用谷歌搜索 KB4537764,直到我脸色发青,总是空空如也.直到我研究了 KB4537764 实际做了什么——它提到了 SameSite 的修复——我才发现我需要做些什么来修复它并在服务器上安装更新.
I just battled this for over 3 days, and I spent several days troubleshooting and rewriting my app when I first noticed this problem in March. In my case, I have a .Net 4.5.2 app that had worked for years when using WSFederation and OWIN to login to Azure AD. However, an update to the server Win 2016 occurred in March 2020 that broke the signin. Every single time the place I got the logged-in User Name was blank in System.Web.HttpContext.User.Identity.Name, and it had been populated each time before the update. I traced it back to in update of KB4537764 on Server 2016. (FYI for anyone else the updates for 2012 are KB4532946 and KB4532940) If I removed the update, the signin worked. Applying the update again broke it. I googled for KB4537764 until I was blue in the face and always came up empty. It wasn't until I researched what KB4537764 actually did - it mentions a fix for SameSite - that I found what I needed to do to fix it and have the update installed on the server.
- 在 Nuget 包管理器中将所有 OWIN 版本更新为 4.1.0
您需要配置应用程序以使用 SystemWebCookieManager.在 startup.cs 中添加它.我把它放在 Configuration(IAppBuilder app) 中的第一行
- Update all OWIN versions to 4.1.0 in Nuget Package Manager
You need to configure the app to use SystemWebCookieManager. Add this in startup.cs. I made it the first line in Configuration(IAppBuilder app)
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
// ...
CookieManager = new SystemWebCookieManager()
});
在我的 PageAuthorize 类中,如果 System.Web.HttpContext.Current.User.Identity.Name 为空,我会进行 SSO 调用:
In my PageAuthorize class I make the SSO call if System.Web.HttpContext.Current.User.Identity.Name is blank:
公共类 PageAuthorize : AuthorizeAttribute{
public class PageAuthorize : AuthorizeAttribute {
private readonly string[] allowedroles;
public PageAuthorize(params string[] roles)
{
this.allowedroles = roles;
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
bool authorize = false;
if (System.Web.HttpContext.Current.User.Identity.Name=="")
{
System.Web.HttpContext.Current.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "https://mysite/Home/LoggedIn" }, WsFederationAuthenticationDefaults.AuthenticationType);
authorize = true;
}
else
{
foreach (var role in allowedroles)
{
int intLoginId;
string staffName;
sysRole sysRole;
var _staffService = DependencyResolver.Current.GetService<IStaffService>();
LoginMySelf me = new LoginMySelf(_staffService);
var Login = me.DetermineLogin(out intLoginId, out staffName, out sysRole);
//set session vars
var _sessionManagerService = DependencyResolver.Current.GetService<ISessionManagerService>();
string strSess = _sessionManagerService.SetLoginSessionVars(Login, intLoginId, "SSO", sysRole.RoleName,
staffName, Convert.ToInt32(sysRole.AccessLevelValue));
System.Web.HttpContext.Current.Session["RoleName"] = sysRole.RoleName;
System.Web.HttpContext.Current.Session["StaffName"] = staffName;
if (role == sysRole.RoleName)
{
authorize = true;
}
}
}
return authorize;
}
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
HttpContext.Current.Response.Redirect("~/Home/NotAuthorized");
}
}
现在 System.Web.HttpContext.Current.User.Identity.Name 总是按预期包含我的用户名.
Now the System.Web.HttpContext.Current.User.Identity.Name always contains my username as expected.
以下是我用来隔离和解决问题的参考资料:-https://github.com/aspnet/AspNetKatana/issues/324-https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues
Here are references I used to isolate and fix the problem: -https://github.com/aspnet/AspNetKatana/issues/324 -https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues
希望这对您和其他人有所帮助.这绝对是令人抓狂的诊断,但修复很简单!
Hope this helps you and others with this. This was absolutely maddening to diagnose but the fix was simple!
这篇关于通过 Azure AD 身份验证对用户进行身份验证时获取 NULL 身份的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
