如何在 Azure 上使我的 OpenId Connect 重定向 URI HTTPS?
[英]How do I make my OpenId Connect redirect URI HTTPS on Azure?
问题描述
I have created 2 web apps that are being hosted in Azure.
我创建了 2 个托管在 Azure 中的 Web 应用程序。 One app (A) is an IdentityServer4 provider and the other (B) is an app that uses A as an external login provider via OpenId Connect.一个应用程序 (A) 是 IdentityServer4 提供程序,另一个 (B) 是通过 OpenId Connect 使用 A 作为外部登录提供程序的应用程序。 In the code for A, I configured IdentityServer4 to require a specific redirect URI for B's sign-in calls:在 A 的代码中,我将 IdentityServer4 配置为要求 B 的登录调用使用特定的重定向 URI:
namespace A.IdentityServer4Config
{
public static class Clients
{
public static IEnumerable<Client> GetClients(IConfiguration configuration)
{
return new List<Client>
{
new Client
{
ClientId = "B",
ClientSecrets = {new Secret("hashed secret for B")},
AllowedGrantTypes = GrantTypes.CodeAndClientCredentials,
AllowedScopes = {"openid", "profile", ...},
RedirectUris = {"https://B.azurewebsites.net/Account/oidc-callback"},
RequireConsent = false,
AccessTokenLifetime = 10 * 60,
},
};
}
}
}
Within Startup.ConfigureServices:在 Startup.ConfigureServices 中:
var identityServerBuilder = services
.AddIdentityServer(options => {...})
...
.AddInMemoryClients(Clients.GetClients(configuration))
...;
Notice that the redirect URI I specified is an HTTPS URI.请注意,我指定的重定向 URI 是 HTTPS URI。
In the code for B, I used one of the AddOpenIdConnect() overloads in Microsoft.Extensions.DependencyInjection.OpenIdConnectExtensions to configure how the sign-in call should proceed:在 B 的代码中,我使用了 Microsoft.Extensions.DependencyInjection.OpenIdConnectExtensions 中的 AddOpenIdConnect() 重载之一来配置登录调用应如何进行:
services.AddAuthentication(options => {...})
...
.AddOpenIdConnect(
"oidc",
options =>
{
...
options.Authority = "https://A.azurewebsites.net";
options.RequireHttpsMetadata = true;
options.ClientId = "B";
options.ClientSecret = "secret for B";
options.ResponseType = "code";
options.CallbackPath = "/Account/oidc-callback"; // !!!
options.SaveTokens = true;
options.GetClaimsFromUserInfoEndpoint = true;
...
}
);
The line commented with "!!!"该行注释为“!!!” is where the redirect URI for the sign-in request is configured.是配置登录请求的重定向 URI 的位置。 Notice that it is required to be a path relative to the application's domain.请注意,它必须是相对于应用程序域的路径。 You cannot specify the URI in full (I tried; if you do this, then the application crashes when it starts up).您无法指定完整的 URI(我尝试过;如果您这样做,则应用程序在启动时会崩溃)。 Since you cannot specify the URI in full, this property cannot be used to require that the redirect URI be HTTPS.由于您无法完整指定 URI,因此不能使用此属性来要求重定向 URI 为 HTTPS。 (RemoteAuthenticationOptions.CallbackPath is a Microsoft.AspNetCore.Http.PathString. It is described in official documentation as follows: "The request path within the application's base path where the user-agent will be returned. The middleware will process this request when it arrives.") (RemoteAuthenticationOptions.CallbackPath 是一个 Microsoft.AspNetCore.Http.PathString。官方文档中对它的描述如下:“应用程序基路径中的请求路径,用户代理将在该路径中返回。中间件将在此请求到达时对其进行处理.”)
When I try to log in at B, I am taken to an error page on A. When I look at the logs generated by IdentityServer4 on A, it is clear that the reason for the error is that the redirect URI requested by B does not match the expected one.当我尝试在B上登录时,我被带到了A上的错误页面。当我查看A上IdentityServer4生成的日志时,很明显错误的原因是B请求的重定向URI没有符合预期。 The only difference between the two URIs is that the one A is expecting to see is an HTTPS URI and the one B is specifying is an HTTP (no "S") URI:这两个 URI 之间的唯一区别是 A 期望看到的是 HTTPS URI,而 B 指定的是 HTTP(无“S”)URI:
2018-08-16 15:20:41.307 +00:00 [Error] IdentityServer4.Endpoints.AuthorizeEndpoint: Request validation failed
2018-08-16 15:20:41.307 +00:00 [Information] IdentityServer4.Endpoints.AuthorizeEndpoint: {
"ClientId": "B",
"AllowedRedirectUris": [
"https://B.azurewebsites.net/Account/oidc-callback"
],
"SubjectId": "anonymous",
"RequestedScopes": "",
"Raw": {
"client_id": "B",
"redirect_uri": "http://B.azurewebsites.net/Account/oidc-callback",
"response_type": "code",
"scope": "openid profile ...",
"response_mode": "form_post",
"nonce": "[omitted]",
"state": "[omitted]",
"x-client-SKU": "ID_NETSTANDARD1_4",
"x-client-ver": "5.2.0.0"
}
}
2018-08-16 15:20:41.307 +00:00 [Information] IdentityServer4.Events.DefaultEventService: {
"Name": "Token Issued Failure",
"Category": "Token",
"EventType": "Failure",
"Id": 2001,
"ClientId": "B",
"Endpoint": "Authorize",
"Scopes": "",
"Error": "unauthorized_client",
"ErrorDescription": "Invalid redirect_uri",
"ActivityId": "[omitted]",
"TimeStamp": "2018-08-16T15:20:41Z",
"ProcessId": 10408,
"LocalIpAddress": "[omitted]",
"RemoteIpAddress": "[omitted]"
}
I do not know why B's request to A defaults to HTTP for the redirect URI.我不知道为什么 B 对 A 的请求默认为 HTTP 重定向 URI。 I do not know how to make it HTTPS instead.我不知道如何改为使用 HTTPS。 I could relax the requirement that the redirect URI be HTTPS, but this seems like the wrong thing to do.我可以放宽重定向 URI 为 HTTPS 的要求,但这似乎是错误的做法。 I would like to know how to get B to specify an HTTPS URI in its request to A. From the description of RemoteAuthenticationOptions.CallbackPath in the documentation, I would suppose that this should be achieved by making sure "the application's base path" is HTTPS;我想知道如何让 B 在其对 A 的请求中指定一个 HTTPS URI。根据文档中 RemoteAuthenticationOptions.CallbackPath 的描述,我认为这应该通过确保“应用程序的基本路径”是 HTTPS 来实现; however, I have no idea how to do this and have had no success searching the internet.但是,我不知道该怎么做,并且在互联网上搜索也没有成功。
When I run these applications locally, everything works correctly, because when B is running locally, the requests it makes specify an HTTPS redirect URI (as I wish them to).当我在本地运行这些应用程序时,一切正常,因为当 B 在本地运行时,它发出的请求指定了一个 HTTPS 重定向 URI(正如我希望的那样)。 I do not know why it behaves differently when running locally and when running on Azure.我不知道为什么它在本地运行和在 Azure 上运行时表现不同。
What I have tried我试过的
As mentioned above, I tried specifying the redirect URI fully (instead of in relative terms).如上所述,我尝试完全指定重定向 URI(而不是相对而言)。 This did not work - it causes the application to crash when it starts up.这不起作用 - 它会导致应用程序在启动时崩溃。
I also tried setting the CallbackPath type to a PathString constructed using PathString.FromUriComponent() (using a variety of absolute URIs).我还尝试将 CallbackPath 类型设置为使用 PathString.FromUriComponent()(使用各种绝对 URI)构造的 PathString。 This did not work.这没有用。 The protocol and domain parts of the URI were discarded and replaced with what they would have been (ie "http" and the appropriate domain) if I had passed a relative URI as a string.如果我将相对 URI 作为字符串传递,URI 的协议和域部分将被丢弃并替换为它们本来的内容(即“http”和适当的域)。
I looked through the Startup classes in the various example MVC clients found at https://github.com/IdentityServer/IdentityServer4.Samples .我查看了https://github.com/IdentityServer/IdentityServer4.Samples 上的各种示例 MVC 客户端中的 Startup 类。 I did not see anything that was obviously a solution to this problem.我没有看到任何明显可以解决这个问题的东西。
1 个解决方案
解决方案1
2 已采纳 2018-08-16 16:38:44
It turns out that on Azure, whether the redirect URI generated is HTTP or HTTPS is determined by the "HTTPS Only" setting in the SSL configuration "blade".事实证明,在 Azure 上,生成的重定向 URI 是 HTTP 还是 HTTPS 是由 SSL 配置“刀片”中的“仅 HTTPS”设置决定的。
In the Azure web portal, select the app service (B).在 Azure Web 门户中,选择应用服务 (B)。 Under "Settings", select "SSL settings".在“设置”下,选择“SSL 设置”。 The SSL configuration "blade" opens. SSL 配置“刀片”打开。 The first option that appears is "HTTPS Only".出现的第一个选项是“仅 HTTPS”。 It defaults to "off".它默认为“关闭”。 Change it to "on".将其更改为“开”。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.