我设置了一个非常简单的ASP.NET MVC 5应用程序,该应用程序尝试通过授权代码模式下的OpenID提供程序对用户进行身份验证。
我能够登录,服务器在重定向URL查询字符串和现时cookie中返回一个代码。但是,在客户端应用程序上,用户未通过身份验证(User.Identity.IsAuthenticated
否),没有声明并且被称为控制器的拥有Authorize
属性的操作将永远不会执行。浏览器停留在主页的重定向URL页面上。
我认为在执行OpenID Connect中间件期间会发生一些事情,这会使它停止到一半,但无法完全弄清楚如何对其进行调试。
即使在“所有CLR异常都中断”模式下也不会引发异常。
在详细级别将EventListener连接到IdentityModelEventSource.Logger
时,每次身份验证尝试一次,我只会收到一个记录的事件,该事件记录为“为openIdConnect消息生成随机数” 。
除Notification
外,没有到达RedirectToIdentityProvider
挂钩,因此看起来好像没有收到授权码或安全令牌,但是认证也不会失败。
如何获取有关发生的情况的更多信息,以便我可以调试问题?
代码如下:
public void Configuration(IAppBuilder app)
{
var clientSecret = "secret";
var authenticationOptions = new OpenIdConnectAuthenticationOptions
{
ClientId = "id",
ClientSecret = clientSecret,
Authority = "https://theauthority",
RedirectUri = "https://localhost/MyApp/",
};
authenticationOptions.ResponseType = OpenIdConnectResponseType.Code; // Authorization code
authenticationOptions.TokenValidationParameters.IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(clientSecret));
authenticationOptions.TokenValidationParameters.RequireSignedTokens = true;
authenticationOptions.TokenValidationParameters.ValidAudience = "katanaclient";
authenticationOptions.SignInAsAuthenticationType = "Cookies";
authenticationOptions.Configuration = new OpenIdConnectConfiguration
{
Issuer = "https://theissuer",
AuthorizationEndpoint = "https://theendpoint",
TokenEndpoint = "https://theendpoint/api/v1/token",
UserInfoEndpoint = "https://theendpoint/api/v1/userinfo",
EndSessionEndpoint = "https://theendpoint/api/v1/logout",
ScopesSupported = { "openid", "profile"},
};
authenticationOptions.Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = async n =>
{
// here it goes
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
{
n.ProtocolMessage.EnableTelemetryParameters = false;
}
},
AuthorizationCodeReceived = async notification =>
{
// doesn't go through here
Debug.WriteLine($"{notification.Response.Body}");
},
SecurityTokenReceived = async notification =>
{
// doesn't go through here
Debug.WriteLine($"{notification.Response.Body}");
},
AuthenticationFailed = async notification =>
{
// doesn't go through here
Debug.WriteLine($"{notification.Response.Body}");
},
SecurityTokenValidated = async n =>
{
// doesn't go through here
Debug.WriteLine($"{n.Response.Body}");
},
MessageReceived = async notification =>
{
// doesn't go through here
Debug.WriteLine($"{notification.Response.Body}");
}
};
app.UseCookieAuthentication(new CookieAuthenticationOptions()
);
app.UseOpenIdConnectAuthentication(authenticationOptions);
Microsoft.IdentityModel.Logging.IdentityModelEventSource.Logger.LogLevel = EventLevel.Verbose;
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
var listener = new EventListener();
listener.EnableEvents(Microsoft.IdentityModel.Logging.IdentityModelEventSource.Logger, EventLevel.LogAlways);
listener.EventWritten += Listener_EventWritten; // Only thing this ever logs is "generating nonce"
}
[编辑]
我发现在带有GetClaimsFromUserInfoEndpoint = true
的ASP.NET Core 项目中,它可以完美地工作。但是可悲的是,旧的Microsoft.Owin.Security.OpenIdConnect
实现中缺少该属性...