net.core/asp.net identity/openid connect中的关联失败
Aug*_*iaz 3 c# azure-active-directory asp.net-core
我在Azure AD用户登录时遇到此错误(之后我能够获得用户的声明),我使用OpenIdConnect的组合,与net.net身份核心的net.core 2.0相结合
处理请求时发生未处理的异常.例外:关联失败.Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler + d__12.MoveNext()
追踪:
例外:关联失败.Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler + d__12.MoveNext()System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)System.Runtime.CompilerServices.TaskAwaiter.GetResult()Microsoft. AspNetCore.Authentication.AuthenticationMiddleware + d__6.MoveNext()System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware + d__7.MoveNext()
这是我的Startup.cs:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using BPT.PC.IdentityServer.Data;
using BPT.PC.IdentityServer.IdentityStore;
using BPT.PC.IdentityServer.Models;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
namespace BPT.PC.IdentityServer.Web
{
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddIdentity<User, Role>()
.AddUserStore<UserStore>()
.AddRoleStore<RoleStore>()
.AddDefaultTokenProviders();
services.AddMemoryCache();
services.AddDistributedMemoryCache();
services.AddDbContext<IdentityServerDb>(options => options.UseSqlServer(Configuration.GetConnectionString("IdentityServerDb")));
services.AddMvc();
services.AddAuthentication(auth =>
{
auth.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
auth.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
auth.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect("AzureAD", opts =>
{
Configuration.GetSection("OpenIdConnect").Bind(opts);
opts.RemoteAuthenticationTimeout = TimeSpan.FromSeconds(120);
opts.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
opts.CorrelationCookie = new Microsoft.AspNetCore.Http.CookieBuilder
{
HttpOnly = false,
SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None,
SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.None,
Expiration = TimeSpan.FromMinutes(10)
};
opts.Events = new OpenIdConnectEvents()
{
OnRedirectToIdentityProvider = OnRedirectToIdentityProvider,
OnRemoteFailure = OnRemoteFailure,
OnAuthorizationCodeReceived = OnAuthorizationCodeReceived
};
//opts.Events = new OpenIdConnectEvents
//{
// OnAuthorizationCodeReceived = ctx =>
// {
// return Task.CompletedTask;
// }
//};
});
//services.ConfigureApplicationCookie(options =>
//{
// // Cookie settings
// options.Cookie.HttpOnly = true;
// options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
// options.SlidingExpiration = true;
//});
}
private Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedContext arg)
{
return Task.FromResult(0);
}
private Task OnRemoteFailure(RemoteFailureContext arg)
{
return Task.FromResult(0);
}
private Task OnRedirectToIdentityProvider(RedirectContext arg)
{
return Task.FromResult(0);
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseBrowserLink();
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
app.UseStaticFiles();
app.UseAuthentication();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Account}/{action=Login}/{id?}");
});
}
}
}
我的appsettings.json:
{
"Logging": {
"IncludeScopes": false,
"LogLevel": {
"Default": "Warning"
}
},
"ConnectionStrings": {
"IdentityServerDb": "Server=localhost;Database=IdentityServer;Trusted_Connection=True;MultipleActiveResultSets=true"
},
"OpenIdConnect": {
"ClientId": "xxxxx",
"Authority": "https://login.microsoftonline.com/xxxxx/",
"PostLogoutRedirectUri": "/Account/SignoutOidc",
"CallbackPath": "/Account/SigninOidc",
"UseTokenLifetime": true,
"RequireHttpsMetadata": false,
//"ResponseType": "code id_token",
"ClientSecret": "xxx",
"Resource": "https://graph.microsoft.com/"
}
}
并实施:
[HttpGet]
public IActionResult CorpLogin()
{
var authProperties = _signInManager
.ConfigureExternalAuthenticationProperties("AzureAD",
Url.Action("SigninOidc", "Account", null, Request.Scheme));
return Challenge(authProperties, "AzureAD");
}
[HttpPost]
public IActionResult SigninOidc([FromForm]object data)
{
//this never runs
return Ok();
}
dbr*_*ing 68
如果您针对本地主机使用 Chrome,您可能会遇到 Chrome cookie 处理行为的变化。
要进行验证,请导航到 chrome://flags/ 并将“没有 SameSite 的 Cookies 必须是安全的”更改为“已禁用”。
如果该更改修复了问题,并且您想永久修复它(即不依赖于 chrome 标志修复),则该 thinktecture 帖子将讨论潜在问题以及旧 iOS Safari 版本所需的一些修复。
tte*_*yco 28
我遇到了一个非常相似的问题,整个线程中发布的答案都不适合我。我将描述我是如何找到解决方案的,以防它可以帮助其他人。
ConfigureServices就我而言,我有一个带有 ASP.NET Core 3.1(从 1.x 迁移)的 Web 应用程序,并使用方法中的以下代码片段实现了身份验证Startup.cs(如此处所述):
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
正如此处所示,抛出的错误具有比该线程中描述的更简单的堆栈跟踪。
最后,问题是cookie 没有被设置为安全的。为此,我只是在services.AddAuthentication上面粘贴的代码之前添加了以下代码片段。
services.Configure<CookiePolicyOptions>(options =>
{
options.Secure = CookieSecurePolicy.Always;
});
此外,我在 中的方法中的app.UseCookiePolicy()调用之前添加了对 的调用。app.UseRouting()Configure()Startup.cs
- 这!这个答案就在这里!我花了几个小时试图解决这个相关性失败的问题,但没有任何效果。但是这个解决方案,以及非常好的和简单的分步指南为我解决了这个问题。谢谢你! (3认同)
Jam*_*mes 10
我在 Chrome 上的 Blazor 中使用 .net Identity 使用 Google 登录时遇到了这个问题。我有一个新的要求,让它在没有 https 的情况下工作,它在 https 上工作得很好。
我在多个答案中阅读了更改为
app.UseCookiePolicy(new CookiePolicyOptions()
{
MinimumSameSitePolicy = SameSiteMode.None
});
我希望我能早点阅读@dbruning 的回答文章。它在其他任何地方都没有提到的文章中提到:Please note: The setting SameSite=None will only work if the cookie is also marked as Secure and requires a HTTPS connection.该方法的智能感知摘要没有提到这一点,我认为它绝对应该......
所以在那之后我只是尝试使用SameSiteMode.Lax它,它再次对我有用。默认 blazor 项目 startup.cs 不需要其他更改
app.UseCookiePolicy(new CookiePolicyOptions()
{
MinimumSameSitePolicy = SameSiteMode.Lax
});
- 这为我解决了这个问题。因为我不会向外界公开我的身份服务器(keycloak),所以我不想白白设置 HTTPS。谢谢@詹姆斯! (2认同)
我终于找到了解决方案,我会在这里发布,以防有人遇到类似的问题.
看起来主要的问题是我的重定向URI与CallBackPath相同:
"CallbackPath":"/ Account/SigninOidc"
var authProperties = _signInManager .ConfigureExternalAuthenticationProperties("AzureAD",Url.Action("SigninOidc","Account",null,Request.Scheme));
好吧,这是我更正的Startup.cs:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using BPT.PC.IdentityServer.Data;
using BPT.PC.IdentityServer.IdentityStore;
using BPT.PC.IdentityServer.Models;
using BPT.PC.IdentityServer.Web.Models;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
namespace BPT.PC.IdentityServer.Web
{
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddIdentity<User, Role>()
.AddUserStore<UserStore>()
.AddRoleStore<RoleStore>()
.AddDefaultTokenProviders();
services.AddMemoryCache();
services.AddDistributedMemoryCache();
services.AddDbContext<IdentityServerDb>
(options => options.UseSqlServer(Configuration.GetConnectionString("IdentityServerDb")));
services
.AddMvc();
services
.AddAuthentication(auth =>
{
auth.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
auth.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
auth.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect("AzureAD", "AzureAD", options =>
{
Configuration.GetSection("AzureAD").Bind(options); ;
options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
options.RemoteAuthenticationTimeout = TimeSpan.FromSeconds(120);
options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.RequireHttpsMetadata = false;
options.SaveTokens = true;
});
services.AddSingleton(Configuration.GetSection("OpenIdConnectProviderConfiguration").Get<OpenIdConnectProviderConfiguration>());
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseBrowserLink();
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
app.UseStaticFiles();
app.UseAuthentication();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Account}/{action=Login}/{id?}");
});
}
}
}
最后的实施:
[HttpGet]
public IActionResult CorpLogin()
{
var authProperties = _signInManager
.ConfigureExternalAuthenticationProperties("AzureAD",
Url.Action("LoggingIn", "Account", null, Request.Scheme));
return Challenge(authProperties, "AzureAD");
}
appsettings.json是一样的.
仅供参考:我遇到了同样的问题,我花了将近 1 天的时间来调查这个问题。最后我发现从我的 startup.cs 中删除以下代码后,一切正常:
CookiePolicyOptions cookiePolicy = new CookiePolicyOptions()
{
Secure = CookieSecurePolicy.Always,
};
我正在与 Microsoft 支持团队跟进此事,如果得到任何回应,我会将其更新回来。
- 那么你收到MS的回复了吗? (6认同)
小智 5
当您尝试访问在 OIDC 设置中指定为“回调路径”的 URL 时,会发生这种情况。
要解决此问题,请将回调路径更改为“MyController/MyAction”之类的内容,它将重定向到您的特定 URL(在您的情况下为“/Account/SigninOidc”)。
| 归档时间: |
|
| 查看次数: |
7363 次 |
| 最近记录: |