我一直在开发多个依赖身份服务器4(IDS4)用于使用OIDC进行身份验证的应用程序。一切都很好,直到我使用SSL-Owdloading将应用程序放在代理后面。
目标是能够访问网站。当您要求登录时,应该将您重定向到IDS4验证您,然后将您发送回您。这是标准..
到底发生了什么。403错误:
An unhandled exception occurred while processing the request.
HttpRequestException: Response status code does not indicate success: 403 (Forbidden).
System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
IOException: IDX20804: Unable to retrieve document from: 'https://ids.com/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)
InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://ids.com/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.ConfigurationManager<T>.GetConfigurationAsync(CancellationToken cancel)
Stack Query Cookies Headers
HttpRequestException: Response status code does not indicate success: 403 (Forbidden).
System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)
Show raw exception details
IOException: IDX20804: Unable to retrieve document from: 'https://ids.com/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(string address, IDocumentRetriever retriever, CancellationToken cancel)
Microsoft.IdentityModel.Protocols.ConfigurationManager<T>.GetConfigurationAsync(CancellationToken cancel)
Show raw exception details
InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://ids.com/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.ConfigurationManager<T>.GetConfigurationAsync(CancellationToken cancel)
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
Microsoft.AspNetCore.Authentication.AuthenticationHandler<TOptions>.ChallengeAsync(AuthenticationProperties properties)
Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, string scheme, AuthenticationProperties properties)
Microsoft.AspNetCore.Mvc.ChallengeResult.ExecuteResultAsync(ActionContext context)
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeResultAsync(IActionResult result)
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAlwaysRunResultFilters()
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()
Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext httpContext)
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
出于好奇,我关闭了我的IDS应用程序,并试图通过我的其他应用程序之一访问它,并获得了完全相同的错误响应。这使我相信这与使用OpenIDC或IIS设置时的应用程序中的代码有关。
要注意的事情: 我正在使用IIS。 我的代理网站上有一个值得信赖的CA证书。 假设ID正在运行,我可以在我的Broswer中访问" https://ids.com/.well-nown/openid-configuration"。您不会,这是一个假域名。
我尝试过的事情:
OpenIdConnect内部尝试切换requirehttpsmetadata虚假到true,
app.useforwardedheaders();
好吧,我肯定会在这里错,但是我认为问题是我的应用程序(使用OIDC时)没有发送SSL信息,该信息禁止它们无法访问'https://ids.com/.well.well.well.well.well。 - 知道'地址。
我应该从哪里开始尝试使用?
我从启动中的一些代码:
services.Configure<ForwardedHeadersOptions>(options =>
{
options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
options.RequireHeaderSymmetry = false;
options.KnownNetworks.Clear();
options.KnownProxies.Clear();
});
.AddOpenIdConnect(AuthorizationConsts.OidcAuthenticationScheme, options =>
{
options.SignInScheme = "Cookies";
options.Authority = "https://ids.com";
options.RequireHttpsMetadata = true;
options.ClientId = AuthorizationConsts.OidcClientId;
options.Scope.Clear();
options.Scope.Add(AuthorizationConsts.ScopeOpenId);
options.Scope.Add(AuthorizationConsts.ScopeProfile);
options.Scope.Add(AuthorizationConsts.ScopeEmail);
options.Scope.Add(AuthorizationConsts.ScopeRoles);
options.SaveTokens = true;
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = JwtClaimTypes.Name,
RoleClaimType = JwtClaimTypes.Role,
};
options.Events = new OpenIdConnectEvents
{
OnMessageReceived = OnMessageReceived,
OnRedirectToIdentityProvider = OnRedirectToIdentityProvider
};
});
..............
app.Use(async (Context, next) =>
{
if (!string.IsNullOrEmpty(Context.Request.Headers["X-ARR-SSL"]))
{
Context.Request.Scheme = "https";
await next.Invoke();
}
else
{
Context.Request.Scheme = "http";
await next.Invoke();
}
});
app.UseForwardedHeaders();
// Ensures we can serve static-files that should not be processed by ASP.NET
app.UseStaticFiles();
// Enable the authentication middleware so we can protect access to controllers and/or actions
app.UseAuthentication();
对我而言,添加
解决了问题ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
我最终解决了这个问题。我知道这与证书有关,但我不确定该怎么办。
我的修复程序是添加了options.backchannelhttphandler
private readonly HttpClientHandler _handler;
public Startup(IHostingEnvironment env, IConfiguration config,
ILoggerFactory loggerFactory)
{
_env = env;
_config = config;
_loggerFactory = loggerFactory;
Configuration = config;
_handler = new HttpClientHandler();
_handler.ClientCertificates.Add(FindClientCertificate());//same x509cert2 that proxy server uses
_handler.AllowAutoRedirect = true;
}
.....
AddOpenIdConnect( scheme, options => {
....
options.BackchannelHttpHandler = _handler;
...
}
度过了一个不眠之夜解决问题。下面的代码解决了我的问题。
服务.addidentityServer(options =&gt;{
options.IssuerUri = <Authority Url>; //<== Added this one
options.Events.RaiseSuccessEvents = true;
options.Events.RaiseFailureEvents = true;
options.Events.RaiseErrorEvents = true;
})