当通过CORS调用时,为什么User.Identity.IsAuthenticated == false

时间:2017-12-09 18:07:12

标签: cookies cors asp.net-core-2.0 fetch-api

为什么通过 CORS 调用时 User.Identity.IsAuthenticated == false,而从同一域调用时却为 true?

我有一个启用了 CORS、使用 Cookie 身份验证的 ASP.NET Core 2 应用程序。

当我调用

  

api / Identity / establish-session

时,无论是 CORS 调用还是同域 AJAX 调用,AUTHCOOKIE 都会被下发(设置)。
反之,当我调用

  

api / Identity / sign-out

时,AUTHCOOKIE 会被删除。到目前为止一切正常。

会话成功建立后,我调用

  

api / Identity / check-authentication

通过CORS调用时,

User.Identity.IsAuthenticated == false,但是当从同一域调用时,User.Identity.IsAuthenticated == true。
我不确定是我在 JavaScript 中的调用方式有问题,还是 ASP.NET 应用的配置有误。我原以为只要在 fetch 调用里设置 credentials: 'include' 就够了?

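[Produces("application/json")]
[Route("api/Identity")]
public class IdentityController : Controller
{
    // Issues a cookie-auth session for the supplied username.
    //
    // WARNING (review): the password is never verified — any username/password
    // pair is granted a signed-in identity in the "User" role. This is demo code;
    // wire it to a real credential check before exposing it. Callers should also
    // send the credentials in the form body rather than the query string (query
    // strings end up in server/proxy logs and browser history); simple-type
    // parameters bind from the form body as well as the query string.
    //
    // Responds 400 when either value is missing instead of failing on claim
    // construction (new Claim(type, null) throws, which surfaced as a 500).
    [HttpPost]
    [AllowAnonymous]
    [Route("establish-session")]
    public async Task EstablishAuthenticatedSession(string username, string password)
    {
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(password))
        {
            Response.StatusCode = 400;
            return;
        }

        var properties = new AuthenticationProperties
        {
            // Persistent cookie that outlives the browser session; the explicit
            // ExpiresUtc takes precedence over the cookie scheme's ExpireTimeSpan.
            IsPersistent = true,
            ExpiresUtc = DateTime.UtcNow.AddHours(1)
        };

        // Claim type is the literal "name" (not ClaimTypes.Name), so
        // User.Identity.Name will not be populated unless the identity is told
        // which claim to use — kept as-is to preserve the existing cookie contents.
        var claims = new[] { new Claim("name", username), new Claim(ClaimTypes.Role, "User") };
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(identity),
            properties);
    }

    // Clears the AUTHCOOKIE session.
    //
    // NOTE (review): a state-changing endpoint on GET can be triggered by any
    // third-party page (e.g. an <img src=...>), i.e. logout CSRF. The client in
    // this page calls it with GET, so the verb is left unchanged here; prefer
    // [HttpPost] once the caller is updated.
    [HttpGet]
    [AllowAnonymous]
    [Route("sign-out")]
    public async Task Logout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    }

    // Reports whether the current request carried a valid authentication cookie.
    // Not async: the original was marked async without an await (CS1998), which
    // only added a state machine for a synchronous property read.
    [HttpGet]
    [AllowAnonymous]
    [Route("check-authentication")]
    public Task<bool> CheckAuthentication()
    {
        return Task.FromResult(User.Identity?.IsAuthenticated ?? false);
    }
}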

这是我的 JavaScript 代码片段:

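establishAuthenticatedSession(){
            // Posts the credentials to the API, which responds by setting the
            // AUTHCOOKIE session cookie. credentials: 'include' is required so the
            // browser honours Set-Cookie on this cross-origin response and sends
            // the cookie on later cross-origin calls.
            let self = this;
            var model = this.get();
            console.log(model);
            var url = "https://localhost:44310/api/Identity/establish-session";
            // Send the credentials in the form body instead of the query string:
            // query strings are recorded in server/proxy logs and browser history.
            // The server binds simple action parameters from the form body as well
            // as the query string, so no server-side change is needed. The
            // form-urlencoded type is CORS-safelisted, so no preflight is added.
            // NOTE(review): these are still hard-coded demo credentials.
            var body = new URLSearchParams({ username: "herb", password: "1234" });
            fetch(url,
            {
                credentials: 'include',
                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
                method: 'POST',
                body: body.toString()
            })
            .then(function (res) {
                console.log(res);
                // fetch only rejects on network failure; a 4xx/5xx still resolves,
                // so the status must be checked or every failure reads as "Success".
                if (!res.ok) {
                    throw new Error('HTTP ' + res.status);
                }
                self.set({ establishSession:{ message:"Success" }});
            }).catch(function(error) {
                self.set({ establishSession:{ message:error.message }});
                console.log('There has been a problem with your fetch operation: ' + error.message);
            });

        },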
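        signOut(){
            // Asks the API to clear the AUTHCOOKIE. credentials: 'include' is
            // needed so the cookie is actually sent (and its deletion honoured)
            // across origins.
            // NOTE(review): the server exposes sign-out on GET, which any third
            // party page can trigger (logout CSRF); switch both sides to POST.
            let self = this;
            var model = this.get();
            console.log(model);
            var url = "https://localhost:44310/api/Identity/sign-out";
            // No Content-Type header: a GET carries no body, so the header was
            // meaningless.
            fetch(url,
            {
                credentials: 'include',
                method: 'GET'
            })
            .then(function (res) {
                console.log(res);
                // A non-2xx response still resolves; surface it instead of
                // reporting success.
                if (!res.ok) {
                    throw new Error('HTTP ' + res.status);
                }
                self.set({ signoutResult:{ message:"Success" }});
            }).catch(function(error) {
                self.set({ signoutResult:{ message:error.message }});
                console.log('There has been a problem with your fetch operation: ' + error.message);
            });

        },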
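        checkAuthenticatedSession(){
            // Calls the API and stores its "true"/"false" body as the message.
            // credentials: 'include' makes the browser attach AUTHCOOKIE to the
            // cross-origin request; without it the server sees an anonymous user.
            let self = this;
            var model = this.get();
            console.log(model);
            var url = "https://localhost:44310/api/Identity/check-authentication";
            // No Content-Type header: a GET carries no body.
            fetch(url,
            {
                credentials: 'include',
                method: 'GET'
            })
            .then(function (res) {
                // Only read the body of a successful response; an error page
                // would otherwise be shown as the "authenticated" value.
                if (!res.ok) {
                    throw new Error('HTTP ' + res.status);
                }
                return res.text();
            })
            .then(function (text) {
                console.log(text);
                self.set({ checkAuthenticatedSession:{ message:text }});
            })
            .catch(function(error) {
                self.set({ checkAuthenticatedSession:{ message:error.message }});
                console.log('There has been a problem with your fetch operation: ' + error.message);
            });
        }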

这是我的CORS设置;

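services.AddCors(options =>
            {
                // Credentialed CORS (cookies) must name the calling origins explicitly.
                // The CORS protocol forbids a "*" origin together with
                // Access-Control-Allow-Credentials: true. Older ASP.NET Core builds worked
                // around that by reflecting whatever Origin the request carried, which lets
                // ANY site make cookie-authenticated requests to this API and read the
                // responses; newer builds refuse this combination at startup.
                //
                // TODO(review): fill in the SPA origin(s) that call this API
                // (e.g. "https://app.example"). Left empty, the policy fails closed.
                options.AddPolicy("CorsPolicy",
                    builder => builder
                        .WithOrigins()
                        .AllowAnyMethod()
                        .AllowAnyHeader()
                        .AllowCredentials());
            });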

1 个答案:

答案 0 :(得分:0)

事实证明,cookie 需要设置为 SameSiteMode.None。给我提示的是来自 Azure 的 ARRAffinity cookie:它的 SameSite 为 None,会随跨站请求一起发送,而我的 AUTHCOOKIE 不会。(补充:现代浏览器要求 SameSite=None 的 cookie 必须同时带有 Secure 属性,因此 SecurePolicy 应设为 Always 而不是 SameAsRequest;另外 AllowAnyOrigin() 与 AllowCredentials() 不能同时使用,带凭据的 CORS 必须通过 WithOrigins(...) 显式列出调用方来源。)

在我的应用程序中,我必须将其设置如下;

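public class Startup
{
    ...

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        ...           

        services.AddAuthentication(sharedOptions =>
            {
                sharedOptions.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                // sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie(
                CookieAuthenticationDefaults.AuthenticationScheme,
                options =>
                {
                    // NOTE(review): for an API consumed via fetch, a 401 is more useful than
                    // a 302 to this page — consider overriding Events.OnRedirectToLogin.
                    options.LoginPath = "/Account/LogIn";
                    // NOTE(review): this is the login page again, so a signed-in user who
                    // lacks a role is sent back to login; a dedicated page avoids that loop.
                    options.AccessDeniedPath = new PathString("/account/login");
                    options.Cookie.Name = "AUTHCOOKIE";
                    // Default cookie lifetime. The controller passes an explicit ExpiresUtc
                    // (1 hour) in AuthenticationProperties, which takes precedence for
                    // sessions it creates.
                    options.ExpireTimeSpan = new TimeSpan(365, 0, 0, 0);
                    // A cross-site cookie must be marked Secure: browsers reject SameSite=None
                    // cookies without the Secure attribute, and SameAsRequest would emit a
                    // non-Secure cookie on any plain-HTTP request. The API is served over
                    // HTTPS (https://localhost:44310), so Always is safe here.
                    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                    // Required so the browser sends AUTHCOOKIE on cross-origin fetches.
                    // Depending on the framework patch level, SameSiteMode.None either omits
                    // the attribute (early 2.x) or emits SameSite=None explicitly (3.1+,
                    // which also added SameSiteMode.Unspecified).
                    options.Cookie.SameSite = SameSiteMode.None;

                }
            );
        ...
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        ...
        var cookiePolicyOptions = new CookiePolicyOptions
        {
            // Keep in step with the cookie scheme: with SameAsRequest the policy
            // middleware would clear Secure on cookies appended during plain-HTTP requests.
            Secure = CookieSecurePolicy.Always,
            // None = do not force a stricter SameSite than each cookie asks for.
            MinimumSameSitePolicy = SameSiteMode.None
        };

        app.UseCookiePolicy(cookiePolicyOptions);
        ...
    }
}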