我有一个 Asp .net 核心 MVC 应用程序。它连接到 Identity Server 4 以进行身份验证。托管在 docker swarm
MVC 应用托管在 https://XXXXXXX
配置服务
services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
//options.DataProtectionProvider = DataProtectionProvider.Create(new DirectoryInfo(@"C:\temp-keys\"));
// when the identity has been created from the data we receive,
// persist it with this authentication scheme, hence in a cookie
options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
// Identity server endpoint
options.Authority = settingsSetup.IdentityServerEndpoint;
// Client id to login with
options.ClientId = settingsSetup.ClientId;
// Client secret.
options.ClientSecret = settingsSetup.Secret;
// Scope of our API
options.Scope.Add("testapi");
options.Scope.Add("devconsole");
// adding offline_access to get a refresh token
options.Scope.Add("offline_access");
options.ResponseType = "code id_token";
options.SaveTokens = true;
options.GetClaimsFromUserInfoEndpoint = true;
});
当我尝试运行该应用程序时,出现重定向 uri 未匹配错误。
Invalid redirect_uri: http://developerconsole.XXXXX.io/signin-oidc
{
"ClientId": "BB1D2DA8-D7E4-4AF5-94FA-19EAD6B7D711.apps.XXXXX.biz",
"ClientName": "Developer Console",
"AllowedRedirectUris": [
"http://localhost:55000/signin-oidc",
"http://localhost:55000/auth.html",
"http://localhost:55000/auth-silent.html"
"https://developerconsole.XXXXX.io/signin-oidc"
],
"SubjectId": "21379983",
"RequestedScopes": "",
"Raw": {
"client_id": "BB1D2DA8-D7E4-4AF5-94FA-19EAD6B7D711.apps.XXXXX.biz",
"redirect_uri": "http://developerconsole.XXXXX.io/signin-oidc",
"response_type": "code id_token",
"scope": "openid profile testapi devconsole offline_access",
"response_mode": "form_post",
"nonce": "636625889658410682.MjNlMmQwNjgtZmY0MC00MmVkLWFiNmMtN2M2YmQ5YTM5ZTQ3NjFiYzI2ZjktZWM0Yi00NDk3LTk1ZWMtNjJkYjViMDYwMTJm",
"state": "CfDJ8Pwa8A3ipXlKtuyxNMpMxAz5QUFmdSunRKdlKS9sS390AKp8gIUZShQUMMCkFAhYLytitgsXUBgwlQDJaJvtHFqzHygLCPwS8Jab6IJzhpry90qS51E1y_eRlppamRDOzYDZ6fcDFzWV1U43BTP2B6pnPTSLNcZRaooyGBXtNokeUqOJ--u-_MOQB8Bw3n2cRyV4kisHNkslD1Gsi2wn1Cx6aTVlqzw_pxHelAXm1P8FyDJpD7G0azFgKgpQF0DRJtC5penRJQzHIHvQN8v4ECGeuSD1zlyfJYClLO2r6kY_R2OYqtBkV0r_SNc9h7xUYmnVaHKQzYqVc_mJO4iLLSMTZrBUICZWR8c4PZw0Os3N",
"x-client-SKU": "ID_NET",
"x-client-ver": "2.1.4.0"
}
}
错误来了,因为我有
"https://developerconsole.XXXXX.io/signin-oidc"
作为重定向 uri 而不是 "http://developerconsole.XXXXX.io/signin-oidc"
我不想添加 HTTP 重定向 uri。
为什么我的应用程序构建的重定向 uri 具有 http 而不是 https?
如果我确实添加了 HTTP,我会收到一个恼人的关联错误。我认为这是因为它被服务器作为 https 返回,因为服务器自动将 http 转换为 https。
处理请求时发生未处理的异常。 异常:关联失败。 Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler+d__12.MoveNext()
Stack Query Cookies Headers 异常:关联失败。 Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler+d__12.MoveNext() System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(任务 任务) Microsoft.AspNetCore.Authentication.AuthenticationMiddleware+d__6.MoveNext() System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(任务 任务) Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware+d__7.MoveNext()
我可能不需要提及这在本地主机上运行良好:/
解决方案非常简单。通过设置 UseForwardedHeaders,它现在将所有请求作为 HTTPS 发送。
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedProto
});
关联失败。
现在已修复,我不再需要 http 和 https 重定向 uris。
Ubuntu 18、Nginx、.NetCore 3.1 它的工作方式如下:
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.All
});
/etc/nginx/nginx.conf
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
/etc/nginx/sites-enabled/default
或您的网络配置文件
location / {
# under your configuration
proxy_set_header X-Forwarded-Proto $scheme;
}
然后它开始重定向到 https,没有 nginx 配置我得到错误 503.
ASP.NET 核心文档说如果转发的标头不起作用添加这个中间件
app.Use((context, next) =>
{
context.Request.Scheme = "https";
return next(context);
});
请参阅场景和用户案例部分 - https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-6.0
ASP.NET Core 6 添加了一个更简单的方法来为非 IIS 场景实现这一点,在这些场景中,TLS 在到达已部署的 Web 应用程序之前被终止:
要在非IIS场景下从代理转发方案,启用 通过设置 [环境变量] 转发标头中间件
到ASPNETCORE_FORWARDEDHEADERS_ENABLED
.true
设置此变量解决了我在 Azure 容器应用程序中运行的 Docker 应用程序的问题,无需对 Program.cs 进行任何更改。
仅将此代码添加到您的 web.config 文件,当然还有 change.com 和您的网站,任何人在浏览器中输入 URL 直接将 URI 从 HTTP 重定向到 HTTPS。
<system.webServer>
<rewrite>
<rules>
<rule name="IP Hit" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="http://www.exemple.com" />
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://www.exemple.com/{R:1}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
<urlCompression doDynamicCompression="true" doStaticCompression="true" dynamicCompressionBeforeCache="true" />
<staticContent>
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="365:00:00" />
</staticContent>
<system.webServer>