[英]Load Balancer “Invalid HTTP request for token endpoint”
我在負載均衡器后面有一個IdentityServer問題,
為了清楚我是否使用直接的ips,evertything按預期工作。
目前我在LB上有一個SSL配置,其中包含一個有效的證書,該證書可重定向到托管在2台Linux機器上的HTTP docker-engines。
我在我的客戶端上使用MVC混合流程:
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
AuthenticationScheme = "oidc",
SignInScheme = "Cookies",
Authority = settings.Server,
RequireHttpsMetadata = "false",
ClientId = "MyMvcClient",
ClientSecret = "MyMvcSuperPassword",
ResponseType = "code id_token",
GetClaimsFromUserInfoEndpoint = true,
SaveTokens = true,
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = JwtClaimTypes.Name,
RoleClaimType = JwtClaimTypes.Role,
},
Events = new OpenIdConnectEvents()
{
OnRemoteFailure = context =>
{
context.Response.Redirect("/error");
context.HandleResponse();
return Task.FromResult(0);
}
},
"Scope": { "openid", "profile", "email", "myclient", "offline_access" }
});
在服務器端,我有以下設置:
public void ConfigureServices(IServiceCollection services)
{
services.AddDbContext<IdentityDbContext>(builder);
services.AddIdentity<ApplicationUser, ApplicationRole>()
.AddEntityFrameworkStores<IdentityDbContext, Guid>()
.AddUserStore<UserStore<ApplicationUser, ApplicationRole, IdentityDbContext, Guid>>()
.AddRoleStore<RoleStore<ApplicationRole, IdentityDbContext, Guid>>()
.AddUserManager<LdapUserManager>()
.AddSignInManager<LdapSignInManager>()
.AddDefaultTokenProviders()
.AddIdentityServerUserClaimsPrincipalFactory();
...
string redisSettings = $"{redisHost}:{redisPort},ssl={redisSsl},abortConnect={redisAbortConnect},password={redisPassword}";
services.AddDataProtection().PersistKeysToRedis(redis, redisKey);
...
// Adds IdentityServer
services.AddIdentityServer()
.AddSigningCredential(new X509Certificate2("IdentityServerAuth.pfx"))
.AddConfigurationStore(builder)
.AddOperationalStore(builder)
.AddAspNetIdentity<ApplicationUser>()
.AddProfileService<IdentityProfileService>();
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IServiceProvider serviceProvider)
{
app.UseIdentity();
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});
// Adds IdentityServer
app.UseIdentityServer();
}
正如我已經提到的,它適用於沒有Load Balancer的配置,但客戶端失敗並顯示錯誤“Message contains error:'invalid_request',error_description:'error_description為null',error_uri:'error_uri為null'。”
在服務器端,我收到信息:IdentityServer4.Hosting.IdentityServerMiddleware [0]調用IdentityServer端點:IdentityServer4.Endpoints.TokenEndpoint for / connect / token warn:IdentityServer4.Endpoints.TokenEndpoint [0]無效的令牌端點的HTTP請求
我已經解決了這個問題。 找到的解決方案是跟蹤Request.HttpContext.Connection.RemoteIpAddress它是無效的,並且等於負載均衡器的IP。 所以解決方案是使用以下方法添加Ip:
options.KnownProxies.Clear();
options.KnownProxies.Add(IPAddress.Parse("LoadBalancer IP"));
app.UseForwardedHeaders(options);
或通過掩碼,例如192.168.1.0/8:
options.KnownNetworks.Clear();
options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("192.168.1.0"), 8));
app.UseForwardedHeaders(options);
在這種情況下,客戶端的IP將傳遞給身份服務器,您將不會收到異常:
Invalid HTTP request for token endpoint
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.