I am using OWIN authentication with OpenID Connect to authenticate against an Azure AD endpoint. My application normally runs inside a WinForms web browser control and I have had no problems there. However, when authenticating with a modern web browser, I get a "nonce" exception in the middleware's Next.Invoke(context) during the response redirect from Azure Active Directory.
I have attached the Fiddler response headers for both the control and the web browser. They are different, but I would like to understand why.
Which differences between the web browser control and the web browser could cause this? Is there a solution or workaround?
With the web browser control using IE 11 this succeeds, but it fails in IE 11, Edge, Chrome and Firefox.
Note: the JWT contains the nonce token in both cases; it is not read in the middleware.
I am using:
Microsoft.Owin.Security.OpenIdConnect, Version=4.0.1.0
Microsoft.IdentityModel.Protocols.OpenIdConnect, Version=5.3.0.0
using System;
using System.Threading.Tasks;
using Microsoft.Owin;

public class MyMiddleWare : OwinMiddleware
{
    // OwinMiddleware needs the next middleware passed to its base constructor
    public MyMiddleWare(OwinMiddleware next) : base(next) { }

    public override async Task Invoke(IOwinContext context)
    {
        try
        {
            // The nonce exception below is thrown from inside this call
            await Next.Invoke(context);
            ...
Error
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException
HResult=0x80131500
Message=IDX21323: RequireNonce is '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.
Source=Microsoft.IdentityModel.Protocols.OpenIdConnect
StackTrace:
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateNonce(OpenIdConnectProtocolValidationContext validationContext)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateAuthenticationResponse(OpenIdConnectProtocolValidationContext validationContext)
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<AuthenticateCoreAsync>d__9.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<AuthenticateCoreAsync>d__9.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<InvokeReplyPathAsync>d__16.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContextStage.<RunApp>d__7.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
at ....<Invoke>d__5.MoveNext() in ...:line 29
Success
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
x-ms-request-id: ffdb4ab7-a6b4-457e-b663-448727569900
x-ms-ests-server: 2.1.9524.8 - CHI ProdSlices
x-ms-clitelem: 1,0,0,228204.2529,
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: ESTSAUTHPERSISTENT=AQABAAQAACQN9QBRU3jT6bcBQLZNUj7jTNFH8tmqm9RCwduQg-S-Hg1JD5RJF6fmJ52lpVgyxkqYMpRP9IAURkUcO6yYTTJurmwF93DSyIr0GyvQmFO8ecuJra5gpBZcknhXnjHgMGZdW-IJg-maq9XPatsYpm_0vV7APXW89dnDq_rqOqXEIHYKBAUjAykyVlnq-2g0fN6UJhQbW0HcK78Fnu4ImfYqRWX7MmxILF3SXC9Ocmlphf22ThKPsZVJ2ZW7M7TaF7sBA94NokK75BWpOsYOeeBOX4VdJaJ3KQ2Qzx39cLNurZdlokZcv2QHhxif3FTBsFBlTRBeuHu2CZ5dRlG4n1DBRjCU4cgfXXkejKsQANLKGN3CFbZDPPlCfoZ3JVwrtWMCBUQRAnKI2k-CBgzY893M3dHHGdikMb6NfrlhIHxj7RUeVyeZNt655OYKz80SgEbsqOnXrEhs5uLipuotCCo0KlBD9c32N3wcEjtRcWccg5lhU9zj8j_BEmc0eDx-wWsayXyeFquHBUhtbi8nsaBzDyDwnr1m9JRfItjIy7CwmxmOkgdd0fs0I--Ge1qpFNq4dtcvN59iai9eBSPa6rU_iNFOwXcBvzickxhT5P9FQWEFtiXJqu2yCfiyr29nk_3lnERJmPKvH7w9mNhNOZhY1gftaYKRa41RVCaFvDZxJHYjHP5-Zt8kD9POHc6Q1DKF9auL2C6tH60UHPXyeaNb1WpVq_cni_RJ4b7IvsTni9fDhFWvBSgOdoIdfrXj6oO6KhkBX-IjIJ21NirfXGxLLYo_xU9d7vQsin9pfrWdipoXvwtPgANqysVw443-HwUvLhPTuXxGsDdv0HzrvtxzVidvY_ihN45KXR4LsYQDMRNvPlCGYVJDxc3OQfV1LEgACAAQAAQAgAA; domain=.login.microsoftonline.com; expires=Sun, 12-Jan-2020 17:29:09 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTH=AQABAAQAACQN9QBRU3jT6bcBQLZNUj7RkRJgm8PalY-u9YYf_I67Wxc1rqqmcQjzhap-HvzYPcg57SXUcZdCfoXzfJrakxvqnrb2ZNo9C-ZHRotgvjLc2dW6cgdeWzR3HosW2wnq46QMLuM5_9PgkVqu618TY1YjbrGHJt-DrkqYBllosEsRgIn7vtJbIDUcbIX_lY1v3x_eZDvxDC54mXpu4ahOFb2PpcMWOhQc2FvpjlBYy7n6SAAIABAACAAAAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTHLIGHT=+53636a21-7ae1-44a-91b6-42bcae6e95b8; path=/; secure; SameSite=None
Set-Cookie: ch=so8u3S2kSqpfBZhYUj-R6A5pGKKa5C_O1x0BvcrUeo; domain=.login.microsoftonline.com; expires=Sun, 12-Jan-2020 17:29:09 GMT; path=/; secure; SameSite=None
Set-Cookie: ESTSSC=00; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: buid=AQABAAEAAACQNQBRU3jT6bcBQLZNUj7enEyqLfYUuELonMRUstbWJj7fo8pTcQpro4Nep0rWS5DEHS7CAeNTSacaPYMXV8117FRdTSbvvMTasm4xDvW754ejP38JWtrZYkzEgOR8GyYsywDES4s7Fh9p1Fy_m5ImVzc9weUEiDlc1yhXxSkDbDmnlv9-SjJUJmiespfBsaXtzQSrEQaPEpBT5PbY5J_oAFgzbSA0gmlO9yOWOVGOR7IsIm8L4HvgJl25zOJWRBDSHYe8uTsCyfclx9oW_iZeQ3qtgczWXpg4OSIJqB3NiAA; expires=Wed, 13-Nov-2019 17:29:09 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: SignInStateCookie=CAQABAAIAACQN9QBRU3jT6bcBQLZNUj7MpWzBN_CNnDvk5B7KLIuFNmpFhsjxyNrRZ7uaQBysuOYD52BW1DC2Rp5zZbk3RPFsZu0QKJeaCDiXBBgy7YMVKIquSviPZZfMIw1HPfm0s6Sf0lMfdgA0muXF6YFxneaZCsDq53lm6qYIlzUNhv39buD6xuCgtFl6d1OC84T65eGPSPPPBTJGO4un5QCVByDM0wbwYtXXr68c08cbT2U_ucgQ4tffRT-OUxKKlvz6nR3NcwD-Irn2Kn3Ay6_IBf7IAA; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: fpc=Ajcv9X5TAupIu9O6f-Jaazeh6BYDAQAAAJmjNtUOAAAAVCafUwEAACZpjbVDgAAAMDn2V0DAAAA46Y21Q4AAAA; expires=Wed, 13-Nov-2019 17:29:09 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: esctx=AQABAAAAAACQNQBRU3jT6bcBQLZNUj7rM2IjQVNxnrEqNXHtt2eNwsyLtgxftnSP3A1fpoRokG5weF27jPP4N4DTNZQI9-zxNnJXVD6jVR_FASWy6wvo-jYy0ddLCsC6upC3Y6n_YZSdCFixngM6Mnv3h4wAsPDbf6pzuUl7b0U8OoVe0zThFTTuQgprrs3XjHm9zEzlfAgAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: x-ms-gateway-slice=prod; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
Date: Mon, 14 Oct 2019 17:29:09 GMT
Content-Length: 2650
Failure
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
x-ms-request-id: d8d44ea8-f12b-4f77-a25e-c1802adc7300
x-ms-ests-server: 2.1.9524.8 - CHI ProdSlices
x-ms-clitelem: 1,0,0,,
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: AADSSO=; expires=Sun, 13-Oct-2019 17:30:47 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTHPERSISTENT=AQABAAQAAACN9QBRU3jT6bcBQLZNUj7Ng4kTNHEzlSGq4cyWxjUgjdQKPLQpDmPkulhBzsOCuvbmS0f1XHOHjqpDjRbTlT6r7VIjA0Gmsd6jlC2vcXMeifp2g1l5iUmaRS7sRA7XYoM1lRB6BB8sR1iNU8lL5G8Pff1qnDDe0O6Y5DE3yl_V02Cl_g_fifjTWGqG32JCUoXwknLW7gJi2k6GwVEq50rLqOYcSWpC72Q4bvtV1MY7CINWCUtpfse-gGcFYHmA67eGB8a4xwzvZnVfXdBHDvGuuqtDeXp1cprMCHYX9w3PAH1Ll7wVjZj4sUm0YWzm7G0gl9ngSqObM_vigH_KiXPsVoezhlBN_Xx0pkUpgbcTg2jCZ65xmSMkG_pegf28Zbyhpde-nqLB3_apx4_CJKr4BnJfklyRWvfZay5rtPJ70fpvP0KefPCyyE-liJxa47S6omJGr3IYZsmqlXQCGnYxgV7R2JFhdatTqiMuoKaTZGi_biglipMOKq0CIwBAOhQTlnAvO3TQInL2pKu96qbGo8f4wC6qzKnkGyPRenl66HZtZ1AAtkopLm-3AazYwYe_0Ex661018bmRQ439uy1p8otKT3ZnLaF2tjbAS5oXqCixevywawSsL-PhF69GYUgACAAQABQAQAA; domain=.login.microsoftonline.com; expires=Sun, 12-Jan-2020 17:30:47 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTH=AQABAAQAAACQN9QBRUjT6bcBQLZNUj7OegOzQKPWPto8WclZJmDLwYNjiEsn4OirFaDPw1GEKee53a1iFcD3LuFzjBN3PXqHmju5Wsfusj3mNowv15IWyv5qVIsSxHYlA1ESmxtT-fZsiTpW7anVdEl43kycsgEDFYjROEA_OzMt5ZdnFIH1rv5h0v4SQCrPBrofk4YRZ8PnxC-L_hvgA3jr5-YVA13aRcZdzXqAj3idML1MuwlBmXpALitYwCHaMosawMXp3mvbGSS8ly0SuW5509E9MY3Vlk1ySPPgId3z0dfK6q0hq9rdUsr7d7AZyGkmDoxGT-zjNqbBGKw9SqN0q77NYpAZZuyqnJHgxcYAilPCBi208PZ6QKuwKKGHey3J3XwtRVaJ_uBU0Ksx3uZHYWWk2plqP3Agv2EJlwqhCkoWmNMGsN84GoijysmiWizFOWaeQHcnEnBDzm9dON2eqrdTdWFUZNc7SIoLp4vhTGS7hHhSDVatAiIZX_46bVFkxGAXty6ZEOLnth2q8zQ4SbSBuccv1l2oFLKmqli2hnE5CHUuAcXazhhXSCasCFRZRrAkscqIi7mcZ2YRMiEaYZn6H092LPji0leYDNCCasKLQ-Xt1N-oJ1_aVETetoAE5_KmSoi9RV3v4rWtXOAAGvEUcfdFCAof0yRocLmjatN4HV2aa6NnDTs8hPdO61u_WsJkBjuDh8nM5B4JljqxwC4WeoQdL5G6Mq10qI6FYKqVsVwkJEyKWU01v7n_xqBFUwDoDogACAAQACwAQAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTHLIGHT=+d098c80-efb8-4b0f-9ef3-eb50f58728f9; path=/; secure; SameSite=None
Set-Cookie: ch=M9_iBKa5h4GB9fhFhfjvoUmR0yjMYMpfKah1_rdomE; domain=.login.microsoftonline.com; expires=Sun, 12-Jan-2020 17:30:47 GMT; path=/; secure; SameSite=None
Set-Cookie: ESTSSC=00; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: buid=AQABAAEAAAQN9QBRU3jT6bcBQLZNUj74Z7ZEQzlF4uGSSwnUP9-Ja0eqL75M-YOBzwUWC_4Lu7A6LaJn0TBLvvMwdpkJbFLAIIGzUo8eMCLp0vXHNvrALsBRbAa1gwh7KB-M9BN-gD6nJjpKUk3tHqvFtg7c0vK6eNo4qY7r1dwIg__VOiz6aD_AN1FvNYDh-wONdgBOfLnEllftJJEZnXSwpJ6YuNGFVDZ3d4vCjAhR5Ph7IueNj783JtQEdNXVBERuIk7h6mwRqPy3lzkMhuZvtaG2359Jk93zIGAUVNb56ibCASbsCAA; expires=Wed, 13-Nov-2019 17:30:47 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: SignInStateCookie=CAQABAAIAAACQN9QBRU3jT6bcBQLZNUj7g4TAdyzUlSo2ftZ1xNmrElg_4b6mDzvn_1n-8TExkhRaPr1e8skwnPVUggSoNHxL6SQsKWCa5j_E67GlrtdtB1qlEEKpPr-fgpGAjXSYt7lC6Qxms29L-q7kBEoD--ldp0MNTtuSbqyMqSWdzrfeMskcJx-D_GwYFVT46CGOtw4ScySBxVBWJ8JGuQJcAT6i1tuHzZO2TlOLliw_H7dOuYeiKGq2CbwTcMKFPydTuBSbTlfmRdIjQ3gBHmxTQ9qIAA; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: fpc=Au_FFTZRMRlAl59trPoUI0iyECHoAgAAHynNtUOAAAAwOfZXQIAAACHpzbVDgAAAA; expires=Wed, 13-Nov-2019 17:30:47 GMT; path=/; secure; HttpOnly; SameSite=None
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: x-ms-gateway-slice=prod; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
Date: Mon, 14 Oct 2019 17:30:46 GMT
Content-Length: 2522
Best answer
The ASP.NET OpenID Connect (OIDC) middleware uses a nonce cookie to protect against replay attacks. As the error states, when the application does not see the nonce cookie in the authenticated request, it throws the above exception. Cookies are bound to a domain, so once they are set for a particular domain, all subsequent requests to that domain will include them as long as they are still valid.
So make sure that the web browser control and the web browser authenticate against the same domain.
The solution here is to redirect the request back to the same domain it came from after authentication. To control where Azure AD sends the authenticated request back to the application, set the OpenIdConnectAuthenticationOptions.RedirectUri property in the ConfigureAuth method below.
using Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;

// clientId, authority and postLogoutRedirectUri are fields populated elsewhere (e.g. from config)
public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            PostLogoutRedirectUri = postLogoutRedirectUri,
            // Must be the same scheme/host/port the user started sign-in from,
            // so the nonce cookie written at sign-in start is sent back with the response
            RedirectUri = "https://www.contonso.com"
        });
    // Reveals the values hidden as "[PII is hidden]" in IDX messages while debugging;
    // it writes PII into logs, so keep it off outside of troubleshooting
    Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
}
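As an added illustration (not code from the question, the answer, or the OWIN project), here is a small Python model of the nonce check the answer describes: the nonce cookie is scoped to the host that started sign-in, so when RedirectUri points at a different host the callback sees no nonce cookie and fails the way the error above reports, while a matching host succeeds and a second presentation of the same id_token is rejected. The cookie-naming scheme, the host names and the JSON stand-in for the id_token are assumptions.

```python
# Added illustration, not code from the original post or the OWIN project: a model of
# the OIDC nonce check and of why the nonce cookie goes missing on a cross-host redirect.
import hashlib, json, secrets

class NonceError(Exception):
    """Stands in for OpenIdConnectProtocolInvalidNonceException (IDX21323)."""

class Browser:
    """Cookie jar keyed by host: cookies set for one host are never sent to another."""
    def __init__(self):
        self.jar = {}
    def set_cookie(self, host, name, value):
        self.jar.setdefault(host, {})[name] = value
    def cookies_for(self, host):
        return self.jar.setdefault(host, {})

def nonce_cookie_name(nonce):
    # Hypothetical naming scheme; the real middleware also derives the name from the nonce.
    return "OpenIdConnect.nonce." + hashlib.sha256(nonce.encode()).hexdigest()[:16]

def start_signin(browser, request_host, redirect_uri):
    """Middleware: mint a nonce, pin it in a cookie on the host that started sign-in, send it to the IdP."""
    nonce = secrets.token_urlsafe(16)
    browser.set_cookie(request_host, nonce_cookie_name(nonce), nonce)
    return {"nonce": nonce, "redirect_uri": redirect_uri, "response_type": "id_token"}

def idp_issue_id_token(auth_request, subject="user-1"):
    """Constructed stand-in for Azure AD: echoes the nonce into the id_token payload (no JWT signing)."""
    return json.dumps({"sub": subject, "nonce": auth_request["nonce"]})

def handle_callback(browser, callback_host, id_token):
    """Middleware on the redirect host: the token's nonce must match a cookie sent to THIS host."""
    claims = json.loads(id_token)
    cookies = browser.cookies_for(callback_host)
    name = nonce_cookie_name(claims["nonce"])
    if cookies.get(name) != claims["nonce"]:
        raise NonceError("IDX21323: OpenIdConnectProtocolValidationContext.Nonce was null")
    del cookies[name]  # single use: presenting the same id_token again is rejected
    return claims["sub"]

def signin_outcome(start_host, redirect_host):
    """One login through the model: (subject, None) on success, (None, message) on failure."""
    browser = Browser()
    token = idp_issue_id_token(start_signin(browser, start_host, f"https://{redirect_host}/"))
    try:
        return handle_callback(browser, redirect_host, token), None
    except NonceError as err:
        return None, str(err)
```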
Regarding "c# - Azure Active Directory OpenID throws a nonce exception in a web browser but not in a web browser control", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/58382146/