我们有一台运行IdentityServer4的计算机,它本身用作Office 365的联合网关。
我正在试图弄清楚如何规避这种情况:我们创建了一个具有以下owin-startup类的MVC应用程序:
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
AuthenticationType = "Cookies",
ExpireTimeSpan = TimeSpan.FromMinutes(1),
SlidingExpiration = false
});
JwtSecurityTokenHandler.InboundClaimTypeMap.Clear();
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
AuthenticationType = "oidc",
SignInAsAuthenticationType = "Cookies",
Authority = "https://localhost:5000/",
ClientId = "dev",
RedirectUri = "http://localhost:54509/",
ResponseType = "id_token token",
Scope = "openid profile account",
UseTokenLifetime = false,
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = async n =>
{
var claims_to_exclude = new[]
{
"aud", "iss", "nbf", "exp", "nonce", "iat", "at_hash"
};
var claims_to_keep =
n.AuthenticationTicket.Identity.Claims
.Where(x => false == claims_to_exclude.Contains(x.Type)).ToList();
claims_to_keep.Add(new Claim("id_token", n.ProtocolMessage.IdToken));
var ci = new ClaimsIdentity(
n.AuthenticationTicket.Identity.AuthenticationType,
"name", "role");
ci.AddClaims(claims_to_keep);
n.AuthenticationTicket = new AuthenticationTicket(
ci, n.AuthenticationTicket.Properties
);
},
RedirectToIdentityProvider = n =>
{
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
{
var id_token = n.OwinContext.Authentication.User.FindFirst("id_token")?.Value;
n.ProtocolMessage.IdTokenHint = id_token;
}
return Task.FromResult(0);
}
}
});
app.UseStageMarker(PipelineStage.Authenticate);
到目前为止一切顺利:第一次访问时,用户被重定向到Identity Server,登录并返回,但是当他们丢失令牌或未经身份验证并尝试访问装饰有[授权]的控制器时,登录站点将返回给该控制器。
我们是否使用错误的流程进行此反向通道,服务器到服务器的通信?或者有没有办法拦截这个,以便在控制器因获取HTML而不是JSON而感到恐惧之前立即重定向它们。