OWIN OpenId身份验证-注销后的活动会话



我已经实现了ASP.Net Cookie身份验证和;我的应用程序中的OWIN OpenId身份验证。我正在尝试修复一个安全漏洞,即即使在注销后会话也不会失效。

中间件实现:

app.UseCookieAuthentication(新的CookieAuthenticationOptions{AuthenticationType=CookieAuthenticationDefaults.AuthenticationType,应用程序。UseOpenIdConnectAuthentication(新的OpenIdConnectAuthenticationOptions{ClientId=客户端Id,Authority=权威,}})

注销代码(基于用户类型(:

HttpContext.GetOwinContext().Authentication.SignOut(
OpenIdConnectAuthenticationDefaults.AuthenticationType,
CookieAuthenticationDefaults.AuthenticationType);

HttpContext.GetOwinContext().Authentication.SignOut(
CookieAuthenticationDefaults.AuthenticationType);

我正在Fiddler中捕获流量,并单击从网页注销。当我尝试重新发出Fiddler的请求时,它成功完成了,并且在HttpModule中,Application.User.Identity.IsAuthenticatedTrue

我有几个问题:-

  1. 这是Cookie重播攻击吗
  2. 我做错了什么,否则我会的必须通过一些破解来修复它,比如在缓存中存储cookie比较一下

从应用程序注销时,还必须从Identity server注销。否则,您的应用程序将被重定向到身份服务器,重新进行身份验证并重新登录。检查通知下的以下代码片段:

app.UseCookieAuthentication(
new CookieAuthenticationOptions
{
AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,    
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = n =>
{
// if signing out, add the id_token_hint
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
{
var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");
if (idTokenHint != null)
{
n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
}
}
return Task.FromResult(0);
}
}
}
);

你会在这里找到一些OWIN中间件设置的例子(虽然不是你问题的直接答案(

不确定这个答案是否能帮助其他人,但这里的链接提供了一些关于如何使用MVC应用程序设置openId的更多信息。

更改中间件配置

添加OpenId&startup.cs文件中的Cookies身份验证中间件。将ResponseType设置为Id_token以使openId注销也起作用。

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
CookieHttpOnly = true,
AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
CookieName = "AppCookies",
ExpireTimeSpan = TimeSpan.FromMinutes(30),
SlidingExpiration = true
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
Authority = "https://localhost:44319/identity",

ClientId = "mvc",
Scope = "openid profile roles",
RedirectUri = "https://localhost:44319/",
ResponseType = "id_token",
SignInAsAuthenticationType = "Cookies",
UseTokenLifetime = false,
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = n =>
{
var id = n.AuthenticationTicket.Identity;
// we want to keep first name, last name, subject and roles
var givenName = id.FindFirst(Constants.ClaimTypes.GivenName);
var familyName = id.FindFirst(Constants.ClaimTypes.FamilyName);
var sub = id.FindFirst(Constants.ClaimTypes.Subject);
var roles = id.FindAll(Constants.ClaimTypes.Role);
// create new identity and set name and role claim type
var nid = new ClaimsIdentity(
id.AuthenticationType,
Constants.ClaimTypes.GivenName,
Constants.ClaimTypes.Role);
nid.AddClaim(givenName);
nid.AddClaim(familyName);
nid.AddClaim(sub);
nid.AddClaims(roles);
// add some other app specific claim
nid.AddClaim(new Claim("app_specific", "some data"));                   
n.AuthenticationTicket = new AuthenticationTicket(
nid,
n.AuthenticationTicket.Properties);

return Task.FromResult(0);    
},
RedirectToIdentityProvider = n =>
{
// if signing out, add the id_token_hint
if ((int)n.ProtocolMessage.RequestType ==                     (int)OpenIdConnectRequestType.Logout)
{
var idTokenHint = n.OwinContext.Authentication.User.FindFirst(Startup.IdToken);
if (idTokenHint != null)
{
n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
}
}
return Task.FromResult(0);
}
}
});

添加注销

添加注销很容易,只需在Katana身份验证管理器中添加一个调用Signout方法的新操作:

public ActionResult Logout()
{
Session.Abandon();

// clear session cookie (not necessary for your current problem but i would recommend you do it anyway)
HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
cookie2.HttpOnly = true;
cookie2.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(cookie2);
// clear site cookie
var siteCookie = new HttpCookie("AppCookies", "");
siteCookie.HttpOnly = true;
siteCookie.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(siteCookie);

Request.GetOwinContext().Authentication.SignOut();
return Redirect("/");
}

相关内容

  • 没有找到相关文章

最新更新