Random OWIN/OpenID behaviour when an ASP.NET 4.8 application starts - users are sometimes redirected to Azure automatically

83qze16e posted on 2023-10-21 in .NET

Strange behaviour.
My application allows authentication both through internal accounts (using ASP.NET Identity) and through Azure AD. The idea is that the login screen is shown and the user decides which way to sign in.
But sometimes, completely at random, the first request is automatically redirected to Azure AD for authentication. I would say this happens 1 out of 4 times when I start debugging the application.
I added logging to the HomeController, and I know that on those occasions, when the user is redirected automatically, the controller constructor is never even called.
This is my Startup.Auth.cs file:

using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Configure the db context, user manager and signin manager to use a single instance per request
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            CookieManager = new SystemWebCookieManager(),
            Provider = new CookieAuthenticationProvider()
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });

        var azureAdTenant = System.Configuration.ConfigurationManager.AppSettings["AzureAD:TenantId"];
        var azureAdClientId = System.Configuration.ConfigurationManager.AppSettings["AzureAD:ClientId"];
        var azureAdRedirectUri = System.Configuration.ConfigurationManager.AppSettings["AzureAD:RedirectUri"];
        var azureAdPostLogoutRedirectUri = System.Configuration.ConfigurationManager.AppSettings["AzureAD:PostLogoutRedirectUri"];
        var azureAdAuthority = string.Format(System.Globalization.CultureInfo.InvariantCulture, System.Configuration.ConfigurationManager.AppSettings["AzureAD:Authority"], azureAdTenant);

        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions("AzureAD")
            {
                ClientId = azureAdClientId,
                Authority = azureAdAuthority,
                RedirectUri = azureAdRedirectUri,
                PostLogoutRedirectUri = azureAdPostLogoutRedirectUri,
                Scope = "openid profile User.Read",
                ResponseType = OpenIdConnectResponseType.CodeIdToken,
                TokenValidationParameters = new TokenValidationParameters(),
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    RedirectToIdentityProvider = context =>
                    {
                        // Check if it's the auth request we need to modify
                        if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                        {
                            // Add the extra scope for Graph
                            context.ProtocolMessage.Scope += " https://graph.microsoft.com/Group.Read.All";
                        }

                        return Task.FromResult(0);
                    },
                    AuthenticationFailed = OnAuthenticationFailed,
                    AuthorizationCodeReceived = async context =>
                    {
                        // MSAL Confidential Client setup
                        var confidentialClient = ConfidentialClientApplicationBuilder.Create(azureAdClientId)
                            .WithClientSecret(System.Configuration.ConfigurationManager.AppSettings["AzureAD:AppSecret"])
                            .WithRedirectUri(azureAdRedirectUri)
                            .WithAuthority(new Uri($"https://login.microsoftonline.com/{azureAdTenant}/"))
                            .Build();

                        // Acquiring token using the authorization code
                        var result = await confidentialClient.AcquireTokenByAuthorizationCode(new[] { "https://graph.microsoft.com/.default" }, context.ProtocolMessage.Code)
                            .ExecuteAsync();

                        // Creating an identity for the user and adding claims
                        var appIdentity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);

                        appIdentity.AddClaim(new Claim("urn:tokens:access_token", result.AccessToken));
                        appIdentity.AddClaim(new Claim(ClaimTypes.NameIdentifier, context.JwtSecurityToken.Subject));
                        if (context.JwtSecurityToken.Claims.Any(c => c.Type == "groups"))
                            appIdentity.AddClaim(new Claim("hasGroups", "true"));

                        var externalIdentity = context.AuthenticationTicket.Identity;
                        externalIdentity.AddClaim(new Claim("urn:tokens:access_token", result.AccessToken));

                        // Sign in the user
                        context.OwinContext.Authentication.SignIn(appIdentity);
                    }
                }
            }
        );
    }

    private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
    {
        return Task.FromResult(0);
    }

    private Task OnAuthenticationSucceeded(AuthorizationCodeReceivedNotification context)
    {
        return Task.FromResult(0);
    }
}

hec6srdp (answer 1)

I don't know why, but this "AuthenticationMode" parameter solved the problem:

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions("AzureAD")
    {
        AuthenticationMode = AuthenticationMode.Passive,
    }
);
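Why the setting matters, and what it obliges you to do, as an added example that is not from the question or the answer: a Katana middleware in the default Active mode alters the incoming identity and answers every 401 leaving the pipeline with its own challenge, so the Active OpenID Connect middleware can redirect an unauthenticated request to Azure AD no matter which login path the user intended, whereas a Passive middleware only acts when its authentication type is named in an explicit Challenge. With the answer's AuthenticationMode.Passive in place, the login screen therefore needs an action like the one below to start the Azure AD sign-in; the controller and action names are assumptions, "AzureAD" is the authentication type from the question's options, and the cookie middleware stays Active so a plain [Authorize] 401 still lands on the local login page.

```csharp
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;

// Added example, not code from the question or answer. Controller and
// action names are hypothetical; "AzureAD" matches the AuthenticationType
// given to OpenIdConnectAuthenticationOptions in Startup.Auth.cs.
public class ExternalLoginController : Controller
{
    // Must be the same string the OpenID Connect middleware was registered with,
    // otherwise the Passive middleware ignores the challenge and nothing happens.
    private const string AzureAdAuthenticationType = "AzureAD";

    // Invoked by the "Sign in with Azure AD" button on the login screen.
    // POST plus anti-forgery token so a third-party page cannot start the
    // Azure AD round-trip on the user's behalf.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [AllowAnonymous]
    public ActionResult AzureAd(string returnUrl)
    {
        // Only ever return to a local URL after sign-in; an attacker-supplied
        // absolute returnUrl would otherwise turn the login into an open redirect.
        var redirectTo = Url.IsLocalUrl(returnUrl)
            ? returnUrl
            : Url.Action("Index", "Home");

        var properties = new AuthenticationProperties { RedirectUri = redirectTo };

        // The explicit challenge is the only thing that makes a Passive OIDC
        // middleware issue the redirect to the Azure AD authorization endpoint.
        HttpContext.GetOwinContext()
                   .Authentication
                   .Challenge(properties, AzureAdAuthenticationType);

        // The 401 is what the middleware converts into the 302 to Azure AD;
        // with Passive mode no other 401 in the application triggers it.
        return new HttpUnauthorizedResult();
    }
}
```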
