带有 OpenIdConnect 的 IIS 反向代理会转到错误的身份提供者

IIS Reverse Proxy with OpenIdConnect going to wrong Identity provider

OpenIdConnect (Azure) 设置

// COOKIES: Tells it to use cookies for authentication.
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    CookieManager = new SystemWebCookieManager()
});

// OPEN-ID: Authenticate via Azure AD using OpenIdConnect.
//https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-webapi-openidconnect/
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions()
{
    ClientId = ClientID,
    Authority = Authority,
    PostLogoutRedirectUri = PostLogoutRedirectUri,
    Notifications = new OpenIdConnectAuthenticationNotifications()
    {
        AuthenticationFailed = PrincipalService.OnAzureAuthenticationFailure,
        // REFERENCE: https://russellyoung.net/2015/09/05/mvc-role-based-authorization-with-azure-active-directory-aad/
        AuthorizationCodeReceived = (AuthorizationCodeReceivedNotification notification) =>
        {
            var username = notification.AuthenticationTicket.Identity.Name.Split('#').LastOrDefault();
            Logger.Log(Level.Auth, "Azure login success! Username: '" + username + "'.");
            return Task.FromResult(0);
        }
    }
});

ARR Url 重写设置

<rewrite>
    <outboundRules> 
        <preConditions> 
            <preCondition name="ResponseIsHtml1"> 
                <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" /> 
            </preCondition> 
        </preConditions> 
    </outboundRules>
    <rules>
        <rule name="Secondary Server" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
                <add input="{CACHE_URL}" pattern="^(https?)://" />
            </conditions>
            <action type="Rewrite" url="https://qa2mobile.auntmillies.com/{R:1}" />
            <serverVariables>
            </serverVariables>
        </rule>
    </rules>
</rewrite>

问题

Azure AD 身份验证正常工作,但一旦我设置了反向代理,它就开始将我带到我自己的域,就好像它是身份提供者一样。

例如https://my.domain.com/<guid>/oauth2/authorize?client_id=<guid>&etc

这是什么原因造成的?我的意思是,显然是反向代理,但是如何在不删除反向代理的情况下修复它?

What is causing this? I mean, obviously the reverse proxy, but how do I fix it without removing the reverse proxy?

据我所知,如果您在 web.config 中使用 url 重写规则,它会将所有请求重写到包含 [=21] 的 https://my.domain.com/ 域=].

我建议你可以写一个新的规则来匹配 /oauth2 请求 url 直接重定向到 login.microsoftonline.com 而不是 https://my.domain.com/。然后就可以正常使用了。

更多细节,您可以参考下面的url重写规则。

    <rewrite>
        <rules>
          <rule name="rule2" stopProcessing="true">
            <match url="<talentid>/oauth2/(.*)" />
            <action type="Redirect" url="https://login.microsoftonline.com/{R:0}" />
          </rule>
            <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                <match url="(.*)" />
                <action type="Rewrite" url="https://<domain>.com/{R:1}" />

            </rule>
        </rules>
        <outboundRules>

            <preConditions>
                <preCondition name="ResponseIsHtml1">
                    <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                </preCondition>
            </preConditions>
        </outboundRules>
    </rewrite>