Why is the 'identityProvider' claim missing in the ClaimsPrincipal running in an Azure Function v2?

I have an Azure Function App deployed in 2 environments, one for development and one for production, each with its own URL.

In both environments, the function is configured to allow users to authenticate with their Facebook account. I actually configured 2 different Facebook applications: one for the dev environment and one for the production environment.

Here is the code of an Azure Function that simply logs, in Application Insights, all the headers of the HTTP request and all the claims of the injected ClaimsPrincipal instance:

using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public sealed class FindAccountFunction
{
    private readonly ILogger m_logger;

    public FindAccountFunction(ILoggerFactory loggerFactory)
    {
        m_logger = loggerFactory.CreateLogger<FindAccountFunction>();
    }

    [FunctionName("FindAccount")]
    public Task<IActionResult> Run(
        [HttpTrigger(
            AuthorizationLevel.Function,
            "get",
            Route = "v1/accounts"
        )]
        HttpRequest httpRequest,
        ClaimsPrincipal claimsPrincipal)
    {
        // Log all headers of the HTTP request.
        foreach (var header in httpRequest.Headers)
        {
            m_logger.LogInformation("Header {Name}: {Value}", header.Key, header.Value.ToString());
        }

        // Log all the claims of the injected ClaimsPrincipal.
        foreach (var claim in claimsPrincipal.Claims)
        {
            m_logger.LogInformation("Claim {Type}: {Value}", claim.Type, claim.Value);
        }

        return Task.FromResult<IActionResult>(new OkObjectResult("Ok"));
    }
}

In the production environment everything works fine, since I can identify the connected user by reading the nameidentifier and identityprovider claims, as shown in the following log:

The problem appears in the development environment. For some reason, the nameidentifier I get is a number (instead of a hexadecimal value starting with sid:), and identityprovider is completely missing from the claims:

Question

What could cause nameidentifier to be a number in the development environment, and the identityprovider claim to be missing from the ClaimsPrincipal instance?

Could it be a missing permission?

Update

I added the setting WEBSITE_AUTH_HIDE_DEPRECATED_SID in both environments and set it to true.

Here is the JWT token from the development environment:

{
  "sub": "sid:a3xxxxxxxxxxxxx",
  "idp": "facebook",
  "ver": "4",
  "iss": "https://dev.company.ca/",
  "aud": "https://dev.company.ca/",
  "exp": 1557524710,
  "nbf": 1552343212
}

Here is the JWT token from the production environment:

{
  "sub": "sid:06afxxxxxxxx",
  "idp": "facebook",
  "ver": "4",
  "iss": "https://prod.company.ca/",
  "aud": "https://prod.company.ca/",
  "exp": 1557526156,
  "nbf": 1552342494
}

Still, the development environment does not provide the expected identityprovider claim, and the nameidentifier claim in the ClaimsPrincipal instance differs from the one in the JWT.

For now, as a workaround, I simply use the JWT to extract the sid, but I would prefer the framework to provide this for me.

Update 2

I have opened this as an issue on GitHub.

This problem is caused by a breaking change that happened in summer 2018, as described in the GitHub thread.

The workaround is as follows:

Summary

The App Service Authentication/Authorization feature made a breaking change for X-ZUMO-AUTH token behavior for apps that enabled EasyAuth after mid-2018. That breaking change is being reverted in the next few weeks.

Workaround

In the meantime, if you want your dev application behavior to match your production application's behavior, you can do so by deleting the "runtimeVersion" property in your site auth settings. You can do so with the following.

  1. Navigate to https://resources.azure.com/
  2. Via the drop down menus on the side, navigate to subscriptions > (subName) > resourceGroups > (resourceGroupName) > providers > Microsoft.Web > sites > (siteName) > config > authSettings.
  3. Edit the json object under properties and set runtimeVersion to "".
  4. Use the PUT operation to make those changes.
  5. If these steps were successful you should see runtimeVersion no longer present in your application.

NOTE: If you disable and then reenable Authentication/Authorization at any point, it will add a value for "runtimeVersion", and you will have to follow the above steps again to remove it.
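As an added example that is neither the question's code nor part of the Azure SDK: a diagnostic helper that decodes the EasyAuth session token (assumed to arrive in the X-ZUMO-AUTH header) and compares its "sub" and "idp" claims with the nameidentifier and identityprovider claims the runtime injected into ClaimsPrincipal, so the dev/prod discrepancy described above becomes visible in the logs. The identityprovider claim URI is also an assumption; confirm it against the claims your own function logs.

```csharp
using System;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Http;
using Newtonsoft.Json.Linq;

// Added diagnostic helper (not from the question); header name and claim URI are assumptions.
public static class EasyAuthClaimCheck
{
    // Claim type URI assumed for the EasyAuth identityprovider claim.
    private const string IdentityProviderClaim =
        "http://schemas.microsoft.com/identity/claims/identityprovider";

    public sealed class Result
    {
        public string TokenSub { get; set; }
        public string TokenIdp { get; set; }
        public string PrincipalNameIdentifier { get; set; }
        public string PrincipalIdentityProvider { get; set; }
        // True only when the principal carries the token's subject and an identity provider.
        public bool Consistent => TokenSub != null && TokenSub == PrincipalNameIdentifier && PrincipalIdentityProvider != null;
    }

    public static Result Compare(HttpRequest request, ClaimsPrincipal principal)
    {
        var result = new Result
        {
            PrincipalNameIdentifier = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value,
            PrincipalIdentityProvider = principal.FindFirst(IdentityProviderClaim)?.Value
        };
        // EasyAuth validated the token signature before the request reached the function, so only
        // the payload is decoded here; this unverified payload is for diagnostics, not authorization.
        if (request.Headers.TryGetValue("X-ZUMO-AUTH", out var token) && token.Count > 0)
        {
            var payload = DecodeJwtPayload(token[0]);
            result.TokenSub = payload["sub"]?.Value<string>();
            result.TokenIdp = payload["idp"]?.Value<string>();
        }
        return result;
    }

    // Base64url-decodes the middle segment of a compact JWT (no signature check).
    private static JObject DecodeJwtPayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT.");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return JObject.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
    }
}
```

Calling EasyAuthClaimCheck.Compare(httpRequest, claimsPrincipal) inside the function and logging a warning when Consistent is false flags exactly the case where the dev environment hands back a numeric nameidentifier and no identityprovider.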