在loadbalancer后面,自定义UserService失败

时间:2015-05-20 13:44:20

标签: thinktecture-ident-server thinktecture

我们有一个Identityserver v3,在负载均衡器后面有一个带有2因子身份验证的自定义UserService。它适用于我的机器:-)但部署到负载均衡环境时partialSigninAuthentication失败(我不确定它是否与loadbalaning有关,我只是假设。我们的v2也运行在相同的服务器上 - 没有问题)。

我使用示例impl中的证书,并使用RequireSSL = false(负载均衡器后面的http)

在我的TwoFactorController中,我打印一些调试,也许这有帮助吗?

Trace.WriteLine(JsonConvert.SerializeObject(ctx.Authentication.User));
var authentication = await ctx.Authentication.AuthenticateAsync(Constants.PartialSignInAuthenticationType);
// Problem is that this is null
if (authentication == null)
{
   return View("Error");
}

追踪日志:

w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.DiscoveryEndpointController]: 20.05.2015 13:24:47 +00:00 -- Start discovery request
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.DiscoveryEndpointController]: 20.05.2015 13:24:48 +00:00 -- Start key discovery request
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthorizeEndpointController]: 20.05.2015 13:24:48 +00:00 -- Start authorize request
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Validation.AuthorizeRequestValidator]: 20.05.2015 13:24:48 +00:00 -- Start authorize request protocol validation
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Validation.AuthorizeRequestValidator]: 20.05.2015 13:25:01 +00:00 -- Authorize request validation success
 {
  "ClientId": "MvcTest1",
  "ClientName": "MvcTest1",
  "RedirectUri": "https://smi-test.myserver.net/TestMVC/",
  "AllowedRedirectUris": [
    "https://localhost:44311/TestMVC/",
    "https://smi-test.myserver.net/TestMVC/"
  ],
  "SubjectId": "unknown",
  "ResponseType": "id_token",
  "ResponseMode": "form_post",
  "Flow": "Implicit",
  "RequestedScopes": "sse_roles smi_profile openid profile",
  "State": "OpenIdConnect.AuthenticationProperties=OoZ3B4sAgC2fqGquUN3Nqg4JH1YFJeG8hCzr1D5O_3nFY_KZpUz_bsg8syMLEeYAP5tFt4YtYspJ8nf97VBnHP0YZkXFAuZQtZpdyAlWUY2yOfpLFwndlIlR_HFfiv7M8ztr_WsP7TAS5tLXuqLTbjrN1Yz1I-bTQd8iO-I002oKqksH1riamKagZJt9O-a5gkG4srOqH53yCHUb9bHflbpw_p4A7k8N3LYISpEf26M",
  "Nonce": "635677250880977851.NTJkMzlhMDQtZDA0OC00MTRiLTg0NDgtZGI2M2QwOTMzMDE0ODI5YTE1YTktZGY0YS00NTk0LTkwNWItOTEyYmNiMTMwZDk5",
  "Raw": {
    "client_id": "MvcTest1",
    "redirect_uri": "https://smi-test.myserver.net/TestMVC/",
    "response_mode": "form_post",
    "response_type": "id_token",
    "scope": "sse_roles smi_profile openid profile",
    "state": "OpenIdConnect.AuthenticationProperties=OoZ3B4sAgC2fqGquUN3Nqg4JH1YFJeG8hCzr1D5O_3nFY_KZpUz_bsg8syMLEeYAP5tFt4YtYspJ8nf97VBnHP0YZkXFAuZQtZpdyAlWUY2yOfpLFwndlIlR_HFfiv7M8ztr_WsP7TAS5tLXuqLTbjrN1Yz1I-bTQd8iO-I002oKqksH1riamKagZJt9O-a5gkG4srOqH53yCHUb9bHflbpw_p4A7k8N3LYISpEf26M",
    "nonce": "635677250880977851.NTJkMzlhMDQtZDA0OC00MTRiLTg0NDgtZGI2M2QwOTMzMDE0ODI5YTE1YTktZGY0YS00NTk0LTkwNWItOTEyYmNiMTMwZDk5"
  }
}
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.ResponseHandling.AuthorizeInteractionResponseGenerator]: 20.05.2015 13:25:01 +00:00 -- User is not authenticated. Redirecting to login.
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthorizeEndpointController]: 20.05.2015 13:25:01 +00:00 -- End authorize request
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Results.LoginResult]: 20.05.2015 13:25:01 +00:00 -- Redirecting to login page
Debug: [Thinktecture.IdentityServer.Core.Configuration.Hosting.MessageCookie`1]: 20.05.2015 13:25:01 +00:00 -- Protecting message: {"ReturnUrl":"http://smi-test.myserver.net/STSv3/connect/authorize?client_id=MvcTest1&redirect_uri=https%3A%2F%2Fsmi-test.myserver.net%2FTestMVC%2F&response_mode=form_post&response_type=id_token&scope=sse_roles%20smi_profile%20openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DOoZ3B4sAgC2fqGquUN3Nqg4JH1YFJeG8hCzr1D5O_3nFY_KZpUz_bsg8syMLEeYAP5tFt4YtYspJ8nf97VBnHP0YZkXFAuZQtZpdyAlWUY2yOfpLFwndlIlR_HFfiv7M8ztr_WsP7TAS5tLXuqLTbjrN1Yz1I-bTQd8iO-I002oKqksH1riamKagZJt9O-a5gkG4srOqH53yCHUb9bHflbpw_p4A7k8N3LYISpEf26M&nonce=635677250880977851.NTJkMzlhMDQtZDA0OC00MTRiLTg0NDgtZGI2M2QwOTMzMDE0ODI5YTE1YTktZGY0YS00NTk0LTkwNWItOTEyYmNiMTMwZDk5","ClientId":"MvcTest1","AcrValues":[],"Created":635677250886418395}
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:01 +00:00 -- Login page requested
Debug: [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:01 +00:00 -- signin message passed to login: {
  "ReturnUrl": "http://smi-test.myserver.net/STSv3/connect/authorize?client_id=MvcTest1&redirect_uri=https%3A%2F%2Fsmi-test.myserver.net%2FTestMVC%2F&response_mode=form_post&response_type=id_token&scope=sse_roles%20smi_profile%20openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DOoZ3B4sAgC2fqGquUN3Nqg4JH1YFJeG8hCzr1D5O_3nFY_KZpUz_bsg8syMLEeYAP5tFt4YtYspJ8nf97VBnHP0YZkXFAuZQtZpdyAlWUY2yOfpLFwndlIlR_HFfiv7M8ztr_WsP7TAS5tLXuqLTbjrN1Yz1I-bTQd8iO-I002oKqksH1riamKagZJt9O-a5gkG4srOqH53yCHUb9bHflbpw_p4A7k8N3LYISpEf26M&nonce=635677250880977851.NTJkMzlhMDQtZDA0OC00MTRiLTg0NDgtZGI2M2QwOTMzMDE0ODI5YTE1YTktZGY0YS00NTk0LTkwNWItOTEyYmNiMTMwZDk5",
  "ClientId": "MvcTest1",
  "IdP": null,
  "Tenant": null,
  "LoginHint": null,
  "DisplayMode": null,
  "UiLocales": null,
  "AcrValues": [],
  "Created": 635677250886418395
}
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:01 +00:00 -- rendering login page
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:29 +00:00 -- Login page submitted
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:29 +00:00 -- Login credentials successfully validated by user service
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:29 +00:00 -- issuing cookie (partial login)
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:29 +00:00 -- redirecting to: http://test.myserver.net/STSv3/TwoFactor/Index
w3wp.exe Information: 0 : TwoFactorController JsonConvert.SerializeObject(ctx.Authentication.User):
{"Claims":[],"Identities":[{"AuthenticationType":null,"IsAuthenticated":false,"Actor":null,"BootstrapContext":null,"Claims":[],"Label":null,"Name":null,"NameClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name","RoleClaimType":"http://schemas.microsoft.com/ws/2008/06/identity/claims/role"}],"Identity":{"AuthenticationType":null,"IsAuthenticated":false,"Actor":null,"BootstrapContext":null,"Claims":[],"Label":null,"Name":null,"NameClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name","RoleClaimType":"http://schemas.microsoft.com/ws/2008/06/identity/claims/role"}}

更新 我删除了部分登录,但仍然无法正常工作。这是IdServer的最后一个日志条目

[Thinktecture.IdentityServer.Core.Results.AuthorizeFormPostResult]: 21.05.2015 07:54:35 +00:00 -- Posting to https://smi-test.myserver.net/TestMVC/

在浏览器中,内容为空,但标题为:'提交此表单' 浏览器的网址是:

  https://smi-test.myserver.net/STSv3/connect/authorize?client_id=MvcTest1&redirect_uri=https%3A%2F%2Fsmi-test.myserver.net%2FTestMVC%2F&response_mode=form_post&response_type=id_token&scope=sse_roles%20smi_profile%20openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DIxrlCyPTeXy89E1BwspOh64Hu66D0vrJ5T3y8FwdzpWIKQQZY..... 

UPDATE2 检查提交表单,看起来内容安全策略阻止了脚本

页面https://smi-test.myserver.net/STSv3/connect/authorize加载脚本

<script src="http://smi-test.myserver.net/STSv3/assets/app.FormPostResponse.js"></script>

如何将其更改为https?

Larsi

1 个答案:

答案 0 :(得分:0)

设置此属性时问题已解决:

PublicOrigin

有关此问题的更多信息,请参阅this issue