Asp.net 4.8 WebForms授权使用Owin OpenId Connect Authentication (app.UseOpenIdConnectAuthentication)

Question

I am encountering an infinite redirect loop between login.microsoftonline.com and my application.我在 login.microsoftonline.com 和我的应用程序之间遇到无限重定向循环。 My project is implementing authentication and authorization in an Asp.net 4.8 web forms project.我的项目是在 Asp.net 4.8 Web 窗体项目中实现身份验证和授权。 I am able to add authentication using the default Owin startup file and then require authentication in the web config file.我可以使用默认的 Owin 启动文件添加身份验证，然后在 Web 配置文件中要求身份验证。 The below works correctly for requiring a user to sign in before being able to access pages/AuthRequired以下内容可以正常工作，要求用户在能够访问pages/AuthRequired之前先登录

StartupAuth.CS StartupAuth.CS

public partial class Startup
    {
        private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
        private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
        private static string authority = ConfigurationManager.AppSettings["ida:Authority"];
        private static string clientSecret = ConfigurationManager.AppSettings["AppRegistrationSecret-Local"];
        public void ConfigureAuth(IAppBuilder app)
        {
            //for debugging
            //IdentityModelEventSource.ShowPII = true;

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = authority,
                    PostLogoutRedirectUri = postLogoutRedirectUri,
                    ClientSecret = clientSecret,
                    RedirectUri = postLogoutRedirectUri,
                    //This allows multitenant
                    //https://github.com/Azure-Samples/guidance-identity-management-for-multitenant-apps/blob/master/docs/03-authentication.md
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidateIssuer = false
                    },

                    Notifications = new OpenIdConnectAuthenticationNotifications()
                    {
                        AuthenticationFailed = (context) =>
                        {
                            return Task.FromResult(0);
                        }
                    }
                }
                );

            // This makes any middleware defined above this line run before the Authorization rule is applied in web.config
            app.UseStageMarker(PipelineStage.Authenticate);
        }
    }

Web.Config网页配置

<configuration>
...
    <system.web>
        <authentication mode="None" />
    </system.web>
    <location path="Pages/AuthRequired">
        <system.web>
            <authorization>
                <deny users="?" />
            </authorization>
        </system.web>
    </location>
    <system.webServer>
        <modules>
            <remove name="FormsAuthentication" />
        </modules>
    </system.webServer>
...
</configuration>

I need to add authorization so that only users with the admin role will be able to access Pages/AuthRequired .我需要添加授权，以便只有具有管理员角色的用户才能访问Pages/AuthRequired 。 I have done that by updating the web config:我通过更新网络配置来做到这一点：

<configuration>
...
    <system.web>
        <authentication mode="None" />
    </system.web>
    <location path="Pages/AuthRequired">
        <system.web>
            <authorization>
                <allow roles="Admin" />
                <deny users="*" />
            </authorization>
        </system.web>
    </location>
    <system.webServer>
        <modules>
            <remove name="FormsAuthentication" />
        </modules>
    </system.webServer>
...
</configuration>

Adding authorization to the authenticated page works correctly if the user has that role, but if a user who doesn't have the role tries to access the page they are redirected back to login.microsoftonline.com and then back to the application in an infinite loop.如果用户具有该角色，则向经过身份验证的页面添加授权可以正常工作，但如果没有该角色的用户尝试访问该页面，他们将被重定向回 login.microsoftonline.com，然后无限期地返回到应用程序环形。

I can see that Owin UseOpenIdConnectAuthentication is returning a 302 response on unauthorized and that is causing the loop.我可以看到 Owin UseOpenIdConnectAuthentication 在未经授权时返回 302 响应，这导致了循环。

How can I change it so that instead of redirecting unauthorized (but authenticated) users to login.microsoftonline.com, that user should be directed to an app page that displays a 401 error?我该如何更改它，而不是将未经授权（但经过身份验证）的用户重定向到 login.microsoftonline.com，而是应将该用户定向到显示 401 错误的应用程序页面？

Answer 1

Please check if below work around helps:请检查以下解决方法是否有帮助：

Its usually possible that if forms authentication is enabled, you will be redirected to the login page when status code is 401.通常情况下，如果启用了forms authentication ，当状态代码为 401 时，您将被重定向到登录页面。

As a workaround try Adding the below to global.asax in the application end request and you can create own unauthorized page if needed and redirect to that.作为一种解决方法，请尝试在应用程序结束请求中将以下内容添加到 global.asax 中，如果需要，您可以创建自己的未经授权的页面并重定向到该页面。

if (this.Response.StatusCode == 302&& this.Response.StatusCode == 401 
        && this.Response.RedirectLocation.ToLower().Contains("login.aspx"))
      {
        this.Response.StatusCode = 401;
         //or Response.Redirect("Unauthorized.aspx");
      }

You can also check this > Redirect unauthorised user to message page in ASP.Net.您还可以检查此 > 将未经授权的用户重定向到 ASP.Net 中的消息页面。 (microsoft.com) （微软网站）

Other references其他参考资料

Answer 2

ASP.NET URL Authorization doesn't appear to interoperate well with OIDC (ie Azure AD). ASP.NET URL 授权似乎无法与 OIDC（即 Azure AD）很好地互操作。

First remove the URL Authorization from your Web.config:首先从您的 Web.config 中删除 URL 授权：

<configuration>
...
    <system.web>
        <authentication mode="None" />
    </system.web>
    <location path="Pages/AuthRequired">
        <system.web>
--            <authorization>
--                <allow roles="Admin" />
--                <deny users="*" />
--            </authorization>
        </system.web>
    </location>
    <system.webServer>
        <modules>
            <remove name="FormsAuthentication" />
        </modules>
    </system.webServer>
...
</configuration>

Optionally make authenticated required for all pages globally:可选地使全局所有页面都需要经过身份验证：

    <system.web>
      <deny users="?" />
    </system.web>

You can override this behaviour with <Allow users="?" />您可以使用<Allow users="?" />覆盖此行为<Allow users="?" /> for specific pages ie logins/logouts/erorr pages/etc. <Allow users="?" />用于特定页面，即登录/注销/错误页面/等。

Second add authorization logic to your AuthRequired.aspx page:其次将授权逻辑添加到您的AuthRequired.aspx页面：

public partial class AuthRequired {
  protected void Page_Load(object sender, EventArgs e)
  {
    Authorization.AuthorizeAuthRequiredPage();
    ...
  }
}

public static class Authorization
{
  public static void AuthorizeAuthRequiredPage()
  {
    if (!Authorized(HttpContext.User))
    {
      Redirect("/Anauthorized.aspx");
    }
  }

  private static bool Authorized(User user) => { ... }
}

Asp.net 4.8 WebForms授权使用Owin OpenId Connect Authentication (app.UseOpenIdConnectAuthentication)

问题描述

2 个解决方案

解决方案1
0 2022-04-24 13:22:35

解决方案2
0 2022-12-16 16:00:21

Asp.net 4.8 WebForms授权使用Owin OpenId Connect Authentication (app.UseOpenIdConnectAuthentication)

问题描述

2 个解决方案

解决方案1 0 2022-04-24 13:22:35

解决方案2 0 2022-12-16 16:00:21

解决方案1
0 2022-04-24 13:22:35

解决方案2
0 2022-12-16 16:00:21