Azure Active Directory OpenID 在 Web 浏览器中抛出 nonce 异常,但在 Web 浏览器控件中不抛出
Azure Active Directory OpenID throwing nonce exception in web browser but not in web browser control
我正在使用带有 OpenID 的 OWIN 身份验证来对 Azure AD 端点进行身份验证。我的应用程序通常在 win-forms web-browser 控件中运行,我没有遇到任何问题。但是,当使用现代 Web 浏览器进行身份验证时,我在 Azure Active Directory 的响应重定向中的中间件 Next.Invoke(context) 中收到 "nonce" 异常。
我已将响应 headers 的提琴手与控件和网络浏览器连接在一起。它们是不同的,但我希望对原因有所了解。
web-browser 控件和 Web 浏览器之间的哪些差异可能导致此问题?是否有解决方案/解决方法?
在使用 IE 11 的 web-browser 控件中成功,但在 IE 11、Edge、Chrome 和 Firefox 中失败。
注意:JWT 在这两种情况下都包含随机数标记,它不会在中间件中读取。
我正在使用:
Microsoft.Owin.Security.OpenIdConnect, Version=4.0.1.0
Microsoft.IdentityModel.Protocols.OpenIdConnect, Version=5.3.0.0
public class MyMiddleWare : OwinMiddleware
{
public override async Task Invoke(IOwinContext context)
{
try
{
await Next.Invoke(context);
...
错误
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException
HResult=0x80131500
Message=IDX21323: RequireNonce is '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.
Source=Microsoft.IdentityModel.Protocols.OpenIdConnect
StackTrace:
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateNonce(OpenIdConnectProtocolValidationContext validationContext)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateAuthenticationResponse(OpenIdConnectProtocolValidationContext validationContext)
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<AuthenticateCoreAsync>d__9.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<AuthenticateCoreAsync>d__9.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<InvokeReplyPathAsync>d__16.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContextStage.<RunApp>d__7.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
at ....<Invoke>d__5.MoveNext() in ...:line 29
成功
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
x-ms-request-id: ffdb4ab7-a6b4-457e-b663-448727569900
x-ms-ests-server: 2.1.9524.8 - CHI ProdSlices
x-ms-clitelem: 1,0,0,228204.2529,
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: ESTSAUTHPERSISTENT=AQABAAQAACQN9QBRU3jT6bcBQLZNUj7jTNFH8tmqm9RCwduQg-S-Hg1JD5RJF6fmJ52lpVgyxkqYMpRP9IAURkUcO6yYTTJurmwF93DSyIr0GyvQmFO8ecuJra5gpBZcknhXnjHgMGZdW-IJg-maq9XPatsYpm_0vV7APXW89dnDq_rqOqXEIHYKBAUjAykyVlnq-2g0fN6UJhQbW0HcK78Fnu4ImfYqRWX7MmxILF3SXC9Ocmlphf22ThKPsZVJ2ZW7M7TaF7sBA94NokK75BWpOsYOeeBOX4VdJaJ3KQ2Qzx39cLNurZdlokZcv2QHhxif3FTBsFBlTRBeuHu2CZ5dRlG4n1DBRjCU4cgfXXkejKsQANLKGN3CFbZDPPlCfoZ3JVwrtWMCBUQRAnKI2k-CBgzY893M3dHHGdikMb6NfrlhIHxj7RUeVyeZNt655OYKz80SgEbsqOnXrEhs5uLipuotCCo0KlBD9c32N3wcEjtRcWccg5lhU9zj8j_BEmc0eDx-wWsayXyeFquHBUhtbi8nsaBzDyDwnr1m9JRfItjIy7CwmxmOkgdd0fs0I--Ge1qpFNq4dtcvN59iai9eBSPa6rU_iNFOwXcBvzickxhT5P9FQWEFtiXJqu2yCfiyr29nk_3lnERJmPKvH7w9mNhNOZhY1gftaYKRa41RVCaFvDZxJHYjHP5-Zt8kD9POHc6Q1DKF9auL2C6tH60UHPXyeaNb1WpVq_cni_RJ4b7IvsTni9fDhFWvBSgOdoIdfrXj6oO6KhkBX-IjIJ21NirfXGxLLYo_xU9d7vQsin9pfrWdipoXvwtPgANqysVw443-HwUvLhPTuXxGsDdv0HzrvtxzVidvY_ihN45KXR4LsYQDMRNvPlCGYVJDxc3OQfV1LEgACAAQAAQAgAA; domain=.login.microsoftonline.com; expires=Sun, 12-Jan-2020 17:29:09 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTH=AQABAAQAACQN9QBRU3jT6bcBQLZNUj7RkRJgm8PalY-u9YYf_I67Wxc1rqqmcQjzhap-HvzYPcg57SXUcZdCfoXzfJrakxvqnrb2ZNo9C-ZHRotgvjLc2dW6cgdeWzR3HosW2wnq46QMLuM5_9PgkVqu618TY1YjbrGHJt-DrkqYBllosEsRgIn7vtJbIDUcbIX_lY1v3x_eZDvxDC54mXpu4ahOFb2PpcMWOhQc2FvpjlBYy7n6SAAIABAACAAAAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTHLIGHT=+53636a21-7ae1-44a-91b6-42bcae6e95b8; path=/; secure; SameSite=None
Set-Cookie: ch=so8u3S2kSqpfBZhYUj-R6A5pGKKa5C_O1x0BvcrUeo; domain=.login.microsoftonline.com; expires=Sun, 12-Jan-2020 17:29:09 GMT; path=/; secure; SameSite=None
Set-Cookie: ESTSSC=00; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: buid=AQABAAEAAACQNQBRU3jT6bcBQLZNUj7enEyqLfYUuELonMRUstbWJj7fo8pTcQpro4Nep0rWS5DEHS7CAeNTSacaPYMXV8117FRdTSbvvMTasm4xDvW754ejP38JWtrZYkzEgOR8GyYsywDES4s7Fh9p1Fy_m5ImVzc9weUEiDlc1yhXxSkDbDmnlv9-SjJUJmiespfBsaXtzQSrEQaPEpBT5PbY5J_oAFgzbSA0gmlO9yOWOVGOR7IsIm8L4HvgJl25zOJWRBDSHYe8uTsCyfclx9oW_iZeQ3qtgczWXpg4OSIJqB3NiAA; expires=Wed, 13-Nov-2019 17:29:09 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: SignInStateCookie=CAQABAAIAACQN9QBRU3jT6bcBQLZNUj7MpWzBN_CNnDvk5B7KLIuFNmpFhsjxyNrRZ7uaQBysuOYD52BW1DC2Rp5zZbk3RPFsZu0QKJeaCDiXBBgy7YMVKIquSviPZZfMIw1HPfm0s6Sf0lMfdgA0muXF6YFxneaZCsDq53lm6qYIlzUNhv39buD6xuCgtFl6d1OC84T65eGPSPPPBTJGO4un5QCVByDM0wbwYtXXr68c08cbT2U_ucgQ4tffRT-OUxKKlvz6nR3NcwD-Irn2Kn3Ay6_IBf7IAA; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: fpc=Ajcv9X5TAupIu9O6f-Jaazeh6BYDAQAAAJmjNtUOAAAAVCafUwEAACZpjbVDgAAAMDn2V0DAAAA46Y21Q4AAAA; expires=Wed, 13-Nov-2019 17:29:09 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: esctx=AQABAAAAAACQNQBRU3jT6bcBQLZNUj7rM2IjQVNxnrEqNXHtt2eNwsyLtgxftnSP3A1fpoRokG5weF27jPP4N4DTNZQI9-zxNnJXVD6jVR_FASWy6wvo-jYy0ddLCsC6upC3Y6n_YZSdCFixngM6Mnv3h4wAsPDbf6pzuUl7b0U8OoVe0zThFTTuQgprrs3XjHm9zEzlfAgAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: x-ms-gateway-slice=prod; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
Date: Mon, 14 Oct 2019 17:29:09 GMT
Content-Length: 2650
失败
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
x-ms-request-id: d8d44ea8-f12b-4f77-a25e-c1802adc7300
x-ms-ests-server: 2.1.9524.8 - CHI ProdSlices
x-ms-clitelem: 1,0,0,,
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: AADSSO=; expires=Sun, 13-Oct-2019 17:30:47 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTHPERSISTENT=AQABAAQAAACN9QBRU3jT6bcBQLZNUj7Ng4kTNHEzlSGq4cyWxjUgjdQKPLQpDmPkulhBzsOCuvbmS0f1XHOHjqpDjRbTlT6r7VIjA0Gmsd6jlC2vcXMeifp2g1l5iUmaRS7sRA7XYoM1lRB6BB8sR1iNU8lL5G8Pff1qnDDe0O6Y5DE3yl_V02Cl_g_fifjTWGqG32JCUoXwknLW7gJi2k6GwVEq50rLqOYcSWpC72Q4bvtV1MY7CINWCUtpfse-gGcFYHmA67eGB8a4xwzvZnVfXdBHDvGuuqtDeXp1cprMCHYX9w3PAH1Ll7wVjZj4sUm0YWzm7G0gl9ngSqObM_vigH_KiXPsVoezhlBN_Xx0pkUpgbcTg2jCZ65xmSMkG_pegf28Zbyhpde-nqLB3_apx4_CJKr4BnJfklyRWvfZay5rtPJ70fpvP0KefPCyyE-liJxa47S6omJGr3IYZsmqlXQCGnYxgV7R2JFhdatTqiMuoKaTZGi_biglipMOKq0CIwBAOhQTlnAvO3TQInL2pKu96qbGo8f4wC6qzKnkGyPRenl66HZtZ1AAtkopLm-3AazYwYe_0Ex661018bmRQ439uy1p8otKT3ZnLaF2tjbAS5oXqCixevywawSsL-PhF69GYUgACAAQABQAQAA; domain=.login.microsoftonline.com; expires=Sun, 12-Jan-2020 17:30:47 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTH=AQABAAQAAACQN9QBRUjT6bcBQLZNUj7OegOzQKPWPto8WclZJmDLwYNjiEsn4OirFaDPw1GEKee53a1iFcD3LuFzjBN3PXqHmju5Wsfusj3mNowv15IWyv5qVIsSxHYlA1ESmxtT-fZsiTpW7anVdEl43kycsgEDFYjROEA_OzMt5ZdnFIH1rv5h0v4SQCrPBrofk4YRZ8PnxC-L_hvgA3jr5-YVA13aRcZdzXqAj3idML1MuwlBmXpALitYwCHaMosawMXp3mvbGSS8ly0SuW5509E9MY3Vlk1ySPPgId3z0dfK6q0hq9rdUsr7d7AZyGkmDoxGT-zjNqbBGKw9SqN0q77NYpAZZuyqnJHgxcYAilPCBi208PZ6QKuwKKGHey3J3XwtRVaJ_uBU0Ksx3uZHYWWk2plqP3Agv2EJlwqhCkoWmNMGsN84GoijysmiWizFOWaeQHcnEnBDzm9dON2eqrdTdWFUZNc7SIoLp4vhTGS7hHhSDVatAiIZX_46bVFkxGAXty6ZEOLnth2q8zQ4SbSBuccv1l2oFLKmqli2hnE5CHUuAcXazhhXSCasCFRZRrAkscqIi7mcZ2YRMiEaYZn6H092LPji0leYDNCCasKLQ-Xt1N-oJ1_aVETetoAE5_KmSoi9RV3v4rWtXOAAGvEUcfdFCAof0yRocLmjatN4HV2aa6NnDTs8hPdO61u_WsJkBjuDh8nM5B4JljqxwC4WeoQdL5G6Mq10qI6FYKqVsVwkJEyKWU01v7n_xqBFUwDoDogACAAQACwAQAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTHLIGHT=+d098c80-efb8-4b0f-9ef3-eb50f58728f9; path=/; secure; SameSite=None
Set-Cookie: ch=M9_iBKa5h4GB9fhFhfjvoUmR0yjMYMpfKah1_rdomE; domain=.login.microsoftonline.com; expires=Sun, 12-Jan-2020 17:30:47 GMT; path=/; secure; SameSite=None
Set-Cookie: ESTSSC=00; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: buid=AQABAAEAAAQN9QBRU3jT6bcBQLZNUj74Z7ZEQzlF4uGSSwnUP9-Ja0eqL75M-YOBzwUWC_4Lu7A6LaJn0TBLvvMwdpkJbFLAIIGzUo8eMCLp0vXHNvrALsBRbAa1gwh7KB-M9BN-gD6nJjpKUk3tHqvFtg7c0vK6eNo4qY7r1dwIg__VOiz6aD_AN1FvNYDh-wONdgBOfLnEllftJJEZnXSwpJ6YuNGFVDZ3d4vCjAhR5Ph7IueNj783JtQEdNXVBERuIk7h6mwRqPy3lzkMhuZvtaG2359Jk93zIGAUVNb56ibCASbsCAA; expires=Wed, 13-Nov-2019 17:30:47 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: SignInStateCookie=CAQABAAIAAACQN9QBRU3jT6bcBQLZNUj7g4TAdyzUlSo2ftZ1xNmrElg_4b6mDzvn_1n-8TExkhRaPr1e8skwnPVUggSoNHxL6SQsKWCa5j_E67GlrtdtB1qlEEKpPr-fgpGAjXSYt7lC6Qxms29L-q7kBEoD--ldp0MNTtuSbqyMqSWdzrfeMskcJx-D_GwYFVT46CGOtw4ScySBxVBWJ8JGuQJcAT6i1tuHzZO2TlOLliw_H7dOuYeiKGq2CbwTcMKFPydTuBSbTlfmRdIjQ3gBHmxTQ9qIAA; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: fpc=Au_FFTZRMRlAl59trPoUI0iyECHoAgAAHynNtUOAAAAwOfZXQIAAACHpzbVDgAAAA; expires=Wed, 13-Nov-2019 17:30:47 GMT; path=/; secure; HttpOnly; SameSite=None
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: x-ms-gateway-slice=prod; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
Date: Mon, 14 Oct 2019 17:30:46 GMT
Content-Length: 2522
Asp.net OpenID Connect (OIDC) 中间件使用 nonce cookie 来防止安全重放攻击。如错误所述,当应用程序在经过身份验证的请求中没有看到 nonce cookie 时,它会抛出上述异常。 Cookie 是基于域的,因此一旦为特定域设置了它们,只要它们仍然有效,对该域的所有后续请求都将包含这些 cookie。
因此,请确保网络浏览器控件和网络浏览器身份验证域相同。
这里的解决方法是redirect the request back to the same domain原先认证后使用。要控制 Azure AD 将经过身份验证的请求发送回应用程序的位置,请在下面的 ConfigureAuth 方法中设置 OpenIdConnectAuthentications.RedirectUri 属性。
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
RedirectUri = "https://www.contonso.com"
});
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
}
似乎 winform 的网络浏览器控件正在操纵请求中的 SameSite cookie。
我错误地配置了服务器以实施 SameSite=strict,这阻止了现代浏览器中的任何 OpenID 身份验证。因为winform的web browser control不包含这个cookie我才能够成功登录。
<rule name="Add SameSite" preCondition="No SameSite">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=strict" />
<conditions>
</conditions>
</rule>
我正在使用带有 OpenID 的 OWIN 身份验证来对 Azure AD 端点进行身份验证。我的应用程序通常在 win-forms web-browser 控件中运行,我没有遇到任何问题。但是,当使用现代 Web 浏览器进行身份验证时,我在 Azure Active Directory 的响应重定向中的中间件 Next.Invoke(context) 中收到 "nonce" 异常。
我已将响应 headers 的提琴手与控件和网络浏览器连接在一起。它们是不同的,但我希望对原因有所了解。
web-browser 控件和 Web 浏览器之间的哪些差异可能导致此问题?是否有解决方案/解决方法?
在使用 IE 11 的 web-browser 控件中成功,但在 IE 11、Edge、Chrome 和 Firefox 中失败。
注意:JWT 在这两种情况下都包含随机数标记,它不会在中间件中读取。
我正在使用:
Microsoft.Owin.Security.OpenIdConnect, Version=4.0.1.0
Microsoft.IdentityModel.Protocols.OpenIdConnect, Version=5.3.0.0
public class MyMiddleWare : OwinMiddleware
{
public override async Task Invoke(IOwinContext context)
{
try
{
await Next.Invoke(context);
...
错误
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException
HResult=0x80131500
Message=IDX21323: RequireNonce is '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.
Source=Microsoft.IdentityModel.Protocols.OpenIdConnect
StackTrace:
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateNonce(OpenIdConnectProtocolValidationContext validationContext)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateAuthenticationResponse(OpenIdConnectProtocolValidationContext validationContext)
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<AuthenticateCoreAsync>d__9.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<AuthenticateCoreAsync>d__9.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<InvokeReplyPathAsync>d__16.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContextStage.<RunApp>d__7.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__5.MoveNext()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
at ....<Invoke>d__5.MoveNext() in ...:line 29
成功
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
x-ms-request-id: ffdb4ab7-a6b4-457e-b663-448727569900
x-ms-ests-server: 2.1.9524.8 - CHI ProdSlices
x-ms-clitelem: 1,0,0,228204.2529,
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: ESTSAUTHPERSISTENT=AQABAAQAACQN9QBRU3jT6bcBQLZNUj7jTNFH8tmqm9RCwduQg-S-Hg1JD5RJF6fmJ52lpVgyxkqYMpRP9IAURkUcO6yYTTJurmwF93DSyIr0GyvQmFO8ecuJra5gpBZcknhXnjHgMGZdW-IJg-maq9XPatsYpm_0vV7APXW89dnDq_rqOqXEIHYKBAUjAykyVlnq-2g0fN6UJhQbW0HcK78Fnu4ImfYqRWX7MmxILF3SXC9Ocmlphf22ThKPsZVJ2ZW7M7TaF7sBA94NokK75BWpOsYOeeBOX4VdJaJ3KQ2Qzx39cLNurZdlokZcv2QHhxif3FTBsFBlTRBeuHu2CZ5dRlG4n1DBRjCU4cgfXXkejKsQANLKGN3CFbZDPPlCfoZ3JVwrtWMCBUQRAnKI2k-CBgzY893M3dHHGdikMb6NfrlhIHxj7RUeVyeZNt655OYKz80SgEbsqOnXrEhs5uLipuotCCo0KlBD9c32N3wcEjtRcWccg5lhU9zj8j_BEmc0eDx-wWsayXyeFquHBUhtbi8nsaBzDyDwnr1m9JRfItjIy7CwmxmOkgdd0fs0I--Ge1qpFNq4dtcvN59iai9eBSPa6rU_iNFOwXcBvzickxhT5P9FQWEFtiXJqu2yCfiyr29nk_3lnERJmPKvH7w9mNhNOZhY1gftaYKRa41RVCaFvDZxJHYjHP5-Zt8kD9POHc6Q1DKF9auL2C6tH60UHPXyeaNb1WpVq_cni_RJ4b7IvsTni9fDhFWvBSgOdoIdfrXj6oO6KhkBX-IjIJ21NirfXGxLLYo_xU9d7vQsin9pfrWdipoXvwtPgANqysVw443-HwUvLhPTuXxGsDdv0HzrvtxzVidvY_ihN45KXR4LsYQDMRNvPlCGYVJDxc3OQfV1LEgACAAQAAQAgAA; domain=.login.microsoftonline.com; expires=Sun, 12-Jan-2020 17:29:09 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTH=AQABAAQAACQN9QBRU3jT6bcBQLZNUj7RkRJgm8PalY-u9YYf_I67Wxc1rqqmcQjzhap-HvzYPcg57SXUcZdCfoXzfJrakxvqnrb2ZNo9C-ZHRotgvjLc2dW6cgdeWzR3HosW2wnq46QMLuM5_9PgkVqu618TY1YjbrGHJt-DrkqYBllosEsRgIn7vtJbIDUcbIX_lY1v3x_eZDvxDC54mXpu4ahOFb2PpcMWOhQc2FvpjlBYy7n6SAAIABAACAAAAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTHLIGHT=+53636a21-7ae1-44a-91b6-42bcae6e95b8; path=/; secure; SameSite=None
Set-Cookie: ch=so8u3S2kSqpfBZhYUj-R6A5pGKKa5C_O1x0BvcrUeo; domain=.login.microsoftonline.com; expires=Sun, 12-Jan-2020 17:29:09 GMT; path=/; secure; SameSite=None
Set-Cookie: ESTSSC=00; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: buid=AQABAAEAAACQNQBRU3jT6bcBQLZNUj7enEyqLfYUuELonMRUstbWJj7fo8pTcQpro4Nep0rWS5DEHS7CAeNTSacaPYMXV8117FRdTSbvvMTasm4xDvW754ejP38JWtrZYkzEgOR8GyYsywDES4s7Fh9p1Fy_m5ImVzc9weUEiDlc1yhXxSkDbDmnlv9-SjJUJmiespfBsaXtzQSrEQaPEpBT5PbY5J_oAFgzbSA0gmlO9yOWOVGOR7IsIm8L4HvgJl25zOJWRBDSHYe8uTsCyfclx9oW_iZeQ3qtgczWXpg4OSIJqB3NiAA; expires=Wed, 13-Nov-2019 17:29:09 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: SignInStateCookie=CAQABAAIAACQN9QBRU3jT6bcBQLZNUj7MpWzBN_CNnDvk5B7KLIuFNmpFhsjxyNrRZ7uaQBysuOYD52BW1DC2Rp5zZbk3RPFsZu0QKJeaCDiXBBgy7YMVKIquSviPZZfMIw1HPfm0s6Sf0lMfdgA0muXF6YFxneaZCsDq53lm6qYIlzUNhv39buD6xuCgtFl6d1OC84T65eGPSPPPBTJGO4un5QCVByDM0wbwYtXXr68c08cbT2U_ucgQ4tffRT-OUxKKlvz6nR3NcwD-Irn2Kn3Ay6_IBf7IAA; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: fpc=Ajcv9X5TAupIu9O6f-Jaazeh6BYDAQAAAJmjNtUOAAAAVCafUwEAACZpjbVDgAAAMDn2V0DAAAA46Y21Q4AAAA; expires=Wed, 13-Nov-2019 17:29:09 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: esctx=AQABAAAAAACQNQBRU3jT6bcBQLZNUj7rM2IjQVNxnrEqNXHtt2eNwsyLtgxftnSP3A1fpoRokG5weF27jPP4N4DTNZQI9-zxNnJXVD6jVR_FASWy6wvo-jYy0ddLCsC6upC3Y6n_YZSdCFixngM6Mnv3h4wAsPDbf6pzuUl7b0U8OoVe0zThFTTuQgprrs3XjHm9zEzlfAgAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: x-ms-gateway-slice=prod; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
Date: Mon, 14 Oct 2019 17:29:09 GMT
Content-Length: 2650
失败
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
x-ms-request-id: d8d44ea8-f12b-4f77-a25e-c1802adc7300
x-ms-ests-server: 2.1.9524.8 - CHI ProdSlices
x-ms-clitelem: 1,0,0,,
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: AADSSO=; expires=Sun, 13-Oct-2019 17:30:47 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTHPERSISTENT=AQABAAQAAACN9QBRU3jT6bcBQLZNUj7Ng4kTNHEzlSGq4cyWxjUgjdQKPLQpDmPkulhBzsOCuvbmS0f1XHOHjqpDjRbTlT6r7VIjA0Gmsd6jlC2vcXMeifp2g1l5iUmaRS7sRA7XYoM1lRB6BB8sR1iNU8lL5G8Pff1qnDDe0O6Y5DE3yl_V02Cl_g_fifjTWGqG32JCUoXwknLW7gJi2k6GwVEq50rLqOYcSWpC72Q4bvtV1MY7CINWCUtpfse-gGcFYHmA67eGB8a4xwzvZnVfXdBHDvGuuqtDeXp1cprMCHYX9w3PAH1Ll7wVjZj4sUm0YWzm7G0gl9ngSqObM_vigH_KiXPsVoezhlBN_Xx0pkUpgbcTg2jCZ65xmSMkG_pegf28Zbyhpde-nqLB3_apx4_CJKr4BnJfklyRWvfZay5rtPJ70fpvP0KefPCyyE-liJxa47S6omJGr3IYZsmqlXQCGnYxgV7R2JFhdatTqiMuoKaTZGi_biglipMOKq0CIwBAOhQTlnAvO3TQInL2pKu96qbGo8f4wC6qzKnkGyPRenl66HZtZ1AAtkopLm-3AazYwYe_0Ex661018bmRQ439uy1p8otKT3ZnLaF2tjbAS5oXqCixevywawSsL-PhF69GYUgACAAQABQAQAA; domain=.login.microsoftonline.com; expires=Sun, 12-Jan-2020 17:30:47 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTH=AQABAAQAAACQN9QBRUjT6bcBQLZNUj7OegOzQKPWPto8WclZJmDLwYNjiEsn4OirFaDPw1GEKee53a1iFcD3LuFzjBN3PXqHmju5Wsfusj3mNowv15IWyv5qVIsSxHYlA1ESmxtT-fZsiTpW7anVdEl43kycsgEDFYjROEA_OzMt5ZdnFIH1rv5h0v4SQCrPBrofk4YRZ8PnxC-L_hvgA3jr5-YVA13aRcZdzXqAj3idML1MuwlBmXpALitYwCHaMosawMXp3mvbGSS8ly0SuW5509E9MY3Vlk1ySPPgId3z0dfK6q0hq9rdUsr7d7AZyGkmDoxGT-zjNqbBGKw9SqN0q77NYpAZZuyqnJHgxcYAilPCBi208PZ6QKuwKKGHey3J3XwtRVaJ_uBU0Ksx3uZHYWWk2plqP3Agv2EJlwqhCkoWmNMGsN84GoijysmiWizFOWaeQHcnEnBDzm9dON2eqrdTdWFUZNc7SIoLp4vhTGS7hHhSDVatAiIZX_46bVFkxGAXty6ZEOLnth2q8zQ4SbSBuccv1l2oFLKmqli2hnE5CHUuAcXazhhXSCasCFRZRrAkscqIi7mcZ2YRMiEaYZn6H092LPji0leYDNCCasKLQ-Xt1N-oJ1_aVETetoAE5_KmSoi9RV3v4rWtXOAAGvEUcfdFCAof0yRocLmjatN4HV2aa6NnDTs8hPdO61u_WsJkBjuDh8nM5B4JljqxwC4WeoQdL5G6Mq10qI6FYKqVsVwkJEyKWU01v7n_xqBFUwDoDogACAAQACwAQAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: ESTSAUTHLIGHT=+d098c80-efb8-4b0f-9ef3-eb50f58728f9; path=/; secure; SameSite=None
Set-Cookie: ch=M9_iBKa5h4GB9fhFhfjvoUmR0yjMYMpfKah1_rdomE; domain=.login.microsoftonline.com; expires=Sun, 12-Jan-2020 17:30:47 GMT; path=/; secure; SameSite=None
Set-Cookie: ESTSSC=00; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: buid=AQABAAEAAAQN9QBRU3jT6bcBQLZNUj74Z7ZEQzlF4uGSSwnUP9-Ja0eqL75M-YOBzwUWC_4Lu7A6LaJn0TBLvvMwdpkJbFLAIIGzUo8eMCLp0vXHNvrALsBRbAa1gwh7KB-M9BN-gD6nJjpKUk3tHqvFtg7c0vK6eNo4qY7r1dwIg__VOiz6aD_AN1FvNYDh-wONdgBOfLnEllftJJEZnXSwpJ6YuNGFVDZ3d4vCjAhR5Ph7IueNj783JtQEdNXVBERuIk7h6mwRqPy3lzkMhuZvtaG2359Jk93zIGAUVNb56ibCASbsCAA; expires=Wed, 13-Nov-2019 17:30:47 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: SignInStateCookie=CAQABAAIAAACQN9QBRU3jT6bcBQLZNUj7g4TAdyzUlSo2ftZ1xNmrElg_4b6mDzvn_1n-8TExkhRaPr1e8skwnPVUggSoNHxL6SQsKWCa5j_E67GlrtdtB1qlEEKpPr-fgpGAjXSYt7lC6Qxms29L-q7kBEoD--ldp0MNTtuSbqyMqSWdzrfeMskcJx-D_GwYFVT46CGOtw4ScySBxVBWJ8JGuQJcAT6i1tuHzZO2TlOLliw_H7dOuYeiKGq2CbwTcMKFPydTuBSbTlfmRdIjQ3gBHmxTQ9qIAA; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: fpc=Au_FFTZRMRlAl59trPoUI0iyECHoAgAAHynNtUOAAAAwOfZXQIAAACHpzbVDgAAAA; expires=Wed, 13-Nov-2019 17:30:47 GMT; path=/; secure; HttpOnly; SameSite=None
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: x-ms-gateway-slice=prod; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
Date: Mon, 14 Oct 2019 17:30:46 GMT
Content-Length: 2522
Asp.net OpenID Connect (OIDC) 中间件使用 nonce cookie 来防止安全重放攻击。如错误所述,当应用程序在经过身份验证的请求中没有看到 nonce cookie 时,它会抛出上述异常。 Cookie 是基于域的,因此一旦为特定域设置了它们,只要它们仍然有效,对该域的所有后续请求都将包含这些 cookie。
因此,请确保网络浏览器控件和网络浏览器身份验证域相同。
这里的解决方法是redirect the request back to the same domain原先认证后使用。要控制 Azure AD 将经过身份验证的请求发送回应用程序的位置,请在下面的 ConfigureAuth 方法中设置 OpenIdConnectAuthentications.RedirectUri 属性。
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
RedirectUri = "https://www.contonso.com"
});
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
}
似乎 winform 的网络浏览器控件正在操纵请求中的 SameSite cookie。
我错误地配置了服务器以实施 SameSite=strict,这阻止了现代浏览器中的任何 OpenID 身份验证。因为winform的web browser control不包含这个cookie我才能够成功登录。
<rule name="Add SameSite" preCondition="No SameSite">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=strict" />
<conditions>
</conditions>
</rule>