Failing OpenID Connect middleware - how to debug it?

Time: 2018-11-22 08:33:40

Tags: asp.net-mvc owin openid openid-connect katana

I have set up a very simple ASP.NET MVC 5 application that tries to authenticate users against an OpenID provider using the authorization code flow.

I am able to log in, and the server returns a code in the redirect URL query string together with a nonce cookie. However, on the client application the user is not authenticated (User.Identity.IsAuthenticated is false), there are no claims, and controller actions marked with the Authorize attribute never execute. The browser stays on the redirect URL page, which is the home page.

I think something happens during the execution of the OpenID Connect middleware that stops it halfway, but I cannot quite work out how to debug it.

  • No exception is thrown, even in "break on all CLR exceptions" mode.

  • When attaching an EventListener to IdentityModelEventSource.Logger at verbose level, I only get a single logged event per authentication attempt, which reads "Generating nonce for openIdConnect message".

  • Apart from RedirectToIdentityProvider, none of the Notification hooks are reached, so it looks as if neither the authorization code nor a security token is received, yet authentication does not fail either.

How can I get more information about what is going on so that I can debug the problem?

The code is as follows:

    using System.Diagnostics;
    using System.Diagnostics.Tracing;
    using System.Text;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    using Microsoft.IdentityModel.Tokens;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            var clientSecret = "secret";
            var authenticationOptions = new OpenIdConnectAuthenticationOptions
            {
                ClientId = "id",
                ClientSecret = clientSecret,
                Authority = "https://theauthority",
                RedirectUri = "https://localhost/MyApp/",
            };

            authenticationOptions.ResponseType = OpenIdConnectResponseType.Code; // Authorization code
            authenticationOptions.TokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(clientSecret));
            authenticationOptions.TokenValidationParameters.RequireSignedTokens = true;
            authenticationOptions.TokenValidationParameters.ValidAudience = "katanaclient";
            authenticationOptions.SignInAsAuthenticationType = "Cookies";
            // Static configuration instead of discovery via the Authority's metadata endpoint
            authenticationOptions.Configuration = new OpenIdConnectConfiguration
            {
                Issuer = "https://theissuer",
                AuthorizationEndpoint = "https://theendpoint",
                TokenEndpoint = "https://theendpoint/api/v1/token",
                UserInfoEndpoint = "https://theendpoint/api/v1/userinfo",
                EndSessionEndpoint = "https://theendpoint/api/v1/logout",
                ScopesSupported = { "openid", "profile" },
            };

            authenticationOptions.Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = async n =>
                {
                    // here it goes
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                    {
                        n.ProtocolMessage.EnableTelemetryParameters = false;
                    }
                },
                AuthorizationCodeReceived = async notification =>
                {
                    // doesn't go through here
                    Debug.WriteLine($"{notification.Response.Body}");
                },
                SecurityTokenReceived = async notification =>
                {
                    // doesn't go through here
                    Debug.WriteLine($"{notification.Response.Body}");
                },
                AuthenticationFailed = async notification =>
                {
                    // doesn't go through here
                    Debug.WriteLine($"{notification.Response.Body}");
                },
                SecurityTokenValidated = async n =>
                {
                    // doesn't go through here
                    Debug.WriteLine($"{n.Response.Body}");
                },
                MessageReceived = async notification =>
                {
                    // doesn't go through here
                    Debug.WriteLine($"{notification.Response.Body}");
                }
            };

            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            app.UseOpenIdConnectAuthentication(authenticationOptions);

            Microsoft.IdentityModel.Logging.IdentityModelEventSource.Logger.LogLevel = EventLevel.Verbose;
            Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;

            var listener = new EventListener();
            listener.EnableEvents(Microsoft.IdentityModel.Logging.IdentityModelEventSource.Logger, EventLevel.LogAlways);
            listener.EventWritten += Listener_EventWritten; // Only thing this ever logs is "generating nonce"
        }

        // Handler for the EventListener wired up above; writes each IdentityModel event to the debugger output
        private static void Listener_EventWritten(object sender, EventWrittenEventArgs e)
        {
            Debug.WriteLine($"[{e.Level}] event {e.EventId}: {string.Join(" ", e.Payload)}");
        }
    }

[Edit]

I found that in an ASP.NET Core project with GetClaimsFromUserInfoEndpoint = true it works perfectly. Sadly, though, that property is missing from the old Microsoft.Owin.Security.OpenIdConnect implementation...
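An added diagnostic harness for this situation (not code from the question or from the Katana project): it routes Katana's own middleware tracing to the debugger via SetLoggerFactory, and logs the shape of every request that reaches the redirect URI (method, content type, whether code/state/error are present in the query string or in a POSTed form body) before the OpenID Connect handler sees it, so you can tell whether the callback is arriving in a form the handler actually consumes. It assumes the Microsoft.Owin / Katana packages the question already references; callbackPath is assumed to be the application-relative path of RedirectUri.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Logging;
using Owin;

// Katana logger factory that forwards every middleware trace to the debugger output.
public sealed class DebugLoggerFactory : ILoggerFactory
{
    public ILogger Create(string name) => new DebugLogger(name);

    private sealed class DebugLogger : ILogger
    {
        private readonly string _name;
        public DebugLogger(string name) { _name = name; }

        public bool WriteCore(TraceEventType eventType, int eventId, object state,
                              Exception exception, Func<object, Exception, string> formatter)
        {
            Debug.WriteLine($"[{eventType}] {_name}: {formatter(state, exception)}");
            return true; // report this level as enabled so Katana keeps emitting traces
        }
    }
}

public static class OidcCallbackDiagnostics
{
    // Call this before app.UseOpenIdConnectAuthentication(...). callbackPath is the path
    // part of RedirectUri relative to the application root (assumed "/" for .../MyApp/).
    public static void UseCallbackLogging(this IAppBuilder app, PathString callbackPath)
    {
        app.SetLoggerFactory(new DebugLoggerFactory());
        app.Use(async (IOwinContext ctx, Func<Task> next) =>
        {
            if (ctx.Request.Path == callbackPath)
            {
                var query = ctx.Request.Query;
                // Katana caches the parsed form on the request, so the OIDC handler can still read it.
                var form = string.Equals(ctx.Request.Method, "POST", StringComparison.OrdinalIgnoreCase)
                    ? await ctx.Request.ReadFormAsync() : null;
                Debug.WriteLine($"OIDC callback: {ctx.Request.Method} {ctx.Request.ContentType} | " +
                    $"query: code={query.Get("code") != null} state={query.Get("state") != null} " +
                    $"error={query.Get("error")} | form: code={form?.Get("code") != null}");
            }
            await next();
        });
    }
}
```

Register it with app.UseCallbackLogging(new PathString("/")) ahead of app.UseOpenIdConnectAuthentication(authenticationOptions); a callback line showing a GET with the code only in the query string, followed by no handler trace at all, tells you the handler is not consuming the response rather than failing on it.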

0 answers:

No answers