【Question title】: ASP.NET CORE 3.1: Azure AD Authentication fails in EDGE. Infinite redirect loops and page reloads during authentication
【Posted】: 2021-08-08 00:53:21
【Question】:

I don't have any issue with Chrome. It's the Edge browser where I'm facing the problem. I tried clearing the cache. Deleted cookies. Reset the browser. Nothing worked. I keep getting an infinite loop on login. It eventually fails with the message "We couldn't sign you in. Please try again.". Any help is appreciated.

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddPolicy("CorsPolicy",
            builder => builder.AllowAnyOrigin()
                .AllowAnyMethod()
                .AllowAnyHeader());
    });

    services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
    {
        options.Events.OnRedirectToIdentityProviderForSignOut = async context =>
        {
            Console.WriteLine("intercepted");
        };
    });

    var azureAd = new AzureAd();
    Configuration.GetSection("AzureAd").Bind(azureAd);
    services.AddControllersWithViews();

    services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
        .AddAzureAD(options => Configuration.Bind("AzureAd", options));

    var url = "https://abc.xyz.com/platform/signin-oidc";
    //var url = "https://localhost:5001/platform/signin-oidc";

    services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
    {
        options.SaveTokens = true;

        options.Events = new OpenIdConnectEvents
        {
            OnRedirectToIdentityProvider = async context =>
            {
                context.ProtocolMessage.RedirectUri = url;

                //context.Response.Headers.Add("Referrer-Policy", "no-referrer");
                await Task.FromResult(0);
            }
        };
    });
}

// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.UseCors("CorsPolicy");

    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
        // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseStaticFiles();
    //app.UseCookiePolicy();
    app.UseRouting();
    app.UseAuthentication();
    app.UseAuthorization();
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}");
        endpoints.MapControllerRoute(
            name: "platform",
            pattern: "/platform/{controller=Home}/{action=Index}/{id?}");
    });
}

Edit

I do see this in the Network tab of the developer tools:

【Comments】:

  • I'm not 100% sure, but I think it's related to the SameSite cookie policy: docs.microsoft.com/en-us/aspnet/core/security/…
  • If the above doesn't work, do a network trace (wireshark/fiddler/etc.) and follow the cookies to make sure they are being passed to MS.
  • @ThiagoCustodio Tried it. It doesn't work. It only happens after deployment btw. Locally.. I don't face any issues.
  • @blockingHD Wish I knew how to do that.

Tags: c# .net azure asp.net-core asp.net-core-3.1


【Answer 1】:

The problem was that the token sent back by AD is stored in a cookie, and the cookie was being blocked because it did not have the Secure attribute.

It did not have the Secure attribute because the app is deployed on a Kubernetes cluster, and the communication between the front door and the app is http rather than https. So, to force secure cookies, I had to add the following in public void Configure(IApplicationBuilder app, IWebHostEnvironment env):

app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});

app.Use(async (context, next) =>
{
    if (context.Request.Host.Host.ToLower() != "localhost")
        context.Request.Scheme = "https";
    await next.Invoke();
});

【Discussion】:
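As an added example (not the asker's or the answerer's code), here is an ASP.NET Core 3.1 Startup that applies the same fix the answer describes, with two changes a defender would want: the forwarded-headers middleware only trusts X-Forwarded-Proto from a known proxy network instead of from any client, and the cookie policy always emits the Secure attribute instead of rewriting Request.Scheme for every non-localhost request. The 10.0.0.0/8 proxy network is an assumption; replace it with the address range of your ingress or front door. The "AzureAd" configuration binding is taken from the question.

```csharp
// Added example, not the asker's or answerer's code. ASP.NET Core 3.1 Startup that
// keeps the Azure AD sign-in cookies Secure behind a TLS-terminating reverse proxy.
// Assumptions: the proxy sends X-Forwarded-For/X-Forwarded-Proto and lives in
// 10.0.0.0/8 (hypothetical; use your ingress network), and "AzureAd" is bound
// from configuration exactly as in the question.
using System.Net;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            // Trust forwarded headers only from the proxy network. Without this, any
            // client that reaches the pod directly could send "X-Forwarded-Proto: https"
            // or spoof its source address.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.0.0.0"), 8)); // assumed ingress CIDR
        });

        // Every cookie the app issues (auth, correlation, nonce) gets the Secure
        // attribute regardless of what the app-side scheme looks like. Chromium-based
        // browsers drop a SameSite=None cookie that lacks Secure, which is the
        // redirect loop the question describes.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.Secure = CookieSecurePolicy.Always;
        });

        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => Configuration.Bind("AzureAd", options));

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Must be first: everything below (HTTPS redirection, HSTS, the OIDC handler's
        // redirect_uri and cookie Secure flag) reads Request.Scheme, which this rewrites
        // from X-Forwarded-Proto only when the request came from a known proxy.
        app.UseForwardedHeaders();

        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseCookiePolicy();   // applies CookieSecurePolicy.Always to every Set-Cookie
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}
```

With KnownNetworks restricted, a request that bypasses the proxy keeps Scheme = http, so the Secure flag on the cookies comes from the cookie policy rather than from a header the client controls. To confirm the fix, look at the Set-Cookie headers on the response that redirects to Azure AD in the browser's Network tab: the correlation and nonce cookies should now carry the Secure attribute, and the sign-in callback should complete without looping.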
