AD FS 2.0 Authentication and AJAX


Problem description

I have a web site that is trying to call an MVC controller action on another web site. These sites are both set up as relying party trusts in AD FS 2.0. Everything authenticates and works fine when opening pages in the browser window between the two sites. However, when trying to call a controller action from JavaScript using the jQuery AJAX method it always fails. Here is a code snippet of what I'm trying to do...

$.ajax({
  url: "relyingPartySite/Controller/Action",
  data: { foobar },
  dataType: "json",
  type: "POST",
  async: false,
  cache: false,
  success: function (data) {
    // do something here
  },
  error: function (data, status) {
    alert(status);
  }
});

The issue is that AD FS uses JavaScript to post a hidden HTML form to the relying party. When tracing with Fiddler I can see it get to the AD FS site and return this HTML form, which should post and redirect to the controller action authenticated. The problem is this form is coming back as the result of the AJAX request and is obviously going to fail with a parser error, since the AJAX request expects JSON from the controller action. It seems like this would be a common scenario, so what is the proper way to communicate with AD FS from AJAX and handle this redirection?

Recommended answer

You have two options. More info here (http://adammills.wordpress.com/2013/12/02/making-ajax-play-with-passive-adfs-2-1-and-2-0-reactive-authentication/).

The first is to share a session cookie between an entry application (one that is HTML based) and your API solutions. You configure both applications to use the same WIF cookie. This only works if both applications are on the same root domain. See the above post or this stackoverflow question.

The other option is to disable the passiveRedirect for AJAX requests (as shown in above answer by Gutek). This will return an HTTP status code of 401 which you can handle in JavaScript. When you detect the 401, you load a dummy page (or an "Authenticating" dialog which could double as a login dialog if credentials need to be given again) in an iFrame. When the iFrame has completed you then attempt the call again. This time the session cookie will be present on the call and it should succeed.

//Requires jQuery 1.9+

var webAPIHtmlPage = "http://webapi.somedomain/preauth.html";

// Loads the pre-authentication page in a hidden iframe so the browser can
// complete the AD FS sign-in and pick up the session cookie.
function authenticate() {
  return $.Deferred(function (d) {
    //Potentially could make this into a little popup layer
    //that shows we are authenticating, and allows for re-authentication if needed
    var iFrame = $("<iframe></iframe>");
    iFrame.hide();

    // Register the handler before the frame starts loading.
    // .on("load") replaces the deprecated .load(handler) shorthand.
    iFrame.on("load", function () {
      iFrame.remove();
      d.resolve();
    });

    iFrame.attr("src", webAPIHtmlPage);
    iFrame.appendTo("body");
  });
}

// uri: address of the JSON endpoint to call (it was not defined in the original snippet)
function makeCall(uri) {
  return $.getJSON(uri)
    .then(function (data) {
        return $.Deferred(function (d) { d.resolve(data); });
      },
      function (error) {
        if (error.status == 401) {
          //Authenticating,
          //TODO: should add a check to prevent infinite loop
          return authenticate().then(function () {
            //Making the call again
            return makeCall(uri);
          });
        } else {
          return $.Deferred(function (d) {
            d.reject(error);
          });
        }
      });
}
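The following is an added example, not part of the original answer: a bounded version of the retry loop that fills in the TODO above. It goes beyond the answer's 401 case by also recognising the hidden AD FS sign-in form from the question when it arrives in place of JSON. The names `classifyResponse` and `callWithReauth`, the `{ status, contentType, body }` response shape and the sample form are assumptions made for illustration.

```javascript
// Added example; function names and the { status, contentType, body } shape are assumptions.
// Constructed sample of the auto-posting sign-in form described in the question.
var SAMPLE_ADFS_FORM =
  '<html><body><form method="POST" action="https://rp.example/">' +
  '<input type="hidden" name="wa" value="wsignin1.0" />' +
  '<input type="hidden" name="wresult" value="(token elided)" />' +
  '</form><script>document.forms[0].submit();</script></body></html>';

// Classify a response before anything tries to parse it as JSON.
function classifyResponse(res) {
  var type = (res.contentType || "").toLowerCase();
  var body = res.body || "";
  // passiveRedirect disabled: the relying party answers 401 directly.
  if (res.status === 401) return "needs-auth";
  // passiveRedirect enabled: the sign-in form arrives as HTML with status 200.
  if (res.status === 200 && type.indexOf("text/html") === 0 &&
      /name=["']?wresult["']?/i.test(body)) return "needs-auth";
  if (res.status >= 200 && res.status < 300 &&
      type.indexOf("application/json") === 0) return "ok";
  return "error";
}

// doRequest() resolves to a response object for any HTTP status;
// authenticate() resolves once sign-in has run (for example the iframe step).
// maxAuth caps the number of sign-in attempts, so the retry cannot loop forever.
function callWithReauth(doRequest, authenticate, maxAuth) {
  var authCount = 0;
  function attempt() {
    return doRequest().then(function (res) {
      var kind = classifyResponse(res);
      if (kind === "ok") return JSON.parse(res.body);
      if (kind === "needs-auth" && authCount < maxAuth) {
        authCount += 1;
        return authenticate().then(attempt);
      }
      if (kind === "needs-auth") {
        throw new Error("still unauthenticated after " + authCount + " sign-in attempt(s)");
      }
      throw new Error("unexpected response: HTTP " + res.status);
    });
  }
  return attempt();
}
```

Treating an HTML body as a sign-in signal rather than passing it to a JSON parser keeps the token-bearing form out of application code paths and surfaces a clear error once the attempt cap is reached.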
