[英]Azure OpenID Connect via OWIN Middleware resulting in Infinite Redirect Loop
I have setup OpenID Connect authentication in my ASP.NET MVC application using OWIN Middleware.我已经使用 OWIN 中间件在我的 ASP.NET MVC 应用程序中设置了 OpenID Connect 身份验证。
As this Fiddler output shows, once successfully logging in via Azure OpenID Connect, the browser continually loops back and forth between my site.azurewebsites.net and login.windows.net.正如此 Fiddler 输出所示,一旦通过 Azure OpenID Connect 成功登录,浏览器就会不断在我的 site.azurewebsites.net 和 login.windows.net 之间来回循环。
I have ensured following keys are correctly matching Azure AD information我已确保以下键正确匹配 Azure AD 信息
<add key="ida:AADInstance" value="https://login.windows.net/{0}" />
<add key="ida:Tenant" value="******.onmicrosoft.com" />
<add key="ida:ClientId" value="*******" />
<add key="ida:PostLogoutRedirectUri" value="*********" />
And my Start.cs code is as follows而我的 Start.cs 代码如下
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
private string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
IAuthorizationService authorizationService = new AuthorizationService();
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
ExpireTimeSpan =TimeSpan.FromMinutes(15)
});
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri}
});
}
}
Not sure what is causing this to constantly redirect.不知道是什么导致这个不断重定向。 I have placed an
[Authorize]
attribute on the MVC Controller where Post Authentication Redirect Url goes.我已经在 MVC 控制器上放置了一个
[Authorize]
属性,其中 Post Authentication Redirect Url 去。
I ran into this issue last night in an ASP.NET Framework 4.5.1 MVC app.我昨晚在 ASP.NET Framework 4.5.1 MVC 应用程序中遇到了这个问题。 There were two issues for me.
对我来说有两个问题。
Trying to access the site using HTTP instead of HTTPS尝试使用 HTTP 而不是 HTTPS 访问站点
Cookie overwriting as described here https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues此处描述的 Cookie 覆盖https://github.com/aspnet/AspNetKatana/wiki/System.Web-response-cookie-integration-issues
I was a "I tried everything but nothing works" dev until I found that fix.我是一个“我尝试了一切,但没有任何效果”的开发人员,直到我找到了解决办法。 Hopefully that works for you too.
希望这也适用于您。
what is happening here is related to what JuneT noticed.这里发生的事情与 JuneT 注意到的有关。 This is related to the default on CookieAuthenticationOptions.CookieSecure == CookieSecureOption.SameAsRequest.
这与 CookieAuthenticationOptions.CookieSecure == CookieSecureOption.SameAsRequest 的默认值有关。 Since you started at http, the final redirect is to http.
因为你是从 http 开始的,所以最后的重定向是到 http。 The request that created the 'authcookie' was https from AAD.
创建“authcookie”的请求是来自 AAD 的 https。
I was able to get this working by setting CookieSecure == CookieSecureOption.Always.我能够通过设置 CookieSecure == CookieSecureOption.Always 来实现这一点。 This means that cookie could leak along with your auth.
这意味着 cookie 可能会与您的身份验证一起泄漏。
Is there must be a way to ensure that pages that auth only will accept connections on https.是否必须有一种方法来确保 auth 页面只接受 https 上的连接。
To resolve this issue: you can upgrade your application to use ASP.NET Core.要解决此问题:您可以升级应用程序以使用 ASP.NET Core。 If you must continually stay on ASP.NET, perform the following: Update your application's Microsoft.Owin.Host.SystemWeb package be at least version.
如果您必须继续使用 ASP.NET,请执行以下操作: 将您的应用程序的 Microsoft.Owin.Host.SystemWeb 包更新为至少版本。 Modify your code to use one of the new cookie manager classes, for example something like the following:
修改您的代码以使用新的 cookie 管理器类之一,例如如下所示:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies",
CookieManager = new Microsoft.Owin.Host.SystemWeb.SystemWebChunkingCookieManager()
});
Fixed this issue by ensuring that request is using https BEFORE redirecting to Azure通过确保请求在重定向到 Azure 之前使用 https 来解决此问题
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = AppConfig.ClientId,
Authority = AppConfig.Authority,
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = context =>
{
if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
{
// ensure https before redirecting to Azure
if (!context.Request.IsSecure)
{
context.Response.Redirect(string.Format("https://{0}{1}", context.Request.Uri.Authority, context.Request.Uri.AbsolutePath));
context.HandleResponse();
return Task.FromResult(0);
}
}
return Task.FromResult(0);
},
AuthenticationFailed = context =>
{
context.HandleResponse();
context.Response.Redirect(AppConfig.RedirectUri + "SignInError?message=" + context.Exception.Message);
return Task.FromResult(0);
},
},
});
I faced the same issue and fixed it by using nuget package kentor.owincookiesaver
.我遇到了同样的问题并使用 nuget 包
kentor.owincookiesaver
修复了它。 Use code as below:-使用代码如下:-
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseKentorOwinCookieSaver();//Workaround for infinite loop between webapp & login page
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignUpPolicyId));
app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(ProfilePolicyId));
app.UseOpenIdConnectAuthentication(CreateOptionsFromPolicy(SignInPolicyId));
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.