使用两个应用程序时,Azure AD身份验证重定向循环(cookie错误)

时间:2019-07-10 15:53:27

标签: c# azure asp.net-core azure-authentication

我有两个由Azure AD保护的asp.net核心Web应用程序(使用相同的应用程序注册ID)。如果我登录其中一个,则身份验证流程会中断另一方的身份验证,但不会相反。

我认为这与身份验证cookie有关,并且Admin应用选择了为Portal应用创建的一个。如果这个假设是正确的,我如何确保这些应用程序不使用彼此的cookie?

设置

测试用例 

OK : Load Admin and log in
OK : Load Portal and log in
NOK: Load the Portal and log in, navigate to Admin (auth loop)         
NOK: Load Admin and log in,
        navigate to Portal (credentials not requested, reusing the cookie i guess), 
        reload Admin (auth loop)

管理应用程序报告以下错误,并创建身份验证重定向循环。      Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler:信息:未对Cookie进行身份验证。失败消息:取消保护票证失败

门户网站应用程序的Startup.cs 

public class Startup
{
    public Startup( IConfiguration configuration )
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    public void ConfigureServices( IServiceCollection services )
    {
        services.AddAuthentication( o =>
            {
                o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            }
        ).AddOpenIdConnect( o =>
            {
                o.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;

                o.ClientId = "same-for-both-apps";
                o.CallbackPath = "/portal/signin-oidc";
                o.Authority = "https://login.windows.net/common";
                o.TokenValidationParameters = new TokenValidationParameters
                {
                    RoleClaimType = ClaimTypes.Role,
                    ValidateIssuer = false,
                };
            }
        ).AddCookie( options =>
            { options.AccessDeniedPath = new PathString( "/Account/AccessDenied" ); } );

        services.AddMvc( o =>
            {
                o.Filters.Add( new AuthorizeFilter(
                                    new AuthorizationPolicyBuilder()
                                    .RequireAuthenticatedUser()
                                    .Build() ) );

            }
        ).SetCompatibilityVersion( CompatibilityVersion.Version_2_2 );
    }

    public void Configure( IApplicationBuilder app, IHostingEnvironment env )
    {
        app.MapWhen( IsTargetingPortal, HandlePortalRequest );

        app.Run( async ctx =>
        {
            await ctx.Response.WriteAsync( "Default: info page" );
        } );
    }

    bool IsTargetingPortal( HttpContext ctx )
    {
        return ctx.Request.Path == "/portal/signin-oidc" ||
               ctx.Request.Path == "/portal" ||
               ctx.Request.Host.Host.StartsWith( "portal." );
    }

    void HandlePortalRequest( IApplicationBuilder builder )
    {
        builder.UseAuthentication();
        builder.UseMvc( routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}" );
        } );
    }
}

管理应用程序的Startup.cs 

public class Startup
{

    public Startup( IConfiguration configuration )
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    public void ConfigureServices( IServiceCollection services )
    {
        services.AddAuthentication( o =>
            {
                o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            } 
        ).AddOpenIdConnect( o =>
            {
                o.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;

                o.ClientId = "same-for-both-apps";                    
                o.Authority = "https://login.windows.net/common";
                o.TokenValidationParameters = new TokenValidationParameters
                {
                    RoleClaimType = ClaimTypes.Role,
                    ValidateIssuer = false,
                };
            } 
        ).AddCookie( options => 
            { options.AccessDeniedPath = new PathString( "/Account/AccessDenied" ); } );

        services.AddMvc( o =>
            {
                o.Filters.Add( new AuthorizeFilter( 
                                    new AuthorizationPolicyBuilder()
                                    .RequireAuthenticatedUser()
                                    .Build() ) );

            } 
        ).SetCompatibilityVersion( CompatibilityVersion.Version_2_2 );
    }

    public void Configure( IApplicationBuilder app, IHostingEnvironment env )
    {
        app.UsePathBase( "/admin" );

        if( env.IsDevelopment() )
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler( "/Error" );
            app.UseHsts();
        }

        app.UseAuthentication();
        app.UseMvc();
    }
}

2 个答案:

答案 0 :(得分:0)

这将是在Azure AD门户中分别注册两个应用程序的问题。这将为您提供一个不同的客户端ID。为每个应用使用不同的客户端ID。

enter image description here

答案 1 :(得分:0)

我通过添加解决了Cookie的混淆

builder.UsePathBase( "/portal" );

到管道的门户分支

private void HandlePortalRequest( IApplicationBuilder builder )
{            
    builder.UsePathBase( "/portal" ); // the fix!

    builder.UseAuthentication();

    builder.UseMvc( routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Portal}/{action=Index}/{id?}" );
    } );
}
相关问题
最新问题