DotNetOpenAuth RP fails behind an SSL appliance

Posted: 2010-07-09 01:06:09

Tags: ssl dotnetopenauth

I can't get a DNOA RP running behind an SSL appliance (one that terminates the client's HTTPS connection and reverse-proxies plain HTTP to the web server behind it).

The problem is that the RP wrongly guesses the recipient endpoint from the incoming request (because it is no longer HTTPS by the time it reaches the web server) and compares that endpoint with the scheme on the return_to URL (which is HTTPS) - it fails with the stack trace below. I've spent some time in the code and don't see a way to change this behaviour without a custom build or non-trivial subclassing. I'm already passing HTTPS versions of the Realm and ReturnToUrl to OpenIdRelyingParty.CreateRequests() - that part works fine.

Is there a way to fudge the detected recipient scheme to HTTPS, or to skip the scheme comparison, in the stock DNOA build, or am I patching a custom build tomorrow?


Stack trace:

ERROR DotNetOpenAuth.Messaging - 09 Jul 2010 00:11:39,450 - Protocol error: The openid.return_to parameter (https://XXX/Login.aspx?openid=XXX&dnoa.userSuppliedIdentifier=XXX) does not match the actual URL (http://XXX/Login.aspx?openid=XXX&dnoa.userSuppliedIdentifier=XXX&openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res&openid.op_endpoint=XXX&openid.response_nonce=XXX&openid.return_to=https://XXX/Login.aspx?openid=XXX&dnoa.userSuppliedIdentifier=XXX&openid.assoc_handle=XXX&openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle&openid.sig=XXX&openid.identity=XXX&openid.claimed_id=XXX) the request was made with.
 at DotNetOpenAuth.Messaging.ErrorUtilities.VerifyProtocol(Boolean condition, String message, Object[] args)
 at DotNetOpenAuth.OpenId.Messages.IndirectSignedResponse.VerifyReturnToMatchesRecipient()
 at DotNetOpenAuth.OpenId.Messages.IndirectSignedResponse.EnsureValidMessage()
 at DotNetOpenAuth.Messaging.MessageSerializer.Deserialize(IDictionary`2 fields, MessageDictionary messageDictionary)
 at DotNetOpenAuth.Messaging.Reflection.MessageDictionary.Deserialize(IDictionary`2 fields)
 at DotNetOpenAuth.Messaging.Channel.Receive(Dictionary`2 fields, MessageReceivingEndpoint recipient)
 at DotNetOpenAuth.Messaging.Channel.ReadFromRequestCore(HttpRequestInfo request)
 at DotNetOpenAuth.Messaging.Channel.ReadFromRequest(HttpRequestInfo httpRequest)
 at DotNetOpenAuth.OpenId.RelyingParty.OpenIdRelyingParty.GetResponse(HttpRequestInfo httpRequestInfo)
 at DotNetOpenAuth.OpenId.RelyingParty.OpenIdRelyingParty.GetResponse()

1 answer:

Answer 0 (score: 9)

DotNetOpenAuth has built-in support for SSL appliances when they add these special HTTP headers to the forwarded HTTP request: X_FORWARDED_PROTO and/or HTTP_HOST. When those are present, auto-detection of the externally facing URL is correct. If you can configure the SSL appliance to do this, that is probably the best option.

Another approach is to call OpenIdRelyingParty.GetResponse(HttpRequestInfo) instead of the parameterless overload. You can construct the HttpRequestInfo with the real URL that you know. The URL-matching logic in DotNetOpenAuth will then not fail the request.
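The second approach from the answer, written out as an added example (not code from the question, the answer or the DotNetOpenAuth project): the public-facing URL is rebuilt from the SSL appliance's forwarding headers, but only when the hop really came from the appliance, and handed to GetResponse(HttpRequestInfo). It assumes DotNetOpenAuth 3.4.x, where HttpRequestInfo exposes the constructor HttpRequestInfo(string httpMethod, Uri requestUrl, string rawUrl, WebHeaderCollection headers, Stream inputStream); the proxy address and the Login.aspx usage are placeholders.

```csharp
using System;
using System.Net;
using System.Web;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId.RelyingParty;

public static class ProxiedRelyingParty
{
    // Backend-side address of the SSL appliance (placeholder; set to your own).
    private const string TrustedProxyAddress = "10.0.0.5";

    // Rebuilds the URL the browser actually used, i.e. the one the OP signed into
    // openid.return_to, from the headers the SSL appliance adds when forwarding.
    public static Uri GetPublicFacingUrl(HttpRequest request)
    {
        var builder = new UriBuilder(request.Url);

        // Honour X-Forwarded-Proto/Host only for requests that arrived via our proxy;
        // a client reaching the backend directly could otherwise spoof scheme and host
        // and defeat the return_to/recipient comparison that DNOA performs.
        if (request.UserHostAddress != TrustedProxyAddress)
        {
            return builder.Uri;
        }

        string proto = request.Headers["X-Forwarded-Proto"];
        if (string.Equals(proto, "https", StringComparison.OrdinalIgnoreCase))
        {
            builder.Scheme = Uri.UriSchemeHttps;
            builder.Port = 443; // the backend's HTTP port is not what the browser used
        }

        // Most reverse proxies pass the original Host header through; it may carry a port.
        string host = request.Headers["Host"];
        if (!string.IsNullOrEmpty(host))
        {
            string[] parts = host.Split(':');
            builder.Host = parts[0];
            if (parts.Length == 2) builder.Port = int.Parse(parts[1]);
        }
        return builder.Uri;
    }

    // Feeds the corrected URL to the overload that skips DNOA's own endpoint guesswork.
    public static IAuthenticationResponse GetResponse(OpenIdRelyingParty rp, HttpRequest request)
    {
        var headers = new WebHeaderCollection();
        headers.Add(request.Headers); // copy NameValueCollection into the type DNOA expects
        var info = new HttpRequestInfo(request.HttpMethod, GetPublicFacingUrl(request),
                                       request.RawUrl, headers, request.InputStream);
        return rp.GetResponse(info); // null when the request is not an OpenID response
    }
}
```

In the Login.aspx code-behind this replaces the parameterless call: `var response = ProxiedRelyingParty.GetResponse(relyingParty, Request);`, after which the usual `response.Status` handling applies.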