I have the following AuthorizationRequirement and AuthorizationHandler that is registered with DI and is working just fine. However, when an action with [Authorize(Policy = "ConfirmedEmail")] is called within an iframe (same origin), context.User.Identity.Name is always NULL and therefore so is user. Does anyone have any idea why this is, and more importantly how to fix it?
When the exact same action is called directly (outside an iframe), context.User.Identity.Name is correct and the user lookup succeeds.
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Identity;

    // Marker requirement referenced by the "ConfirmedEmail" policy.
    public class ConfirmedEmailRequirement : IAuthorizationRequirement { }

    public class ConfirmedEmailHandler : AuthorizationHandler<ConfirmedEmailRequirement>
    {
        private readonly UserManager<User> _userManager;

        public ConfirmedEmailHandler(UserManager<User> userManager)
        {
            _userManager = userManager;
        }

        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, ConfirmedEmailRequirement requirement)
        {
            // Returns null when the request carries no authenticated principal.
            var user = await _userManager.GetUserAsync(context.User);
            if (user?.EmailConfirmed == true)
            {
                context.Succeed(requirement);
            }
            else
            {
                context.Fail();
            }
        }
    }
UPDATE: I have noticed that although both the iframe and non-iframe requests have the same session cookie, the non-iframe request includes a Core.Identity.Application cookie and the iframe request does not. I don't know the significance of this or what is causing it.
I finally managed to get identity to work within an iframe using the following:
    services.ConfigureApplicationCookie(options => {
        options.Cookie.Name = "MyAuthCookie";
        options.Cookie.SameSite = SameSiteMode.None; //<THIS!!!
    });
Hope this saves someone a lot of head scratching some day.
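An added example, not the poster's code: the same cookie setting paired with the attributes and framing restriction that usually accompany SameSite=None. It assumes the site is served over HTTPS; the class and method names (FramedAuthCookieSetup, ConfigureFramedAuthCookie, UseSameOriginFraming) are hypothetical.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper class, written for this example.
public static class FramedAuthCookieSetup
{
    // Call from ConfigureServices after Identity has been registered.
    public static IServiceCollection ConfigureFramedAuthCookie(this IServiceCollection services)
    {
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.Name = "MyAuthCookie";

            // None lets the browser attach the cookie to framed requests,
            // but it also attaches it to every cross-site request, so
            // state-changing actions must validate antiforgery tokens.
            options.Cookie.SameSite = SameSiteMode.None;

            // Current browsers reject SameSite=None cookies that are not
            // marked Secure, so the cookie must only be issued over HTTPS.
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;

            // Keep the authentication cookie out of reach of page script.
            options.Cookie.HttpOnly = true;
        });
        return services;
    }

    // Call from Configure before the endpoints that render framed pages.
    public static IApplicationBuilder UseSameOriginFraming(this IApplicationBuilder app)
    {
        return app.Use(async (context, next) =>
        {
            // The question frames the action from the same origin, so only
            // that origin is allowed to embed responses. This limits
            // clickjacking now that the cookie travels into frames.
            context.Response.Headers["Content-Security-Policy"] = "frame-ancestors 'self'";
            await next();
        });
    }
}
```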