signin-oidc重定向不起作用OpenId Connect

Question

在同意页面之后重定向到signin-oidc时出现问题。在本地我没有问题，我可以登录->同意-> signin-oidc->重定向到登录页面，所有cookie都正确更新没有问题。

但是，当服务器部署在AWS Fargate中时，它不起作用。我不确定这是与中间件相关还是与IS4相关，但是我可以毫无问题地连接到测试IS4服务器https://demo.identityserver.io/。

我正在使用https://github.com/IdentityServer/IdentityServer4.Demo中具有InMemory设置的相同Config和TestUsers。

这是我的IS4服务器上的启动程序：

public void ConfigureServices(IServiceCollection services)
{
    services.AddDbContext<IdentityContext>(options => options.UseNpgsql(Configuration.GetConnectionString("IdentityContext")));
    services.AddDbContext<MultitenancyContext>(options => options.UseNpgsql(Configuration.GetConnectionString("MultitenancyContext")));

    // Add identity services to handle user login
    services.AddIdentity<ApplicationUser, IdentityRole>()
        .AddEntityFrameworkStores<IdentityContext>()
        .AddDefaultTokenProviders();

    if (!HostingEnvironment.IsDevelopment())
    {
        services.AddSingleton<IAmazonS3>(new AmazonS3Client(RegionEndpoint.USEast1));
        services.AddSingleton<IAmazonKeyManagementService>(new AmazonKeyManagementServiceClient(RegionEndpoint.USEast1));
        services.AddDataProtection()
            .SetApplicationName("accunet-web")
            .ProtectKeysWithAwsKms(Configuration.GetSection("DataProtectionKms"))
            .PersistKeysToAwsS3(Configuration.GetSection("DataProtectionS3"));
    }

    services.AddOptions();

    services.AddMvc();

    services.AddTransient<IUnitOfWork, UnitOfWork>();

    services.AddIdentityServer(options =>
    {
        options.Events.RaiseErrorEvents = true;
        options.Events.RaiseFailureEvents = true;
        options.Events.RaiseInformationEvents = true;
        options.Events.RaiseSuccessEvents = true;
    })
        .AddInMemoryApiResources(Config.GetApis())
        .AddInMemoryIdentityResources(Config.GetIdentityResources())
        .AddInMemoryClients(Config.GetClients())
        .AddTestUsers(TestUsers.Users)
        .AddDeveloperSigningCredential(persistKey: false);
}

还有我的测试客户端网站上的启动程序，我已经将它与localhost测试一起部署到了Azure：

public void ConfigureServices(IServiceCollection services)
{
    services.Configure<CookiePolicyOptions>(options =>
    {
        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(
            Configuration.GetConnectionString("DefaultConnection")));
    services.AddDefaultIdentity<IdentityUser>()
        .AddDefaultUI(UIFramework.Bootstrap4)
        .AddEntityFrameworkStores<ApplicationDbContext>();

    services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookie";
            options.DefaultChallengeScheme = "challenge";
        })
        .AddCookie("Cookie")
        .AddOpenIdConnect("challenge", options =>
        {
            options.Authority = "http://auth.is4server.com";
            options.SignInScheme = "Cookie";
            options.RequireHttpsMetadata = false;
            options.ClientId = "server.hybrid";
            options.ClientSecret = "secret";
            options.ResponseType = "code id_token";
            options.SaveTokens = true;
            options.GetClaimsFromUserInfoEndpoint = true;
            options.Scope.Add("offline_access");
            options.Scope.Add("profile");
            options.Scope.Add("openid");
        });

    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}

这两个系统在本地运行良好，但是在部署时出现错误：

System.Exception: An error was encountered while handling the remote login. ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_request', error_description: 'error_description is null', error_uri: 'error_uri is null'.
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.MigrationsEndPointMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

我能看到的唯一区别是本地将其重定向到类型为x-www-form-urlencoded的signin-oidc，它可以正常工作。

但是在已解散的IS4服务器上，它使用Type：document重定向，并收到500错误。但是标题仍然具有我需要的所有信息，但是signin-oidc不接受该格式，并且失败。

我正在寻找拥有自己的signin-oidc终结点而不是使用中间件，但是我希望它可以轻松适应客户使用IS4服务器的情况。

由于我一直为此奋斗了几天，因此任何帮助将不胜感激。

这是失败的signin-oidc内容的内容：

常规

Request URL: http://localhost:5002/signin-oidc
Request Method: POST
Status Code: 500 Internal Server Error
Remote Address: [::1]:5002
Referrer Policy: no-referrer

响应标题

Content-Type: text/html; charset=utf-8
Date: Wed, 13 Mar 2019 17:59:10 GMT
Server: Kestrel
Transfer-Encoding: chunked

请求标头

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 1477
Content-Type: application/x-www-form-urlencoded
Cookie: .AspNetCore.OpenIdConnect.Nonce.CfDJ8G7d4NhrgFZAqO8IaG32oQ1zWDYRXeddV8UbbHzWM9_aj1-yBLqDHuKbrfGsEUiG3nPgOUL3zL4of6OK6dse4JkeFEhtK1Av1gwgduIWeT64sBQf3M0infYZFz2zLdZs3trHWd1RYH0vMAl697Q5qQqJYaOAfSELnddZOfhdPxqKJprpDil9o-RqQh5RyWU33IwXilBe1vRKvepkeIxgphoiLYtS_-YjPwCQXB_sBRIuB44FobwUWxFLJKDxA4xYHQlOW8smYTjo0hIZrsZnx0w=N; .AspNetCore.Correlation.challenge.Kia1WjnjAxluHmIXm3J5lO1TOWbzLXjidVC3fXfDmBk=N
Host: localhost:5002
Origin: null
Pragma: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36

表格数据

code: bebbb3b72584a8270a574804b685e908848cd30b038748e246704a1f7195d8af
id_token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjI4Y2NmMWYwNDY5MmVmZGQ5Y2NmOTFjMjg5ZDQxNjZlIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1NTI1MDAwMjcsImV4cCI6MTU1MjUwMDMyNywiaXNzIjoiaHR0cDovL2F1dGguYXNjLWFjY3VuZXQtZGV2LmNvbSIsImF1ZCI6InNlcnZlci5oeWJyaWQiLCJub25jZSI6IjYzNjg4MDk2NzQ3OTUxNDE5OC5ZekV5TkdWa016RXRPVFE0WlMwME9EUXdMVGxtTVRFdFpEWmpZV1JtTkdGak0yUmhZakkyWTJVNVlqRXRNakF5TUMwME1UWTBMVGd5TjJVdFl6WmtPVFZpTkRGa056azQiLCJpYXQiOjE1NTI1MDAwMjcsImNfaGFzaCI6ImI2UEJ2YVcxa0FCOThBODBpcUFnRWciLCJzaWQiOiI0NDE4NmEwNjM2YmExNzRkNzNiMmM3MjE0NmMwZmMyNCIsInN1YiI6IjExIiwiYXV0aF90aW1lIjoxNTUyNDk3NDQzLCJpZHAiOiJsb2NhbCIsImFtciI6WyJwd2QiXX0.CEwEzplnC6GvwLF72yHrAdzrFqHqoq7NPiBffRTf6srS9hxcSbECDlCHaPekyfv9LaJnpZDarEeD0qjFFs60W_qELJ81qCB05QRHQndjNDu4YZNrWWNNgK6mwceLxYINNWRcqOdW-DAsI3pbmjqqzxKnsazbYZIShPYas40jtLrDvAS43xiVyJZWqBPphNR0NClILnJ0wo34oxVYqvSjSufAioDcP__U8TH1zL8Ez2nKRfS0qj6teb7OQc0qNVEiLJL8sbM6eO1ln-ulPI2HzFT_Xzkm4yHQ-V6GUjAi3HCCkOxUupX1LaXvkwj5M-vylqVwGfc_b4JPPPfjT3CUsA
scope: openid profile offline_access
state: CfDJ8G7d4NhrgFZAqO8IaG32oQ35X6s219phcUFCU9tTimiQIQMM5oEBUb9ijqcalKyYW4lqefyLTRS4PbTEntIbW9xcxTFg3dKW207iiuKRmHt9ISy_zz8O-6s0WL8bzuBaR7_-OLg7GWwHjFOa_Zhfx2rgxRSkGKkKqnazO55bbD5P__uXVkVq0PzAAeoeMznrfVb5kWBesgBfMMcbpXB7Po2A3R3bGbNvWh8wyn11WwgfCiFjl0TKUhGFK42roCf_tgebjSSmqyi3cO5a8BpXgNJ1fFFxayBA-IEYygfshrgDgoku29N8ObdqhL9rFaclOQ
session_state: NKnJ4GLxoBOycoDpZKwW6IJbND8udT6kmYbcrEI_r84.9efa5be47c4261b4abc22ff4d54d0d6a

Answer 1

该问题与AWS中的负载均衡器有关。由于我为LB使用了安全的公共域，因此它使用HTTPS，但在内部使用HTTP。这种重定向导致发现文档具有HTTP。

将PublicOrigin设置为HTTPS地址可以防止重定向并解决问题。