Where in the OIDC middleware is the recommended place to validate the state parameter and, if necessary, reject the request?

OnRedirectToIdentityProvider = (RedirectContext context) =>
{
    context.ProtocolMessage.State = "ENCODED_STATE_PARAMETER";
    return Task.CompletedTask;
};

Thanks, Ruben
Best answer

After digging into the OIDC source code, I found this solution:
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var options = new OpenIdConnectOptions();
// ...
options.ProtocolValidator = new MyOIDCProtocolValidator();

public sealed class MyOIDCProtocolValidator : OpenIdConnectProtocolValidator
{
    public MyOIDCProtocolValidator() : base()
    {
        // not sure if these are needed
        base.RequireState = true;
        base.RequireStateValidation = true;
    }

    protected override void ValidateState(OpenIdConnectProtocolValidationContext validationContext)
    {
        // validate state here
        // if (valid) do nothing
        // else throw new OpenIdConnectProtocolInvalidStateException();
    }
}
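As an added example (not code from the question or the answer), here is one way to complete the skeleton above: the state is issued with ASP.NET Core data protection in OnRedirectToIdentityProvider and unprotected again in ValidateState, so a forged or tampered value is rejected. The class names and the purpose string "OidcStateParameter" are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Rejects any callback whose state was not issued by this app's data protector.
public sealed class ProtectedStateValidator : OpenIdConnectProtocolValidator
{
    public const string Purpose = "OidcStateParameter"; // assumed purpose string, shared by both sides
    private readonly IDataProtector _protector;

    public ProtectedStateValidator(IDataProtectionProvider provider)
    {
        _protector = provider.CreateProtector(Purpose);
        RequireState = true;
        RequireStateValidation = true; // the ASP.NET Core options default this to false
    }

    protected override void ValidateState(OpenIdConnectProtocolValidationContext validationContext)
    {
        var state = validationContext?.ProtocolMessage?.State;
        if (string.IsNullOrEmpty(state))
            throw new OpenIdConnectProtocolInvalidStateException("state parameter is missing");
        try { _protector.Unprotect(state); } // throws on a forged, truncated or foreign-key value
        catch (CryptographicException ex)
        {
            throw new OpenIdConnectProtocolInvalidStateException("state parameter failed to unprotect", ex);
        }
    }
}

public static class OidcStateSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddOptions<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme)
            .Configure<IDataProtectionProvider>((options, provider) =>
            {
                var protector = provider.CreateProtector(ProtectedStateValidator.Purpose);
                options.ProtocolValidator = new ProtectedStateValidator(provider);
                options.Events.OnRedirectToIdentityProvider = context =>
                {
                    // Issue the state with the same protector so ValidateState can verify it.
                    context.ProtocolMessage.State = protector.Protect(Guid.NewGuid().ToString("N"));
                    return Task.CompletedTask;
                };
            });
    }
}
```

The handler stores the value you set in OnRedirectToIdentityProvider inside its own protected state and restores it on the callback before the validator runs, so ProtocolMessage.State in ValidateState is your value rather than the handler's blob. Note that the handler only calls ValidateAuthenticationResponse, and hence ValidateState, when the authorization response itself carries an id_token; for a plain code flow only ValidateTokenResponse runs.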
Regarding "asp.net-mvc - Asp.net Core OpenIdConnect (OIDC) where to validate the state parameter", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/62648864/