OpenIdConnectProtocolValidationContext.Nonce was null when using Okta in an ASP.NET Web Application

I have a .NET ASP.NET web application and I am trying to implement single sign-on with Okta. All of my code works and runs, except when I log in using Google Chrome 80+. When I log in to Okta and get called back to my application I receive the error below. The steps I have tried so far are listed further down. It works in all other browsers, but most likely fails because of the SameSite cookie attribute change in Chrome 80.

Server Error in '/' Application.

IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details:

Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolInvalidNonceException: IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[OpenIdConnectProtocolInvalidNonceException: IDX21323: RequireNonce is '[PII is hidden]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated.]
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateNonce(OpenIdConnectProtocolValidationContext validationContext) +1374
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateAuthenticationResponse(OpenIdConnectProtocolValidationContext validationContext) +219
Microsoft.Owin.Security.OpenIdConnect.d__11.MoveNext() +3770 System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +27

  1. Upgraded the .NET version to 4.7.2
  2. Upgraded the Microsoft.Owin NuGet packages to 4.1
  3. Added the SameSite configuration in Startup
  4. Added the web.config values
  5. Added the CookieManager code

Startup.cs Configure() code

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

// Cookie authentication: SameSite=None together with Secure is the combination
// Chrome 80 requires for a cookie that must travel on a cross-site request.
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    CookieSameSite = SameSiteMode.None,
    CookieSecure = CookieSecureOption.Always,
    CookieHttpOnly = true,
    // Wrapper around the default cookie manager (its source is not shown here)
    CookieManager = new Code.SameSiteCookieManager(new Microsoft.Owin.Host.SystemWeb.SystemWebCookieManager())
});

// Okta middleware; it registers the OpenID Connect handler internally
app.UseOktaMvc(new OktaMvcOptions()
{
    OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
    ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
    ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],
    RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],
    PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
    AuthorizationServerId = string.Empty,
    Scope = new List<string> { "openid", "profile", "email" },
});

// NOTE: this validator is created but never handed to the OpenID Connect middleware,
// so setting RequireNonce = false here has no effect on the error above.
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator dd = new Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator();
dd.RequireNonce = false;

// Init ADM Kit and start logging.
Code.KitHelper.Init();

Check whether you only have this problem in Chrome. If so, it is because of the new security implementation rolled out in version 80.

If enabled, cookies without SameSite restrictions must also be Secure. If a cookie without SameSite restrictions is set without the Secure attribute, it will be rejected. This flag only has an effect if "SameSite by default cookies" is also enabled. – Mac, Windows, Linux, Chrome OS, Android

You can disable it in chrome://flags, although it is now enabled by default:

#cookies-without-same-site-must-be-secure

After setting this to Disabled you must restart Chrome. This solved my problem and explains why everything works as expected in production but locally I got the nonce error.

I would like to add that you can check whether there is any configuration in your project or environment (such as a load balancer) that communicates over http instead of https.

Related topic: https://github.com/okta/okta-aspnet/issues/131
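The two answers above describe the cause in words: the OpenID Connect middleware stores the nonce in a cookie before redirecting to Okta, and Okta returns the id_token with a cross-site POST to the callback; if Chrome 80 either refuses to store that cookie or refuses to attach it to the POST, the middleware sees an empty OpenIdConnectProtocolValidationContext.Nonce and throws IDX21323. The following is an added example, not code from the question, the answers or the Okta library: a small Node.js model of the Chrome 80 cookie rules (SameSite defaulting to Lax, SameSite=None requiring Secure, Secure cookies not being settable over http, and the two-minute "Lax+POST" exception) applied to that round trip. The function names, the cookie name `OpenIdConnect.nonce` and the sample Set-Cookie values are constructed for illustration; the real middleware uses a longer cookie name.

```javascript
// Added example (not from the original question or answers): a model of the
// Chrome 80 cookie rules that decide whether the OIDC nonce cookie reaches the
// callback. Function names and sample Set-Cookie values are constructed.

// Parse one Set-Cookie header value into its name, value and relevant attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq < 0 ? parts[0] : parts[0].slice(0, eq),
    value: eq < 0 ? '' : parts[0].slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null, // null means the attribute was absent
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Rules applied when a response tries to SET the cookie:
//  - an absent SameSite attribute is treated as Lax ("SameSite by default cookies")
//  - SameSite=None is rejected unless Secure is present
//    ("Cookies without SameSite must be secure", the chrome://flags entry above)
//  - a Secure cookie cannot be set by a response that arrived over plain http
function storeCookie(jar, setCookieHeader, responseScheme) {
  const c = parseSetCookie(setCookieHeader);
  if (c.sameSite === 'none' && !c.secure) {
    return { stored: false, reason: 'SameSite=None without Secure is rejected' };
  }
  if (c.secure && responseScheme !== 'https') {
    return { stored: false, reason: 'Secure cookie cannot be set over http' };
  }
  jar.set(c.name, {
    ...c,
    effectiveSameSite: c.sameSite || 'lax',
    explicitSameSite: c.sameSite !== null,
  });
  return { stored: true, reason: 'stored' };
}

// Rules applied when the browser decides which cookies to ATTACH to a request.
// cookieAgeSeconds models the "Lax+POST" exception: a cookie that is Lax only by
// default is still sent on a top-level cross-site POST for two minutes.
function cookiesForRequest(jar, { method, crossSite, scheme, cookieAgeSeconds = 0 }) {
  const sent = [];
  for (const c of jar.values()) {
    if (c.secure && scheme !== 'https') continue;
    if (crossSite) {
      if (c.effectiveSameSite === 'strict') continue;
      if (c.effectiveSameSite === 'lax' && method !== 'GET') {
        const laxPostException = !c.explicitSameSite && cookieAgeSeconds < 120;
        if (!laxPostException) continue;
      }
    }
    sent.push(c.name);
  }
  return sent;
}

// The round trip from the question: the app sets the nonce cookie while
// redirecting to Okta; Okta returns the id_token with response_mode=form_post,
// a cross-site POST to the callback. A missing nonce cookie there is exactly
// the IDX21323 failure (id_token has a nonce, the validation context does not).
function nonceReachesCallback(setCookieHeader, scheme, cookieAgeSeconds = 0) {
  const jar = new Map();
  const set = storeCookie(jar, setCookieHeader, scheme);
  const sent = cookiesForRequest(jar, { method: 'POST', crossSite: true, scheme, cookieAgeSeconds });
  return { stored: set.stored, reason: set.reason, nonceSent: sent.includes('OpenIdConnect.nonce') };
}

// Constructed sample cookies for the scenarios discussed on this page.
const NONCE_NONE_SECURE = 'OpenIdConnect.nonce=abc; Path=/; HttpOnly; Secure; SameSite=None';
const NONCE_NONE_INSECURE = 'OpenIdConnect.nonce=abc; Path=/; HttpOnly; SameSite=None';
const NONCE_NO_SAMESITE = 'OpenIdConnect.nonce=abc; Path=/; HttpOnly';

// Local development over http with the question's SameSite=None + Secure settings
console.log('http, None+Secure :', nonceReachesCallback(NONCE_NONE_SECURE, 'http'));
// Production over https with the same settings
console.log('https, None+Secure:', nonceReachesCallback(NONCE_NONE_SECURE, 'https'));
// SameSite=None without Secure (what the chrome://flags entry rejects)
console.log('http, None only   :', nonceReachesCallback(NONCE_NONE_INSECURE, 'http'));
```

Running the block shows the pattern both answers describe: the SameSite=None + Secure cookie is stored and sent only when the whole exchange happens over https, so a local http site or a load balancer that terminates TLS and talks http to the application loses the nonce, while the same configuration works in an https production deployment.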