CORB OpenID Connect /连接/授权端点(Identity Server 4)
[英]CORB OpenID Connect /connect/authorize endpoint (Identity Server 4)
问题描述
I'm currently running into a strange issue. 
我目前遇到一个奇怪的问题。 We're hosting an ASP.CORE 2.1 application that uses an Identity Server 4 as it's federated gateway. 我们正在托管一个ASP.CORE 2.1应用程序,该应用程序使用Identity Server 4作为其联合网关。
At first navigation to the site using Chrome it's empty - leaving only a small hint in the console that CORB has blocked something. 第一次使用Chrome浏览到该网站时,它是空的-在控制台中只留下一个小提示,即CORB已阻止某些内容。
Looking into fiddler it seems that it's blocking the "hidden" form that posts back to the applications /signin-oidc middleware. 调查小提琴手,似乎它阻止了发回应用程序/ signin-oidc中间件的“隐藏”表单。
But the strange thing is upon a refresh it all works and CORB is no longer an issue. 但是,奇怪的是,一切都刷新了,CORB不再是问题。 Looking at the corresponding "good" response in fiddler the same headers are identical. 查看提琴手中相应的“良好”响应,相同的标头是相同的。
I can verify that the form_post from Identity Server isn't reaching the application in fiddler, debugging the OpenID events and each request and I get nada. 我可以验证来自Identity Server的form_post没有到达提琴手中的应用程序,调试OpenID事件和每个请求,然后得到nada。
app.Use(async (context, next) =>
{
if (!context.User.Identity.IsAuthenticated)
{
// look to see if bearer is present instead of cookies
string auth = context.Request.Headers["Authorization"];
if (string.IsNullOrEmpty(auth) || !auth.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
// request needs to be authenticated
await context.ChallengeAsync();
}
else
{
await next();
}
}
else
{
// all is good, continue
await next();
}
});
Why is CORB blocking the initial request? 为什么CORB阻止了初始请求? Can it be a behavior in browser navigation versus refresh? 这可能是浏览器导航还是刷新行为?
Here's the client configuration with the events I'm debugging: 这是客户端配置,其中包含我正在调试的事件:
services.AddAuthentication(opts =>
{
opts.DefaultChallengeScheme = "oidce";
opts.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(opts =>
{
opts.SessionStore = new MemoryCacheTicketRepository();
opts.ExpireTimeSpan = TimeSpan.FromHours(2);
})
.AddIdentityServerAuthentication("Bearer", opts =>
{
...
})
.AddOpenIdConnect("oidce", opts =>
{
...
opts.Events = new Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents()
{
OnAuthenticationFailed = async p =>
{
var test = p;
},
OnAuthorizationCodeReceived = async p =>
{
var test = p;
},
OnMessageReceived = async p =>
{
var test = p;
},
OnRemoteFailure = async p =>
{
var test = p;
},
OnTicketReceived = async p =>
{
var test = p;
},
OnTokenResponseReceived = async p =>
{
var test = p;
},
OnTokenValidated = async p =>
{
var test = p;
}
};
});
Since there's no difference in the headers present on a good or a bad response I'm guessing 'Access-Control-Allow-Headers' with 'Content-Type' isn't the issue. 由于响应的好坏之间的标头没有区别,我猜这不是'Content-Type' 'Access-Control-Allow-Headers' 。 What could it be? 会是什么呢?
1 个解决方案
解决方案1
0 2019-01-25 10:29:17
Following Vidmantas Blazevicius comments I tried adding CSPS headers and it actually worked. 按照Vidmantas Blazevicius的评论,我尝试添加CSPS标头,并且它确实有效。
Small gotcha, at first I applied the headers in the ASP CORE application which serves the SPA. 小问题,首先,我在为SPA服务的ASP CORE应用程序中应用了标头。
app.Use(async (context, next) =>
{
context.Response.Headers.Add("Content-Security-Policy",
"default-src 'self' https://localhost:5000; script-src 'unsafe-eval'; script-src-elem 'unsafe-inline';");
if (!context.User.Identity.IsAuthenticated)
{
// look to see if bearer is present instead of cookies
string auth = context.Request.Headers["Authorization"];
if (string.IsNullOrEmpty(auth) || !auth.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
{
// request needs to be authenticated
await context.ChallengeAsync();
}
else
{
await next();
}
}
else
{
// all is good, continue
await next();
}
});
That didn't really seem to do the trick so I tried adding it to index.html that the app was serving. 这似乎并没有解决问题,所以我尝试将其添加到该应用程序正在服务的index.html中。
<meta http-equiv="Content-Security-Policy" content="default-src 'self' https://localhost:5000; script-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;">
And so far it seems like it actually works. 到目前为止,它似乎确实有效。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.