asp.net核心站点位于代理后面：Azure B2C登录导致关联失败

Question

我有一个使用Azure B2C登录的Web应用程序。当我在本地运行站点时，配置设置为登录Azure B2C租户，一切正常。

然后，我将站点部署到Azure，在FrontDoor代理/负载平衡配置的后面有两个webapp。我也使用流量管理器尝试过同样的方法。

当我单击“登录”链接时，该链接应将我重定向到“登录B2C”页面，而是重定向回我的网站并在网页上显示错误：关联失败。

假设我在前门配置中有两个Web应用程序，称为：

• mywebapp-eastus
• mywebapp-westus

，并假定公共域名为https://www.mywebapp.com

当我要求登录时，在signin-oidc请求的响应标头中，我看到的是：

set-cookie: ARRAffinity=335ad67894a0a02a521f095924a8d7be4f7829a49d21743b7dd9ec8ce66879d7;Path=/;HttpOnly;Domain=mywebapp-eastus.azurewebsites.net

其中 mywebapp-eastus 实际上是一个单独的Web应用程序名称。我本来希望在这里看到公共领域，而不是我连接到的单个Web应用。

从此Chrome开发工具屏幕截图可以看出，重定向发生后，signin-oidc会导致错误：

我希望看到的是：     ARRAffinity = 335ad67894a0a02a521f095924a8d7be4f7829a49d21743b7dd9ec8ce66879d7; Path = /; HttpOnly; Domain = www.mywebapp.com

我不知道这是否是导致错误的根本原因。

这是设置身份验证和cookie的代码：

            services.Configure<CookiePolicyOptions>(options =>
        {
            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        services.Configure<ApiBehaviorOptions>(options =>
        {
            options.InvalidModelStateResponseFactory = ctx => new ValidationProblemDetailsResult();
        });

            services.AddAuthentication(sharedOptions =>
            {
                sharedOptions.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddAzureAdB2C(options => Configuration.Bind(AppSettings.AzureB2CSettings, options))
            .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
            {
                options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
                options.SlidingExpiration = true;
                options.Cookie.HttpOnly = false;
                options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
            });

更新

我添加了x-forward-proto选项，但效果不明显：

        var forwardingOptions = new ForwardedHeadersOptions()
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
        };
        forwardingOptions.KnownNetworks.Clear(); 
        forwardingOptions.KnownProxies.Clear();
        app.UseForwardedHeaders(forwardingOptions);

我以为我在这里发现了一个相关问题：x-forwarded-proto-not-working

您知道如何解决此问题吗？我可以设置哪些选项，以便将公共域正确地填充到响应头中。

该网络应用在linux上运行asp.netcore 2.2（用于容器的网络应用）。

更新2：

我已将日志记录添加到该站点。它表明存在一个潜在错误：未找到Cookie 和关联失败

  

信息{Protocol =“ HTTP / 1.1”，Method =“ POST”，ContentType =“ application / x-www-form-urlencoded”，ContentLength = 722，Scheme =“ http”，Host =“ webapp-eastus。 azurewebsites.net“，PathBase =”“，Path =” / signin-oidc“，QueryString =”“，EventId = {Id = 1}，SourceContext =” Microsoft.AspNetCore.Hosting.Internal.WebHost“，RequestId =” 0HLKC8D934664 ：00000001“，RequestPath =” / signin-oidc“，CorrelationId = null，ConnectionId =” 0HLKC8D934664“}”请求启动HTTP / 1.1 POST http://webapp-eastus.azurewebsites.net/signin-oidc application / x-www-form-urlencoded 722“   调试{EventId = {Id = 1}，SourceContext =“ Microsoft.AspNetCore.HttpsPolicy.HstsMiddleware”，RequestId =“ 0HLKC8D934664：00000001”，RequestPath =“ / signin-oidc”，CorrelationId = null，ConnectionId =“ 0HLKC8D934664”}请求不安全。跳过HSTS标头。   调试{EventId = {Id = 1}，SourceContext =“ Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware”，RequestId =“ 0HLKC8D934664：00000001”，RequestPath =“ / signin-oidc”，CorrelationId = null，ConnectionId =“ 0HLKC8D934664”}“不支持“ POST”请求   调试{EventId = {Id = 25，Name =“ RequestBodyStart”“，SourceContext =” Microsoft.AspNetCore.Server.Kestrel“，RequestId =” 0HLKC8D934664：00000001“，RequestPath =” / signin-oidc“，CorrelationId = null}连接id“” 0HLKC8D934664“”，请求id“” 0HLKC8D934664：00000001“”：开始读取请求正文。   调试{EventId = {Id = 26，Name =“ RequestBodyDone”}，SourceContext =“ Microsoft.AspNetCore.Server.Kestrel”，RequestId =“ 0HLKC8D934664：00000001”，RequestPath =“ / signin-oidc”，CorrelationId = null}连接id“” 0HLKC8D934664“”，请求id“” 0HLKC8D934664：00000001“”：已完成读取请求正文。   [40m [1m [33mwarn [39m [22m [49m：Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler [15]         找不到'.AspNetCore.Correlation.OpenIdConnect.2KB8HPHJV3KhB2HCDp3C3b5iPXjcdAQLOrz5-6nGnwY'Cookie。   警告{EventId = {Id = 15}，SourceContext =“ Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler”，RequestId =“ 0HLKC8D934664：00000001”，RequestPath =“ / signin-oidc”，CorrelationId = null，ConnectionId =“ 0HLKC8D934664” }'“ .AspNetCore.Correlation.OpenIdConnect.2KB8HPHJV3KhB2HCDp3C3b5iPXjcdAQLOrz5-6nGnwY”“ 未找到Cookie 。   信息{EventId = {Id = 4}，SourceContext =“ Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler”，RequestId =“ 0HLKC8D934664：00000001”，RequestPath =“ / signin-oidc”，CorrelationId = null，ConnectionId =“ 0HLKC8D934664” }来自RemoteAuthentication的错误：“ 关联失败。”。   调试{SourceContext =“ AppBuilderExtensions”，RequestId =“ 0HLKC8D934663：00000001”，RequestPath =“ /”，CorrelationId = null，ConnectionId =“ 0HLKC8D934663”}标题：“ User-Agent”：[“ Edge Health Probe”]   调试{SourceContext =“ AppBuilderExtensions”，RequestId =“ 0HLKC8D934663：00000001”，RequestPath =“ /”，CorrelationId = null，ConnectionId =“ 0HLKC8D934663”}标题：“ X客户端IP”：[“ 1.1.1.1”]   信息{ElapsedMilliseconds = 12.3269，StatusCode = 302，ContentType = null，EventId = {Id = 2}，SourceContext =“ Microsoft.AspNetCore.Hosting.Internal.WebHost”，RequestId =“ 0HLKC8D934664：00000001”，RequestPath =“ / signin- oidc“，CorrelationId = null，ConnectionId =” 0HLKC8D934664“}”请求在12.3269ms内完成302“   调试{EventId = {Id = 6，Name =“ ConnectionReadFin”“，SourceContext =” Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets“}连接ID”“ 0HLKC8D934664”“收到FIN。   调试{EventId = {Id = 7，Name =“ ConnectionWriteFin”“，SourceContext =” Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets“}连接ID”“ 0HLKC8D934664”“发送FIN，因为：”“客户端关闭了连接。”   调试{SourceContext =“ AppBuilderExtensions”，RequestId =“ 0HLKC8D934663：00000001”，RequestPath =“ /”，CorrelationId = null，ConnectionId =“ 0HLKC8D934663”}标题：“ X客户端端口”：[“ 63761”]   调试{SourceContext =“ AppBuilderExtensions”，RequestId =“ 0HLKC8D934663：00000001”，RequestPath =“ /”，CorrelationId = null，ConnectionId =“ 0HLKC8D934663”}标题：“ X-FD-HealthProbe”：[“ 1”]   调试{SourceContext =“ AppBuilderExtensions”，RequestId =“ 0HLKC8D934663：00000001”，RequestPath =“ /”，CorrelationId = null，ConnectionId =“ 0HLKC8D934663”}标题：“ X-WAWS-Unencoded-URL”：[“ /”]   调试{SourceContext =“ AppBuilderExtensions”，RequestId =“ 0HLKC8D934663：00000001”，RequestPath =“ /”，CorrelationId = null，ConnectionId =“ 0HLKC8D934663”}标头：“ CLIENT-IP”：[“ 1.1.1.1:63761”]   调试{SourceContext =“ AppBuilderExtensions”，RequestId =“ 0HLKC8D934663：00000001”，RequestPath =“ /”，CorrelationId = null，ConnectionId =“ 0HLKC8D934663”}标题：“ X-ARR-LOG-ID”：[“ 5022cb4d-7c63- 4a78-ad11-c8474246281d“]   调试{SourceContext =“ AppBuilderExtensions”，RequestId =“ 0HLKC8D934663：00000001”，RequestPath =“ /”，CorrelationId = null，ConnectionId =“ 0HLKC8D934663”}标题：“ DISGUISED-HOST”：[“ webapp-eastus.azurewebsites.net” ]   调试{SourceContext =“ AppBuilderExtensions”，RequestId =“ 0HLKC8D934663：00000001”，RequestPath =“ /”，CorrelationId = null，ConnectionId =“ 0HLKC8D934663”}标题：“ X-SITE-DEPLOYMENT-ID”：[“ webapp-eastus” ]   调试{SourceContext =“ AppBuilderExtensions”，RequestId =“ 0HLKC8D934663：00000001”，RequestPath =“ /”，CorrelationId = null，ConnectionId =“ 0HLKC8D934663”}标题：“ WAS-DEFAULT-HOSTNAME”：[“ webapp-eastus.azurewebsites。净”]   调试{SourceContext =“ AppBuilderExtensions”，RequestId =“ 0HLKC8D934663：00000001”，RequestPath =“ /”，CorrelationId = null，ConnectionId =“ 0HLKC8D934663”}标题：“ X原始URL”：[“ /”]   调试{EventId = {Id = 10，Name =“ ConnectionDisconnect”}，SourceContext =“ Microsoft.AspNetCore.Server.Kestrel”}连接ID“” 0HLKC8D934664“”断开连接。   调试{EventId = {Id = 2，Name =“ ConnectionStop”}，SourceContext =“ Microsoft.AspNetCore.Server.Kestrel”}连接ID“” 0HLKC8D934664“”已停止。

请注意，我的粘性会话已在FrontDoor配置上激活。我还尝试在登录期间停止其中一个Web应用程序，以查看效果如何。相同的行为。因此，我认为这不是与DataProtection相关的问题。

更新3

我想我可能已经找到了潜在的问题。我发现此错误：

  

AADB2C90006：请求中提供的重定向URI'https://webapp-eastus.azurewebsites.net/signin-oidc'未为客户端ID'zzzzzzz-2121-4158-b0f8-9d164c95000'注册。   相关ID：xxxxxxxxx-xxxxxxxxx-xxxxxxx-xxxxxxx

当我在请求中查找X-Forwarded *标头时，我发现它们丢失了。即使我有一段看起来像这样的代码：

            services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
        });

在ConfigureServices中，在Startup.cs中

在Configure（）中，我有这个：

    public void Configure(IApplicationBuilder app)
    {
        app.UseForwardedHeaders();

        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseCookiePolicy();

        app.Use((context, next) =>
        {
            context.Request.Scheme = "https";
            return next();
        });

        app.UseSession();

        app.UseAuthentication();
        app.LogAuthenticationRequests(_loggerFactory);

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }

现在的问题是，为什么请求中会缺少X-Forwarded- *标头？