I have an OpenID client proxy. On the proxy I have configured two schemes:

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Bearer";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc-app1", options =>
    {
        options.SignInScheme = "Cookies";
        options.Authority = "http://sts.com";
        options.RequireHttpsMetadata = false;
        options.ClientId = "app1";
        options.SaveTokens = true;
    })
    .AddOpenIdConnect("oidc-app2", options =>
    {
        options.SignInScheme = "Cookies";
        options.Authority = "http://sts.com";
        options.RequireHttpsMetadata = false;
        options.ClientId = "app2";
        options.SaveTokens = true;
    });
These schemes differ only in their ClientId: app1 and app2.

My client selects the scheme per request:

    app.Use(async (context, next) =>
    {
        string clientId = GetClientIdFromContext(context);
        string schema = $"oidc-{clientId}";
        // Authenticate against the per-client scheme instead of the default one
        var userResult = await context.AuthenticateAsync(schema);
        var user = userResult.Principal;
        // Not authenticated: start the challenge for that same scheme
        if (user == null || !user.Identities.Any(identity => identity.IsAuthenticated))
        {
            await context.ChallengeAsync(schema);
            return;
        }
        await next();
    });
Authentication against scheme "app1" succeeds.

When I authenticate against scheme "app2":

- the identity server issues the token
- an error "Not authenticated" occurs while handling http://proxy/signin-oidc

This error probably comes from this code, in Microsoft.AspNetCore.Authentication\RemoteAuthenticationHandler.cs:

    // The SignInScheme may be shared with multiple providers, make sure this provider issued the identity.
    string authenticatedScheme;
    var ticket = result.Ticket;
    if (ticket != null && ticket.Principal != null && ticket.Properties != null
        && ticket.Properties.Items.TryGetValue(AuthSchemeKey, out authenticatedScheme)
        && string.Equals(Scheme.Name, authenticatedScheme, StringComparison.Ordinal))
    {
        return AuthenticateResult.Success(new AuthenticationTicket(ticket.Principal,
            ticket.Properties, Scheme.Name));
    }
    return AuthenticateResult.Fail("Not authenticated");
But I cannot debug it.

Can you help me? Could you also explain this comment: "The SignInScheme may be shared with multiple providers, make sure this provider issued the identity."?

Thanks for the help. Best regards :)
Answer 0: (score: 0)

I found the answer. In this case each provider must have a different callback path: https://github.com/aspnet/Security/issues/1510
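As an added example (not code from the question or the answer), here is the same two-provider registration with a distinct callback path per OpenID Connect handler, which is what the linked issue asks for; the `/signin-oidc-app1`-style paths and the choice of "Cookies" as the default scheme are assumptions, everything else is taken from the question.

```csharp
// Added example: two OIDC providers sharing one cookie SignInScheme.
// Each provider gets its own CallbackPath so that only the handler that
// started the login processes its response; with the default "/signin-oidc"
// both handlers would claim the same path and the RemoteAuthenticationHandler
// check quoted in the question (Scheme.Name must equal the scheme recorded
// in the ticket's AuthSchemeKey) fails with "Not authenticated".
services.AddAuthentication("Cookies")          // assumption: cookie is the default scheme
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc-app1", options =>
    {
        options.SignInScheme = "Cookies";
        options.Authority = "http://sts.com";
        options.RequireHttpsMetadata = false;
        options.ClientId = "app1";
        options.SaveTokens = true;
        // Assumed per-provider paths; the defaults are /signin-oidc and
        // /signout-callback-oidc for every OpenIdConnect handler.
        options.CallbackPath = "/signin-oidc-app1";
        options.SignedOutCallbackPath = "/signout-callback-oidc-app1";
    })
    .AddOpenIdConnect("oidc-app2", options =>
    {
        options.SignInScheme = "Cookies";
        options.Authority = "http://sts.com";
        options.RequireHttpsMetadata = false;
        options.ClientId = "app2";
        options.SaveTokens = true;
        options.CallbackPath = "/signin-oidc-app2";
        options.SignedOutCallbackPath = "/signout-callback-oidc-app2";
    });
```

The redirect URIs registered at the identity server for app1 and app2 must match the new paths, otherwise the authorization request is rejected before the callback is ever reached.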