我有两个受 Azure AD 保护的 ASP.NET Core Web 应用程序(使用相同的应用程序注册 ID)。如果我登录其中一个,另一个的身份验证流程就会中断,但反之则不会。
我认为这与身份验证 cookie 有关,并且管理应用程序会选择为门户应用程序创建的 cookie。如果这个假设是正确的,我如何确保应用程序不使用彼此的 cookie?
设置
- 应用 1,具有 fork 管道的门户
- http://localhost:5001/ (没有授权,只是一个信息页面)
- http://localhost:5001/portal (aad 身份验证)
- 应用程序 2,管理页面
- https://localhost:6001/admin (aad 身份验证)
测试用例
OK : Load Admin and log in
OK : Load Portal and log in
NOK: Load the Portal and log in, navigate to Admin (auth loop)
NOK: Load Admin and log in,
navigate to Portal (credentials not requested, reusing the cookie i guess),
reload Admin (auth loop)
管理应用程序报告以下错误并创建身份验证重定向循环。 Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler:信息:Cookie 未经过身份验证。失败消息:取消保护票证失败
门户应用程序的 Startup.cs
public class Startup
{
public Startup( IConfiguration configuration )
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
public void ConfigureServices( IServiceCollection services )
{
services.AddAuthentication( o =>
{
o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
}
).AddOpenIdConnect( o =>
{
o.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
o.ClientId = "same-for-both-apps";
o.CallbackPath = "/portal/signin-oidc";
o.Authority = "https://login.windows.net/common";
o.TokenValidationParameters = new TokenValidationParameters
{
RoleClaimType = ClaimTypes.Role,
ValidateIssuer = false,
};
}
).AddCookie( options =>
{ options.AccessDeniedPath = new PathString( "/Account/AccessDenied" ); } );
services.AddMvc( o =>
{
o.Filters.Add( new AuthorizeFilter(
new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build() ) );
}
).SetCompatibilityVersion( CompatibilityVersion.Version_2_2 );
}
public void Configure( IApplicationBuilder app, IHostingEnvironment env )
{
app.MapWhen( IsTargetingPortal, HandlePortalRequest );
app.Run( async ctx =>
{
await ctx.Response.WriteAsync( "Default: info page" );
} );
}
bool IsTargetingPortal( HttpContext ctx )
{
return ctx.Request.Path == "/portal/signin-oidc" ||
ctx.Request.Path == "/portal" ||
ctx.Request.Host.Host.StartsWith( "portal." );
}
void HandlePortalRequest( IApplicationBuilder builder )
{
builder.UseAuthentication();
builder.UseMvc( routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}" );
} );
}
}
管理应用的 Startup.cs
public class Startup
{
public Startup( IConfiguration configuration )
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
public void ConfigureServices( IServiceCollection services )
{
services.AddAuthentication( o =>
{
o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
}
).AddOpenIdConnect( o =>
{
o.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
o.ClientId = "same-for-both-apps";
o.Authority = "https://login.windows.net/common";
o.TokenValidationParameters = new TokenValidationParameters
{
RoleClaimType = ClaimTypes.Role,
ValidateIssuer = false,
};
}
).AddCookie( options =>
{ options.AccessDeniedPath = new PathString( "/Account/AccessDenied" ); } );
services.AddMvc( o =>
{
o.Filters.Add( new AuthorizeFilter(
new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build() ) );
}
).SetCompatibilityVersion( CompatibilityVersion.Version_2_2 );
}
public void Configure( IApplicationBuilder app, IHostingEnvironment env )
{
app.UsePathBase( "/admin" );
if( env.IsDevelopment() )
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler( "/Error" );
app.UseHsts();
}
app.UseAuthentication();
app.UseMvc();
}
}
最佳答案
这需要在 Azure AD 门户中单独注册这两个应用程序。这将为您提供不同的客户端 ID。为每个应用程序使用不同的客户端 ID。
关于c# - 使用两个应用程序时的 Azure AD 身份验证重定向循环(cookie 错误),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/56974456/