asp.net - 如何在 .NET 4.7.2 上为 OWIN OpenIdConnect.Nonce cookie 将 SameSite 值设置为 None 或 Undefined

Question

我正在运行一个 ASP.NET MVC (4.7.2) web 应用程序。我使用带有混合流的 Identity Server 4 实例进行外部身份验证。

在测试 Firefox 的新“缺少 SameSite 默认为 LAX”功能时，他没有将 LAX OpenIdConnect.Nonce cookie 发送回我的 MVC Web 应用程序:

图 1:所有 cookie 都有 Lax



图 2:POST 到 时未提供 cookie登录-oidc



我收到错误:

OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

我尝试了一些方法来确保所有 cookie 至少具有 None 或 Unspecified 设置，但是这个 OpenIdConnect.Nonce cookie 一直坚持在 LAX。

app.UseKentorOwinCookieSaver();

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies",
    CookieSameSite = SameSiteMode.None,
    CookieManager = new SameSiteCookieManager(new SystemWebCookieManager())
});

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    Authority = configDetails.IdentityProviderUrl,
    AuthenticationType = "Cookies",
    ClientId = configDetails.ClientId,
    Scope = configDetails.Scope,
    ResponseType = "id_token code",
    RedirectUri = !string.IsNullOrWhiteSpace(configDetails.RedirectUri) ? configDetails.RedirectUri : "~/",
    SignInAsAuthenticationType = "Cookies",
    UseTokenLifetime = false,
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        AuthorizationCodeReceived = AuthorizationCodeReceived,
        RedirectToIdentityProvider = n =>
        {
            if (n.ProtocolMessage.RequestType != Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectRequestType.Logout) return Task.FromResult(0);

            var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");
            if (idTokenHint != null)
            {
                n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
            }
            return Task.FromResult(0);
        }
    },
    CookieManager = new SameSiteCookieManager(new SystemWebCookieManager()),
});

在我的 web.config 中，我添加了:

<system.web>
  <httpCookies sameSite="None" requireSSL="true" />
</system.web>

我正在使用来自 Microsoft MSDN 的 SameSiteCookieManager .

我希望有人可以帮助我将此 OpenIdConnect.Nonce cookie 设置为无或未指定。

提前谢谢了!

Answer 1

我通过附加到 RedirectToIdentityProvider 并从那里手动设置它解决了 SameSite 问题。像这样的东西:

RedirectToIdentityProvider = async n =>
{
    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
    {
        var nonceKey = HttpContext.Current.Response.Cookies.AllKeys.Where(x => x.Contains("nonce")).FirstOrDefault();
        if (nonceKey != null)
        {
            var nonce = HttpContext.Current.Response.Cookies.Get(nonceKey);
            nonce.SameSite = SameSiteMode.None
        }
    }