IdentityServer3,Azure Active Directory 外部提供者,Message='Action 返回'System.Web.Http.Results.Unauthorized''

【问题标题】:IdentityServer3, Azure Active Directory External Provider, Message='Action returned 'System.Web.Http.Results.Unauthorized''IdentityServer3,Azure Active Directory 外部提供者,Message='Action 返回'System.Web.Http.Results.Unauthorized''
【发布时间】:2017-04-05 13:51:14
【问题描述】:

我看到 IdentityServer3 和外部提供程序的奇怪行为。我希望有人能够指出我遗漏的一些明显的东西。

总结

第一个外部登录请求设置浏览器等待请求返回,并导致以下错误仅通过日志记录可见。如果我在浏览器中取消请求并立即再次单击该按钮,它将按预期工作,浏览器被发送到外部登录屏幕。

配置

我已经根据一些参考资料和文档以及我可以确定的配置了 IDSrv3,以利用 Azure Active Directory。

 var wsFedOptions = new WsFederationPluginOptions(options);
    wsFedOptions.Factory.Register(new Registration<IEnumerable<RelyingParty>>(RelyingParties.Get()));
    wsFedOptions.Factory.RelyingPartyService = new Registration<IRelyingPartyService>(typeof(InMemoryRelyingPartyService));
    app.UseWsFederationPlugin(wsFedOptions);



 var aad = new OpenIdConnectAuthenticationOptions
            {
                AuthenticationType = "AzureAd",
                Caption = "Azure AD",
                SignInAsAuthenticationType = signInAsType,
                PostLogoutRedirectUri = Settings.LogoutRedirect,
                Authority = Settings.AADAuthority,
                ClientId = Settings.AADClientId,
                RedirectUri = Settings.AADRedirectUrl
            };

            app.UseOpenIdConnectAuthentication(aad);

在登录视图中,如预期的那样,我看到了上面标题 (Azure AD) 的外部登录按钮。第一次单击此按钮时,浏览器只是等待主机...

在日志中我发现了以下错误。


iisexpress.exe Information: 0 : 2017-04-05 08:28:09.708 -05:00 [Information] External login requested for provider: "AzureAd"
iisexpress.exe Information: 0 : 2017-04-05 08:28:09.714 -05:00 [Information] Triggering challenge for external identity provider
LibLog Information: 0 : [2017-04-05T13:28:09.7176576Z] Level=Info, Kind=End, Category='System.Web.Http.Action', Id=800000ad-0002-fb00-b63f-84710c7967bb, Message='Action returned 'System.Web.Http.Results.UnauthorizedResult'', Operation=ReflectedHttpActionDescriptor.ExecuteAsync
LibLog Information: 0 : [2017-04-05T13:28:09.7206611Z] Level=Info, Kind=End, Category='System.Web.Http.Action', Id=800000ad-0002-fb00-b63f-84710c7967bb, Operation=ApiControllerActionInvoker.InvokeActionAsync, Status=401 (Unauthorized)
LibLog Information: 0 : [2017-04-05T13:28:09.7216630Z] Level=Info, Kind=Begin, Category='System.Web.Http.Filters', Id=800000ad-0002-fb00-b63f-84710c7967bb, Message='Action filter for 'LoginExternal(String signin, String provider)'', Operation=NoCacheAttribute.OnActionExecutedAsync, Status=401 (Unauthorized)
LibLog Information: 0 : [2017-04-05T13:28:09.7226640Z] Level=Info, Kind=End, Category='System.Web.Http.Filters', Id=800000ad-0002-fb00-b63f-84710c7967bb, Operation=NoCacheAttribute.OnActionExecutedAsync, Status=401 (Unauthorized)
LibLog Information: 0 : [2017-04-05T13:28:09.7226640Z] Level=Info, Kind=Begin, Category='System.Web.Http.Filters', Id=800000ad-0002-fb00-b63f-84710c7967bb, Message='Action filter for 'LoginExternal(String signin, String provider)'', Operation=SecurityHeadersAttribute.OnActionExecutedAsync, Status=401 (Unauthorized)
LibLog Information: 0 : [2017-04-05T13:28:09.7236655Z] Level=Info, Kind=End, Category='System.Web.Http.Filters', Id=800000ad-0002-fb00-b63f-84710c7967bb, Operation=SecurityHeadersAttribute.OnActionExecutedAsync, Status=401 (Unauthorized)
LibLog Information: 0 : [2017-04-05T13:28:09.7246669Z] Level=Info, Kind=End, Category='System.Web.Http.Controllers', Id=800000ad-0002-fb00-b63f-84710c7967bb, Operation=AuthenticationController.ExecuteAsync, Status=401 (Unauthorized)
LibLog Information: 0 : [2017-04-05T13:28:09.7251836Z] Level=Info, Kind=End, Category='System.Web.Http.MessageHandlers', Id=800000ad-0002-fb00-b63f-84710c7967bb, Operation=PassiveAuthenticationMessageHandler.SendAsync, Status=401 (Unauthorized)
LibLog Information: 0 : [2017-04-05T13:28:09.7261856Z] Level=Info, Kind=End, Category='System.Web.Http.MessageHandlers', Id=800000ad-0002-fb00-b63f-84710c7967bb, Operation=DependencyScopeHandler.SendAsync, Status=401 (Unauthorized)
LibLog Information: 0 : [2017-04-05T13:28:09.7271879Z] Sending response, Status=401 (Unauthorized), Method=GET, Url=https://localhost:44396/identity/external?provider=AzureAd&signin=2d92dd18a6106c9b029eb8742d4117a1, Id=800000ad-0002-fb00-b63f-84710c7967bb, Message='Content-type='none', content-length=unknown'

浏览器将无限期地继续等待本地主机。 如果我停止请求并立即再次单击该按钮,一切都会按预期进行。

【问题讨论】:

  • IDSrv3 AuthenticatioinController.cs 中的错误似乎发生在第 330 行,就在之前的 context.Authentication.Challenget(authProp, provider) 然后这个方法立即返回 Unauthorized();

标签: c# authentication azure-active-directory identityserver3


【解决方案1】:

基于OpenIdConnectAuthenticationOptions,代码似乎是正确的。我还使用下面的代码使用 Azure AD 帐户登录 IdentityServer3,它对我来说效果很好:

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        Log.Logger = new LoggerConfiguration()
            .MinimumLevel.Debug()
            .WriteTo.Trace()
            .CreateLogger();

        var users = new List<InMemoryUser>()
        {
            new InMemoryUser
            {
                Username="Jack", Password="Jack",
                Claims= new List<Claim>
                {
                    new Claim("name","Jack"),
                    new Claim("email","Jack@consoto.com"),
                    new Claim("role","Admin"),
                }
            }
        };

        var clients = new Client[]
        {
            new Client
            {
                ClientId="mvc",
                ClientName="MVC Demo Client",
                Flow=Flows.Implicit,
                RedirectUris=new List<string>
                {
                    "http://localhost:9000",
                    "http://localhost:1409/"
                },
                AllowedScopes=new List<string>
                {
                    "openid","email","profile","roles"
                }
            }
        };

        var scopes = new Scope[]
            {
                StandardScopes.OpenId,
                StandardScopes.ProfileAlwaysInclude,
                StandardScopes.EmailAlwaysInclude,
                new Scope
                {
                    Name="roles",
                    Claims=new List<ScopeClaim>
                    {
                        new ScopeClaim("role")
                    },
                    Type=ScopeType.Identity
                }
            };

        var factory = new IdentityServerServiceFactory();
        factory.UseInMemoryClients(clients);
        factory.UseInMemoryScopes(scopes);
        factory.UseInMemoryUsers(users);

        var cert = LoadCertificate();

        app.UseIdentityServer(new IdentityServerOptions
        {
            SiteName = "NDC Demo",
            SigningCertificate = cert,
            Factory = factory,
            AuthenticationOptions = new AuthenticationOptions
            {
                IdentityProviders = ConfigureAdditionalIdentityProviders,
                EnableAutoCallbackForFederatedSignout = true
            }
        });
    }

    public static void ConfigureAdditionalIdentityProviders(IAppBuilder app, string signInAsType)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = "aad",
            Caption = "Azure AD",
            SignInAsAuthenticationType = signInAsType,

            Authority = "https://login.microsoftonline.com/04e14a2c-0e9b-42f8-8b22-3c4a2f1d8800",
            ClientId = "eca61fd9-f491-4f03-a622-90837bbc1711",
            RedirectUri = "https://localhost:44333/core/aadcb",
        });
    }

    static X509Certificate2 LoadCertificate()
    {
        var baseFolder = AppDomain.CurrentDomain.BaseDirectory;
        string certificatePath = $"{baseFolder}\\Certificates\\mycompanyname.pfx";
        return new X509Certificate2(certificatePath, "", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
    }
}

然后我们可以通过以下请求与 IdentityServer3 交互:

https://localhost:44333/connect/authorize?response_type=id_token&amp;client_id=mvc&amp;redirect_uri=http://localhost:9000&amp;scope=openid+email+profile+roles&amp;nonce=123

请告诉我是否有帮助。

【讨论】:

  • 除了我使用 login.windows.net/[tenantID] 之外,我的配置中没有任何内容。就像我说的,它有效,但前提是我取消第一个请求。我怀疑 IDSrv3 是问题的根源,感谢您的努力。
【解决方案2】:

原来问题与 Katana OIDC MW 中的死锁错误有关。 解决方法是创建自定义 IConfigurationManager 并在启动时手动获取元数据。与 Thinktecture 提出的类似。

https://github.com/IdentityServer/IdentityServer3/blob/master/source/Host.Configuration/Extensions/SyncConfigurationManager.cs

替换 OpenIdConnectConfiguration



var manager = new SyncConfigurationManager(new ConfigurationManager &lt OpenIdConnectConfiguration &gt (Settings.AADAuthority + "/.well-known/openid-configuration"));

然后将管理器添加到 OpenIdAuthenticationOptions



    var aad = new OpenIdConnectAuthenticationOptions
                {
                    AuthenticationType = "AzureAd",
                    Caption = "Marquis Azure AD",
                    SignInAsAuthenticationType = signInAsType,
                    PostLogoutRedirectUri = Settings.LogoutRedirect,
                    Authority = Settings.AADAuthority,
                    ClientId = Settings.AADClientId,
                    RedirectUri = Settings.AADRedirectUrl,
                    ConfigurationManager = manager
                };

【讨论】:

    猜你喜欢
    • 2018-07-01
    • 1970-01-01
    • 2016-08-13
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2019-12-23
    • 1970-01-01
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode