CORB OpenID Connect /连接/授权端点(Identity Server 4)

时间:2019-01-23 15:51:20

标签: asp.net-core identityserver4 openid-connect

我目前遇到一个奇怪的问题。我们正在托管一个使用Identity Server 4作为联合网关的ASP.CORE 2.1应用程序。

首先使用Chrome浏览到该网站是空的-在控制台中只留下一个小提示,即CORB阻止了某些内容。

enter image description here

调查小提琴手,似乎是在阻止发回应用程序 / signin-oidc 中间件的“隐藏”表单。

Fiddler showing response from identity server

但是奇怪的是,刷新后一切正常,并且CORB不再是问题。查看提琴手中相应的“良好”响应,相同的标头是相同的。

我可以验证来自Identity Server的form_post没有到达提琴手中的应用程序,调试OpenID事件和每个请求,然后得到nada。

app.Use(async (context, next) =>
        {
            if (!context.User.Identity.IsAuthenticated)
            {
                   // look to see if bearer is present instead of cookies
                    string auth = context.Request.Headers["Authorization"];
                    if (string.IsNullOrEmpty(auth) || !auth.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
                    {
                       // request needs to be authenticated
                        await context.ChallengeAsync();
                    }
                    else
                    {
                        await next();
                    }
            }
            else
            {
                // all is good, continue
                await next();
            }
        });

CORB为什么阻止初始请求?这可能是浏览器导航还是刷新行为?

这是客户端配置,其中包含我正在调试的事件:

services.AddAuthentication(opts =>
            {
                opts.DefaultChallengeScheme = "oidce";
                opts.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            })
                .AddCookie(opts =>
                {
                    opts.SessionStore = new MemoryCacheTicketRepository();
                    opts.ExpireTimeSpan = TimeSpan.FromHours(2);
                })
                .AddIdentityServerAuthentication("Bearer", opts =>
                {
                    ...
                })
                .AddOpenIdConnect("oidce", opts =>
                {
                    ...
                    opts.Events = new Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents()
                    {
                        OnAuthenticationFailed = async p =>
                        {
                            var test = p;
                        },
                        OnAuthorizationCodeReceived = async p =>
                        {
                            var test = p;
                        },
                        OnMessageReceived = async p =>
                        {
                            var test = p;
                        },
                        OnRemoteFailure = async p =>
                        {
                            var test = p;
                        },
                        OnTicketReceived = async p =>
                        {
                            var test = p;
                        },
                        OnTokenResponseReceived = async p =>
                        {
                            var test = p;
                        },
                        OnTokenValidated = async p =>
                        {
                            var test = p;
                        }

                    };
                });

由于响应的好坏之间没有相同的标头,所以我猜测'Access-Control-Allow-Headers''Content-Type'并不是问题。会是什么?

1 个答案:

答案 0 :(得分:0)

在Vidmantas Blazevicius的评论之后,我尝试添加CSPS标头,并且它确实有效。

小问题,首先,我在为SPA提供服务的ASP CORE应用程序中应用了标头。

app.Use(async (context, next) =>
{
    context.Response.Headers.Add("Content-Security-Policy",
                                "default-src 'self' https://localhost:5000; script-src 'unsafe-eval'; script-src-elem 'unsafe-inline';");
        if (!context.User.Identity.IsAuthenticated)
        {
                // look to see if bearer is present instead of cookies
            string auth = context.Request.Headers["Authorization"];
            if (string.IsNullOrEmpty(auth) || !auth.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
                {
                   // request needs to be authenticated
                    await context.ChallengeAsync();
                }
                else
                {
                    await next();
                }
        }
        else
        {
            // all is good, continue
            await next();
        }
    });

这似乎并没有解决问题,所以我尝试将其添加到该应用程序正在服务的index.html中。

<meta http-equiv="Content-Security-Policy" content="default-src 'self' https://localhost:5000; script-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;">

到目前为止,它似乎确实有效。

相关问题
最新问题