我正在运行一个 ASP.NET MVC (4.7.2) web 应用程序。我使用带有混合流的 Identity Server 4 实例进行外部身份验证。
在测试 Firefox 的新“缺少 SameSite 默认为 LAX”功能时,他没有将 LAX OpenIdConnect.Nonce cookie 发送回我的 MVC Web 应用程序:
图 1:所有 cookie 都有 Lax
图 2:POST 到 时未提供 cookie登录-oidc
我收到错误:
OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.
我尝试了一些方法来确保所有 cookie 至少具有 None 或 Unspecified 设置,但是这个 OpenIdConnect.Nonce cookie 一直坚持在 LAX。
app.UseKentorOwinCookieSaver();
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies",
CookieSameSite = SameSiteMode.None,
CookieManager = new SameSiteCookieManager(new SystemWebCookieManager())
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
Authority = configDetails.IdentityProviderUrl,
AuthenticationType = "Cookies",
ClientId = configDetails.ClientId,
Scope = configDetails.Scope,
ResponseType = "id_token code",
RedirectUri = !string.IsNullOrWhiteSpace(configDetails.RedirectUri) ? configDetails.RedirectUri : "~/",
SignInAsAuthenticationType = "Cookies",
UseTokenLifetime = false,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived = AuthorizationCodeReceived,
RedirectToIdentityProvider = n =>
{
if (n.ProtocolMessage.RequestType != Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectRequestType.Logout) return Task.FromResult(0);
var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");
if (idTokenHint != null)
{
n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
}
return Task.FromResult(0);
}
},
CookieManager = new SameSiteCookieManager(new SystemWebCookieManager()),
});
在我的 web.config 中,我添加了:
<system.web>
<httpCookies sameSite="None" requireSSL="true" />
</system.web>
我正在使用来自 Microsoft MSDN 的 SameSiteCookieManager .
我希望有人可以帮助我将此 OpenIdConnect.Nonce cookie 设置为无或未指定。
提前谢谢了!
最佳答案
我通过附加到 RedirectToIdentityProvider 并从那里手动设置它解决了 SameSite 问题。像这样的东西:
RedirectToIdentityProvider = async n =>
{
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
{
var nonceKey = HttpContext.Current.Response.Cookies.AllKeys.Where(x => x.Contains("nonce")).FirstOrDefault();
if (nonceKey != null)
{
var nonce = HttpContext.Current.Response.Cookies.Get(nonceKey);
nonce.SameSite = SameSiteMode.None
}
}
关于asp.net - 如何在 .NET 4.7.2 上为 OWIN OpenIdConnect.Nonce cookie 将 SameSite 值设置为 None 或 Undefined,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60002725/