我一直在开发多个应用程序,这些应用程序使用Identity Server 4(IDS4)进行OIDC身份验证。一切正常,直到我使用SSL卸载将应用程序置于代理之后。
目标是能够访问一个站点。当您请求登录时,应该将您重定向到IDS4验证您,然后将您发送回去。这是标准的。
真正发生的事情。 403错误:
An unhandled exception occurred while processing the request.
HttpRequestException: Response status code does not indicate success: 403 (Forbidden).
System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
IOException: IDX20804: Unable to retrieve document from: 'https://ids.com/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)
InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://ids.com/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.ConfigurationManager<T>.GetConfigurationAsync(CancellationToken cancel)
Stack Query Cookies Headers
HttpRequestException: Response status code does not indicate success: 403 (Forbidden).
System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)
Show raw exception details
IOException: IDX20804: Unable to retrieve document from: 'https://ids.com/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(string address, IDocumentRetriever retriever, CancellationToken cancel)
Microsoft.IdentityModel.Protocols.ConfigurationManager<T>.GetConfigurationAsync(CancellationToken cancel)
Show raw exception details
InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://ids.com/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.ConfigurationManager<T>.GetConfigurationAsync(CancellationToken cancel)
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
Microsoft.AspNetCore.Authentication.AuthenticationHandler<TOptions>.ChallengeAsync(AuthenticationProperties properties)
Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, string scheme, AuthenticationProperties properties)
Microsoft.AspNetCore.Mvc.ChallengeResult.ExecuteResultAsync(ActionContext context)
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeResultAsync(IActionResult result)
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAlwaysRunResultFilters()
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()
Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext httpContext)
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
出于好奇,我关闭了IDS应用程序,并尝试通过其他应用程序之一访问它,并获得了完全相同的错误响应。这使我相信,这与使用openidc或IIS设置时应用程序中的代码有关。
注意事项: 我正在使用IIS。 我的代理站点上有受信任的CA证书。 假设IDS正在运行,我可以在浏览器中访问“ https://ids.com/.well-known/openid-configuration”。您不会,这是一个假域名。
我尝试过的事情:
尝试从以下位置切换RequireHttpsMetadata 从假到真,
app.UseForwardedHeaders();
好的,我在这里肯定是错的,但是我认为问题是我的应用程序(使用OIDC时)没有发送SSL信息,从而阻止了他们访问“ https://ids.com/.well-know”地址。
我应该从哪里开始尝试?
我的一些启动代码:
services.Configure<ForwardedHeadersOptions>(options =>
{
options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
options.RequireHeaderSymmetry = false;
options.KnownNetworks.Clear();
options.KnownProxies.Clear();
});
.AddOpenIdConnect(AuthorizationConsts.OidcAuthenticationScheme, options =>
{
options.SignInScheme = "Cookies";
options.Authority = "https://ids.com";
options.RequireHttpsMetadata = true;
options.ClientId = AuthorizationConsts.OidcClientId;
options.Scope.Clear();
options.Scope.Add(AuthorizationConsts.ScopeOpenId);
options.Scope.Add(AuthorizationConsts.ScopeProfile);
options.Scope.Add(AuthorizationConsts.ScopeEmail);
options.Scope.Add(AuthorizationConsts.ScopeRoles);
options.SaveTokens = true;
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = JwtClaimTypes.Name,
RoleClaimType = JwtClaimTypes.Role,
};
options.Events = new OpenIdConnectEvents
{
OnMessageReceived = OnMessageReceived,
OnRedirectToIdentityProvider = OnRedirectToIdentityProvider
};
});
..............
app.Use(async (Context, next) =>
{
if (!string.IsNullOrEmpty(Context.Request.Headers["X-ARR-SSL"]))
{
Context.Request.Scheme = "https";
await next.Invoke();
}
else
{
Context.Request.Scheme = "http";
await next.Invoke();
}
});
app.UseForwardedHeaders();
// Ensures we can serve static-files that should not be processed by ASP.NET
app.UseStaticFiles();
// Enable the authentication middleware so we can protect access to controllers and/or actions
app.UseAuthentication();
答案 0 :(得分:0)
我终于解决了这个问题。我知道它与证书有关,但是我不确定该怎么做。
我的解决方法是将options.BackchannelHttpHandler添加到
private readonly HttpClientHandler _handler;
public Startup(IHostingEnvironment env, IConfiguration config,
ILoggerFactory loggerFactory)
{
_env = env;
_config = config;
_loggerFactory = loggerFactory;
Configuration = config;
_handler = new HttpClientHandler();
_handler.ClientCertificates.Add(FindClientCertificate());//same x509cert2 that proxy server uses
_handler.AllowAutoRedirect = true;
}
.....
AddOpenIdConnect( scheme, options => {
....
options.BackchannelHttpHandler = _handler;
...
}
答案 1 :(得分:0)
对我来说,添加该问题即可解决
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
答案 2 :(得分:0)
花了一个不眠之夜来解决这个问题。下面的代码解决了我的问题。
服务 .AddIdentityServer(选项=> {
options.IssuerUri = <Authority Url>; //<== Added this one
options.Events.RaiseSuccessEvents = true;
options.Events.RaiseFailureEvents = true;
options.Events.RaiseErrorEvents = true;
})