Identity Server 3 - 401在Ajax上调用而不是302

时间:2016-01-25 16:39:45

标签: asp.net cookies asp.net-mvc-5 identityserver3

我有一个web api / mvc混合应用程序,我已将其配置为使用cookie身份验证。这适用于应用程序的mvc部分。 web api会强制执行授权,但不会返回401 - Unauthorised,而是返回302 - Found并重定向到登录页面。我宁愿它返回401。我试图挂钩CookieAuthenticationProvider.OnApplyRedirect代表,但似乎没有被调用。我错过了什么?我目前的设置如下:

AntiForgeryConfig.UniqueClaimTypeIdentifier = Constants.ClaimTypes.Subject;
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies",
    ExpireTimeSpan = TimeSpan.FromMinutes(20),
    SlidingExpiration = true,
    CookieHttpOnly = true,
    CookieSecure = CookieSecureOption.Never, //local non ssl-dev only
    Provider = new CookieAuthenticationProvider
    {
        OnApplyRedirect = ctx =>
        {
            if (!IsAjaxRequest(ctx.Request))
            {
                ctx.Response.Redirect(ctx.RedirectUri);
            }
        }
    }
});

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    Authority = IdentityConfig.Authority,
    ClientId = IdentityConfig.SoftwareClientId,
    Scope = "openid profile roles",
    RedirectUri = IdentityConfig.RedirectUri,
    ResponseType = "id_token",
    SignInAsAuthenticationType = "Cookies"
});

2 个答案:

答案 0 :(得分:10)

在您的示例中,UseOpenIdConnectAuthentication不再对此进行控制,而是Notifications。这涉及使用app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions { Authority = IdentityConfig.Authority, ClientId = IdentityConfig.SoftwareClientId, Scope = "openid profile roles", RedirectUri = IdentityConfig.RedirectUri, ResponseType = "id_token", SignInAsAuthenticationType = "Cookies", Notifications = new OpenIdConnectAuthenticationNotifications { RedirectToIdentityProvider = notification => { if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest) { if (IsAjaxRequest(notification.Request) && notification.Response.StatusCode == (int)HttpStatusCode.Unauthorized) { notification.Response.StatusCode = (int)HttpStatusCode.Unauthorized; notification.HandleResponse(); return Task.FromResult(0); } } return Task.FromResult(0); } } }); 属性并拦截OpenID Connect身份验证请求。

尝试以下灵感:

public var payFrequency: PayFrequency {
    get { return self["payFrequency"] as? PayFrequency ?? .Weekly }
    set(value) { self["payFrequency"] = value }
}

答案 1 :(得分:0)

在我的情况下,IsAjaxRequest无法解决问题。相反,我依赖到WebAPI的所有路由都在“ / api”下,所以我不是IsAjaxRequest,而是:

RedirectToIdentityProvider =  context => {
    if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication){
        if (context.Request.Path.StartsWithSegments(new PathString("/api")) && context.Response.StatusCode == (int)HttpStatusCode.Unauthorized){
            context.HandleResponse();
            return Task.CompletedTask;
        }
    }
    return Task.CompletedTask;
}
相关问题
最新问题