背景
因此,我们有一个应用程序服务,可以使用OpenIdConnect在另一个租约中从Azure AD进行身份验证。
登录适用于IIS的开发实例,并且适用于我们的测试应用程序服务。我们在测试中看到了这个问题,它消失了,并且在项目的整个测试阶段都没有返回。
现在我们已经部署到生产环境,并且再次遇到了这个问题。
问题
我们看到的是,一段时间后一切都会正常运行,然后几个小时后,问题又会再次出现。
我们有一种解决方法,用于还原服务-即在azure控制面板中启用然后禁用应用程序服务身份验证。相反的方法也可以-禁用然后启用将还原服务。
代码
public void ConfigureAuth(IAppBuilder app)
{
//Azure AD Configuration
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
//sets client ID, authority, and RedirectUri as obtained from web config
ClientId = clientId,
ClientSecret = appKey,
Authority = authority,
RedirectUri = redirectUrl,
CallbackPath = new PathString("/"), //use this line for production and test
//page that users are redirected to on logout
PostLogoutRedirectUri = redirectUrl,
//scope - the claims that the app will make
Scope = OpenIdConnectScope.OpenIdProfile,
ResponseType = OpenIdConnectResponseType.CodeIdToken,
//setup multi-tennant support here, or set ValidateIssuer = true to config for single tennancy
TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuer = true,
//SaveSigninToken = true
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
AuthorizationCodeReceived = OnAuthorizationCodeReceived,
}
}
);
}
private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
{
var code = context.Code;
ClientCredential cred = new ClientCredential(clientId, appKey);
string userObjectId = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
//this token cache is stateful, we're going to populate it here, but we'll store it elsewhere in-case the user ends up accessing a different instance
AuthenticationContext authContext = new AuthenticationContext(authority, new NaiveSessionCache(userObjectId));
// If you create the redirectUri this way, it will contain a trailing slash.
// Make sure you've registered the same exact Uri in the Azure Portal (including the slash).
Uri uri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(code, uri, cred, "https://graph.windows.net");
//populate the persistent token cache
testdb2Entities5 db = new testdb2Entities5();
PersistentTokenCache tc = await db.PersistentTokenCaches.FindAsync(userObjectId);
//if null, populate a new item
if (tc == null)
{
tc = new PersistentTokenCache();
tc.object_id = userObjectId;
tc.token = code;
db.PersistentTokenCaches.Add(tc);
await db.SaveChangesAsync();
}
else
{
tc.token = code;
await db.SaveChangesAsync();
}
}
//authentication failed notifications
private Task OnAuthenticationFailed(AuthenticationFailedNotification<Microsoft.IdentityModel.Protocols
.OpenIdConnect.OpenIdConnectMessage,
OpenIdConnectAuthenticationOptions> context)
{
context.HandleResponse();
context.Response.Redirect("/?errormessage=" + context.Exception.Message);
return Task.FromResult(0);
}
问题
因此,基于启用和禁用应用程序服务身份验证所做的一切,显然可以暂时解决问题。所以我认为这是一个与Cookie相关的问题-因为那是在会话之间转移状态的唯一方法。这到底是什么问题?我需要采取什么步骤来诊断和解决问题?
答案 0 :(得分:1)
到目前为止,似乎这是Katana中一个已知错误的问题,其中Katana cookie管理器和ASP .NET cookie管理器发生冲突并覆盖彼此的cookie。
以下是一些故障排除方法,您可以参考:
1。设置
app.UseCookieAuthentication(new CookieAuthenticationOptions {CookieSecure == CookieSecureOption.Always})。这意味着cookie可能与您的身份验证一起泄漏。
2。在SystemWebCookieManager Nuget包中的UseCookieAuthentication中添加Microsoft.Owin.Host.SystemWeb。请参阅此thread。
3。Split cookie。有人注意到,如果Cookie字符超过浏览器限制(> 4096),就会出现问题。因此,为解决该问题,请在每个cookie中包含大约4000个字符的set-cookie,并在需要时将所有cookie合并在一起以获取原始值。
有关如何通过Microsoft将登录信息添加到ASP.NET Web应用程序的更多详细信息,请参阅此article。
更新:
使用安装Kentor.OwinCookieSaver nuget包修复并在app.UseKentorOwinCookieSaver();之前添加app.UseCookieAuthentication(new CookieAuthenticationOptions());