将 OWIN 从 2.1 更新到 3.0.1 会破坏外部身份验证
Updating OWIN from 2.1 to 3.0.1 breaks external auth
我很难在我的开源项目中调试 OWIN 包升级。简短的描述是,当我从 v2.1 升级时,在新的 v3 版本中使用外部登录会中断,在调试过程中我无法弄清楚有什么不同。请记住,我的代码 none 已更改,我只更新 OWIN 组件(Microsoft.Owin 中的包和其他子名称空间)。
以这种形式开头post:
<form action="/Forums/Authorization/ExternalLogin?ReturnUrl=http%3A%2F%2Flocalhost%3A1973%2FForums" method="post"><input name="__RequestVerificationToken" type="hidden" value="--verificationtoken--" /> <h2>External Logins</h2>
<p>
<button type="submit" id="Google" name="provider" value="Google" class="btn btn-primary">Google</button>
</p>
</form>
它 post 到这个方法:
https://github.com/POPWorldMedia/POPForums/blob/v13.0.0/PopForums/Controllers/AuthorizationController.cs
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult ExternalLogin(string provider, string returnUrl)
{
return new ChallengeResult(provider, Url.Action("ExternalLoginCallback", "Authorization", new { loginProvider = provider, ReturnUrl = returnUrl, area = "PopForums" }));
}
回调在这里:
public async Task<ActionResult> ExternalLoginCallback(string loginProvider, string returnUrl)
{
var authentication = _owinContext.Authentication;
var authResult = await _externalAuthentication.GetAuthenticationResult(authentication);
if (authResult == null)
return RedirectToAction("Login", "Account", new { error = Resources.ExpiredLogin });
...
public async Task<ExternalAuthenticationResult> GetAuthenticationResult(IAuthenticationManager authenticationManager)
{
var authResult = await authenticationManager.AuthenticateAsync(ExternalCookieName);
if (authResult == null)
return null;
...
AuthenticationManager 可以是 Google、Facebook 等包中 IAuthenticationManager 的任何实现。问题是它们都失败了并且 return 一个空对象,所以应用程序无法登录用户。
重现:
- 克隆 v13 分支:https://github.com/POPWorldMedia/POPForums.git
- 运行 根据说明在本地应用程序:https://github.com/POPWorldMedia/POPForums/wiki/Documentation
- 在管理员中,选择外部登录页面,为其中一个提供商添加凭据并选中复选框。
- 注销,然后使用按钮使用新提供商登录。
- 看它失败,看到上面ExternalAuthentication GetAuthenticationResult方法的authResult为null。
我一直想知道 OWIN 配置中是否发生了我不理解的更改。作为记录,就在这里:https://github.com/POPWorldMedia/POPForums/blob/v13.0.0/PopForums/Configuration/PopForumsOwinStartup.cs
using System;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;
using PopForums.ExternalLogin;
using PopForums.Services;
using PopForums.Web;
namespace PopForums.Configuration
{
public class PopForumsOwinStartup
{
public void Configuration(IAppBuilder app)
{
var setupService = PopForumsActivation.ServiceLocator.GetInstance<ISetupService>();
if (!setupService.IsDatabaseSetup())
return;
var settings = PopForumsActivation.ServiceLocator.GetInstance<ISettingsManager>().Current;
app.SetDefaultSignInAsAuthenticationType(ExternalAuthentication.ExternalCookieName);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = ExternalAuthentication.ExternalCookieName,
AuthenticationMode = AuthenticationMode.Passive,
CookieName = CookieAuthenticationDefaults.CookiePrefix + ExternalAuthentication.ExternalCookieName,
ExpireTimeSpan = TimeSpan.FromMinutes(60)
});
if (settings.UseTwitterLogin)
app.UseTwitterAuthentication(
consumerKey: settings.TwitterConsumerKey,
consumerSecret: settings.TwitterConsumerSecret);
if (settings.UseMicrosoftLogin)
app.UseMicrosoftAccountAuthentication(
clientId: settings.MicrosoftClientID,
clientSecret: settings.MicrosoftClientSecret);
if (settings.UseFacebookLogin)
app.UseFacebookAuthentication(
appId: settings.FacebookAppID,
appSecret: settings.FacebookAppSecret);
if (settings.UseGoogleLogin)
app.UseGoogleAuthentication(settings.GoogleClientId, settings.GoogleClientSecret);
}
}
}
有什么想法吗?
不确定这是否有帮助,但如果您查看模板,请使用 AuthenticationManager.ExternalLinkLoginInfoAsync() 检索 OAuth 回调的结果。你能看看我
[AllowAnonymous]
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<ActionResult> ExternalLinkLogin(string provider) //Google,Twitter etc.
{
return new ChallengeResult(provider, Url.Action("ExternalLinkLoginCallback"), userId);
}
[AllowAnonymous]
[HttpGet]
public async Task<ActionResult> ExternalLinkLoginCallback()
{
// Handle external Login Callback
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync(XsrfKey,userId);
if (loginInfo == null)
{
IdentitySignout(); // to be safe we log out
return RedirectToAction("Register", new {message = "Unable to authenticate with external login."});
}
...
IdentitySignIn(userId, userName, returnUrl);
}
另外,您的启动代码似乎与默认模板略有不同。
您正在使用:
app.SetDefaultSignInAsAuthenticationType(ExternalAuthentication.ExternalCookieName);
默认模板使用的位置:
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
您可以快速比较模板在我的一篇博文的摘要中使用的内容:
虽然听到这对您不利,但还是很沮丧 - 这些东西应该是向后兼容的 - 使用像这样的核心系统组件来破坏现有代码是不行的。
我很难在我的开源项目中调试 OWIN 包升级。简短的描述是,当我从 v2.1 升级时,在新的 v3 版本中使用外部登录会中断,在调试过程中我无法弄清楚有什么不同。请记住,我的代码 none 已更改,我只更新 OWIN 组件(Microsoft.Owin 中的包和其他子名称空间)。
以这种形式开头post:
<form action="/Forums/Authorization/ExternalLogin?ReturnUrl=http%3A%2F%2Flocalhost%3A1973%2FForums" method="post"><input name="__RequestVerificationToken" type="hidden" value="--verificationtoken--" /> <h2>External Logins</h2>
<p>
<button type="submit" id="Google" name="provider" value="Google" class="btn btn-primary">Google</button>
</p>
</form>
它 post 到这个方法: https://github.com/POPWorldMedia/POPForums/blob/v13.0.0/PopForums/Controllers/AuthorizationController.cs
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult ExternalLogin(string provider, string returnUrl)
{
return new ChallengeResult(provider, Url.Action("ExternalLoginCallback", "Authorization", new { loginProvider = provider, ReturnUrl = returnUrl, area = "PopForums" }));
}
回调在这里:
public async Task<ActionResult> ExternalLoginCallback(string loginProvider, string returnUrl)
{
var authentication = _owinContext.Authentication;
var authResult = await _externalAuthentication.GetAuthenticationResult(authentication);
if (authResult == null)
return RedirectToAction("Login", "Account", new { error = Resources.ExpiredLogin });
...
public async Task<ExternalAuthenticationResult> GetAuthenticationResult(IAuthenticationManager authenticationManager)
{
var authResult = await authenticationManager.AuthenticateAsync(ExternalCookieName);
if (authResult == null)
return null;
...
AuthenticationManager 可以是 Google、Facebook 等包中 IAuthenticationManager 的任何实现。问题是它们都失败了并且 return 一个空对象,所以应用程序无法登录用户。
重现:
- 克隆 v13 分支:https://github.com/POPWorldMedia/POPForums.git
- 运行 根据说明在本地应用程序:https://github.com/POPWorldMedia/POPForums/wiki/Documentation
- 在管理员中,选择外部登录页面,为其中一个提供商添加凭据并选中复选框。
- 注销,然后使用按钮使用新提供商登录。
- 看它失败,看到上面ExternalAuthentication GetAuthenticationResult方法的authResult为null。
我一直想知道 OWIN 配置中是否发生了我不理解的更改。作为记录,就在这里:https://github.com/POPWorldMedia/POPForums/blob/v13.0.0/PopForums/Configuration/PopForumsOwinStartup.cs
using System;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;
using PopForums.ExternalLogin;
using PopForums.Services;
using PopForums.Web;
namespace PopForums.Configuration
{
public class PopForumsOwinStartup
{
public void Configuration(IAppBuilder app)
{
var setupService = PopForumsActivation.ServiceLocator.GetInstance<ISetupService>();
if (!setupService.IsDatabaseSetup())
return;
var settings = PopForumsActivation.ServiceLocator.GetInstance<ISettingsManager>().Current;
app.SetDefaultSignInAsAuthenticationType(ExternalAuthentication.ExternalCookieName);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = ExternalAuthentication.ExternalCookieName,
AuthenticationMode = AuthenticationMode.Passive,
CookieName = CookieAuthenticationDefaults.CookiePrefix + ExternalAuthentication.ExternalCookieName,
ExpireTimeSpan = TimeSpan.FromMinutes(60)
});
if (settings.UseTwitterLogin)
app.UseTwitterAuthentication(
consumerKey: settings.TwitterConsumerKey,
consumerSecret: settings.TwitterConsumerSecret);
if (settings.UseMicrosoftLogin)
app.UseMicrosoftAccountAuthentication(
clientId: settings.MicrosoftClientID,
clientSecret: settings.MicrosoftClientSecret);
if (settings.UseFacebookLogin)
app.UseFacebookAuthentication(
appId: settings.FacebookAppID,
appSecret: settings.FacebookAppSecret);
if (settings.UseGoogleLogin)
app.UseGoogleAuthentication(settings.GoogleClientId, settings.GoogleClientSecret);
}
}
}
有什么想法吗?
不确定这是否有帮助,但如果您查看模板,请使用 AuthenticationManager.ExternalLinkLoginInfoAsync() 检索 OAuth 回调的结果。你能看看我
[AllowAnonymous]
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<ActionResult> ExternalLinkLogin(string provider) //Google,Twitter etc.
{
return new ChallengeResult(provider, Url.Action("ExternalLinkLoginCallback"), userId);
}
[AllowAnonymous]
[HttpGet]
public async Task<ActionResult> ExternalLinkLoginCallback()
{
// Handle external Login Callback
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync(XsrfKey,userId);
if (loginInfo == null)
{
IdentitySignout(); // to be safe we log out
return RedirectToAction("Register", new {message = "Unable to authenticate with external login."});
}
...
IdentitySignIn(userId, userName, returnUrl);
}
另外,您的启动代码似乎与默认模板略有不同。
您正在使用:
app.SetDefaultSignInAsAuthenticationType(ExternalAuthentication.ExternalCookieName);
默认模板使用的位置:
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
您可以快速比较模板在我的一篇博文的摘要中使用的内容:
虽然听到这对您不利,但还是很沮丧 - 这些东西应该是向后兼容的 - 使用像这样的核心系统组件来破坏现有代码是不行的。