尽管在本地主机上工作,但在部署到Azure时,Azure Active Directory始终会重定向到“〜/ .auth / login / done”
[英]Azure Active Directory always redirects to '~/.auth/login/done' when deployed to Azure despite working on localhost
问题描述
So I'm developing an ASP.NET Core app (.NET Core 2.0), hosted as App Service on Azure. 
因此,我正在开发一个ASP.NET Core应用程序(.NET Core 2.0),该应用程序在Azure上作为应用程序服务托管。 I want to implement authentication with Azure AD, using a single tenant (so only account from our company). 我想使用一个租户(因此仅来自我们公司的帐户)实现与Azure AD的身份验证。 I actually added all necessary code, registered the app and configured everything in App Service (at least I think so) and it even works without any problems when I run it locally. 实际上,我添加了所有必要的代码,注册了应用程序,并在App Service中配置了所有内容(至少我认为是这样),并且即使在本地运行它也可以正常工作。 The problem occur when I publish the app to Azure and try to log in there. 当我将应用程序发布到Azure并尝试在那里登录时,会发生问题。 Instead of being redirected to the view of my choice, I am being redirected to '~/.auth/login/done' and I see this: https://imgur.com/a/6OeKUNy 我没有被重定向到我选择的视图,而是被重定向到了“〜/ .auth / login / done”,并且看到了以下内容: https ://imgur.com/a/6OeKUNy
So as I said, I registered the app and added app url and reply urls, they look like this: 因此,正如我所说,我注册了该应用程序并添加了应用程序URL和回复URL,它们看起来像这样:
- [app_name].azurewebsites.net/.auth/login/aad/callback [app_name] .azurewebsites.net / .auth / login / aad / callback
- https://localhost:44359/.auth/login/aad/callback https:// localhost:44359 / .auth / login / aad / callback
I configured the app service itself in Authentication/Authorization section, with advanced settings. 我在“身份验证/授权”部分使用高级设置配置了应用程序服务本身。 Currently the fields Client Secret and Allowed token audiences are empty. 当前,“客户机密”和“允许的令牌受众”字段为空。 I don't want user to be authenticated right after he enters the website, but when he clicks a certain button, so I set "Allow anonymous requests(no action)". 我不希望用户在进入网站后立即获得身份验证,但是当他单击某个按钮时,我设置为“允许匿名请求(不执行任何操作)”。 I added necessary code for it to work: 我添加了必要的代码以使其正常工作:
AccountController: AccountController:
[Authorize]
[Route("[controller]/[action]")]
public class AccountController : Controller
{
private readonly OmsIntegrationContext _context;
private readonly IUserService _userService;
public AccountController(OmsIntegrationContext context, IUserService userservice)
{
_context = context;
_userService = userservice;
}
[HttpGet]
[AllowAnonymous]
public IActionResult LoginAzureAd(string returnUrl)
{
var redirectUrl = Url.Action(nameof(ChangeRequestController.Index), "ChangeRequest");
return Challenge(new AuthenticationProperties { RedirectUri = redirectUrl },
OpenIdConnectDefaults.AuthenticationScheme);
}
[HttpPost]
[ValidateAntiForgeryToken]
public async Task LogoutAzureAd()
{
if (User.Identity.IsAuthenticated)
{
await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
}
}
Startup.cs: Startup.cs:
services.AddAuthentication(x =>
{
x.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
x.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
x.DefaultSignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme;
x.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddOpenIdConnect(options =>
{
var azureAdConfig = Configuration.GetSection("AzureAd");
options.Authority = azureAdConfig.GetValue<string>("Instance") +
azureAdConfig.GetValue<string>("Domain");
options.ClientId = azureAdConfig.GetValue<string>("ClientId");
options.ResponseType = OpenIdConnectResponseType.IdToken;
options.CallbackPath = azureAdConfig.GetValue<string>("Callback");
options.SignedOutRedirectUri = "https://appname.azurewebsites.net/";
options.TokenValidationParameters.NameClaimType = "name";
options.UseTokenLifetime = true;
})
.AddCookie()
.AddSalesforceAuthentications(AuthConfigs);
services.ConfigureApplicationCookie(x =>
{
x.Cookie.Name = ".SalesForce.Cookie"; //This isn't my code. Could this cause problems?
});
Note: Generally salesforce auth is used in this project, Azure AD is supposed to function only for a certain module, for users who don't have SF account. 注意:通常在此项目中使用salesforce auth,对于没有SF帐户的用户,Azure AD应该仅对特定模块起作用。 It's not my idea, but I have to do that this way 这不是我的主意,但我必须这样做
appsettings.json: appsettings.json:
"AzureAd": {
"ClientId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"TenantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"Instance": "https://login.microsoftonline.com/",
"Domain": "XXXXX.onmicrosoft.com",
"Callback": "/.auth/login/aad/callback"
}
What I want to achieve and what I have achieved when running on localhost is that when user enters the web app, he clicks a button, is authenticated with Azure AD using company account and the redirected to ~/ChangeRequest/Index. 我要实现的目标以及在本地主机上运行时要实现的目标是,当用户进入Web应用程序时,他单击一个按钮,并使用公司帐户通过Azure AD进行身份验证,然后重定向到〜/ ChangeRequest / Index。 But I cannot make it work after deploy. 但是部署后我无法使其正常工作。 I found similar issue here: 我在这里发现了类似的问题:
https://forums.asp.net/t/2155544.aspx?AAD+REPLY+URL+issue+signin+oidc+vs+auth+login+aad+callback+Azure+Government+ https://forums.asp.net/t/2155544.aspx?AAD+REPLY+URL+issue+signin+oidc+vs+auth+login+aad+callback+Azure+Government+
but the way this guy solved it is not an option for me. 但是这个人解决问题的方式对我来说不是一个选择。 Any ideas? 有任何想法吗?
1 个解决方案
解决方案1
0 2019-08-13 14:19:03
I managed to fix the issue. 我设法解决了这个问题。 Apparently one cannot configure this auth in App Service and in one's code at the same time. 显然,一个人无法同时在App Service和一个人的代码中配置此身份验证。 All I had to do was to turn off authentication on Azure Portal, in the Authentication/Authorization section of App Service. 我要做的就是在App Service的“身份验证/授权”部分中关闭Azure Portal上的身份验证。 It's my first question on stackoverflow and I don't really know if should delete this question. 这是我关于stackoverflow的第一个问题,我真的不知道是否应该删除此问题。 If so, then please tell me. 如果是这样,请告诉我。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.