带有 OpenIdConnect 的 IIS 反向代理会转到错误的身份提供者
IIS Reverse Proxy with OpenIdConnect going to wrong Identity provider
OpenIdConnect (Azure) 设置
// COOKIES: Tells it to use cookies for authentication.
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
CookieManager = new SystemWebCookieManager()
});
// OPEN-ID: Authenticate via Azure AD using OpenIdConnect.
//https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-webapi-openidconnect/
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions()
{
ClientId = ClientID,
Authority = Authority,
PostLogoutRedirectUri = PostLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications()
{
AuthenticationFailed = PrincipalService.OnAzureAuthenticationFailure,
// REFERENCE: https://russellyoung.net/2015/09/05/mvc-role-based-authorization-with-azure-active-directory-aad/
AuthorizationCodeReceived = (AuthorizationCodeReceivedNotification notification) =>
{
var username = notification.AuthenticationTicket.Identity.Name.Split('#').LastOrDefault();
Logger.Log(Level.Auth, "Azure login success! Username: '" + username + "'.");
return Task.FromResult(0);
}
}
});
ARR Url 重写设置
<rewrite>
<outboundRules>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
</outboundRules>
<rules>
<rule name="Secondary Server" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{CACHE_URL}" pattern="^(https?)://" />
</conditions>
<action type="Rewrite" url="https://qa2mobile.auntmillies.com/{R:1}" />
<serverVariables>
</serverVariables>
</rule>
</rules>
</rewrite>
问题
Azure AD 身份验证正常工作,但一旦我设置了反向代理,它就开始将我带到我自己的域,就好像它是身份提供者一样。
例如https://my.domain.com/<guid>/oauth2/authorize?client_id=<guid>&etc
- 从现在开始,如果我手动将
my.domain.com
更改为 login.microsoftonline.com
,它将让我登录并继续正常工作。
- 如果我删除反向代理并正常设置服务器,它会直接进入
login.microsoftonline.com
而不是我的域。
这是什么原因造成的?我的意思是,显然是反向代理,但是如何在不删除反向代理的情况下修复它?
What is causing this? I mean, obviously the reverse proxy, but how do I fix it without removing the reverse proxy?
据我所知,如果您在 web.config 中使用 url 重写规则,它会将所有请求重写到包含 [=21] 的 https://my.domain.com/ 域=].
我建议你可以写一个新的规则来匹配 /oauth2 请求 url 直接重定向到 login.microsoftonline.com 而不是 https://my.domain.com/。然后就可以正常使用了。
更多细节,您可以参考下面的url重写规则。
<rewrite>
<rules>
<rule name="rule2" stopProcessing="true">
<match url="<talentid>/oauth2/(.*)" />
<action type="Redirect" url="https://login.microsoftonline.com/{R:0}" />
</rule>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="https://<domain>.com/{R:1}" />
</rule>
</rules>
<outboundRules>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
OpenIdConnect (Azure) 设置
// COOKIES: Tells it to use cookies for authentication.
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
CookieManager = new SystemWebCookieManager()
});
// OPEN-ID: Authenticate via Azure AD using OpenIdConnect.
//https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-webapi-openidconnect/
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions()
{
ClientId = ClientID,
Authority = Authority,
PostLogoutRedirectUri = PostLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications()
{
AuthenticationFailed = PrincipalService.OnAzureAuthenticationFailure,
// REFERENCE: https://russellyoung.net/2015/09/05/mvc-role-based-authorization-with-azure-active-directory-aad/
AuthorizationCodeReceived = (AuthorizationCodeReceivedNotification notification) =>
{
var username = notification.AuthenticationTicket.Identity.Name.Split('#').LastOrDefault();
Logger.Log(Level.Auth, "Azure login success! Username: '" + username + "'.");
return Task.FromResult(0);
}
}
});
ARR Url 重写设置
<rewrite>
<outboundRules>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
</outboundRules>
<rules>
<rule name="Secondary Server" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{CACHE_URL}" pattern="^(https?)://" />
</conditions>
<action type="Rewrite" url="https://qa2mobile.auntmillies.com/{R:1}" />
<serverVariables>
</serverVariables>
</rule>
</rules>
</rewrite>
问题
Azure AD 身份验证正常工作,但一旦我设置了反向代理,它就开始将我带到我自己的域,就好像它是身份提供者一样。
例如https://my.domain.com/<guid>/oauth2/authorize?client_id=<guid>&etc
- 从现在开始,如果我手动将
my.domain.com
更改为login.microsoftonline.com
,它将让我登录并继续正常工作。 - 如果我删除反向代理并正常设置服务器,它会直接进入
login.microsoftonline.com
而不是我的域。
这是什么原因造成的?我的意思是,显然是反向代理,但是如何在不删除反向代理的情况下修复它?
What is causing this? I mean, obviously the reverse proxy, but how do I fix it without removing the reverse proxy?
据我所知,如果您在 web.config 中使用 url 重写规则,它会将所有请求重写到包含 [=21] 的 https://my.domain.com/ 域=].
我建议你可以写一个新的规则来匹配 /oauth2 请求 url 直接重定向到 login.microsoftonline.com 而不是 https://my.domain.com/。然后就可以正常使用了。
更多细节,您可以参考下面的url重写规则。
<rewrite>
<rules>
<rule name="rule2" stopProcessing="true">
<match url="<talentid>/oauth2/(.*)" />
<action type="Redirect" url="https://login.microsoftonline.com/{R:0}" />
</rule>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="https://<domain>.com/{R:1}" />
</rule>
</rules>
<outboundRules>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>