AddOpenIdConnect options.Authority 被代理后面的当前主机覆盖 (UseForwardedHeaders)
AddOpenIdConnect options.Authority overriden with current host behind proxy (UseForwardedHeaders)
我在容器内的反向代理后面托管我的应用程序。我正在使用 IdentityServer4,我正在尝试使用 Azure AD 进行 oidc SSO。它在应用程序未使用 app.UseForwardedHeaders(opts) 时有效,但我需要它们。
.NET核心版本:3.1
转发headers个配置:
var opts = new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto |
ForwardedHeaders.XForwardedHost
};
opts.KnownProxies.Add(ipAddress);
app.UseForwardedHeaders(opts);
OpenID 连接配置:
services.AddAuthentication( options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
}
)
.AddOpenIdConnect("aadrm", "Azure AD", options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.SignOutScheme = IdentityServerConstants.SignoutScheme;
options.Authority = "https://login.microsoftonline.com/{tenantID...}/v2.0";
options.ClientId = ".....";
options.ClientSecret = @"........";
options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
});
我的控制器操作:
[HttpGet]
public IActionResult ExternalLoginChallenge(string provider, string returnUrl)
{
var callbackUrl = Url.Action(nameof(ExternalLoginCallback));
var props = new AuthenticationProperties
{
RedirectUri = callbackUrl,
Items =
{
{ "scheme", provider },
{ "returnUrl", returnUrl }
}
};
return Challenge(props, provider);
}
当我启动登录过程时,它应该将我重定向到 Microsoft 的登录页面,但它却将我重定向回我的主机 url: https://mylocalapp.com:443/{tenantId}/oauth2/v2.0/authorize?client_id=...&redirect_uri=HTTPS%3A%2F%2Fmylocalapp.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile&response_mode=form_post&nonce=........&state=............&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.8.0.0
当我删除 app.UseForwardedHeaders(opts) 时它正常工作(将我重定向到 MS 登录页面)。似乎 UseForwardedHeaders 覆盖了 OpenIdConnect 授权地址主机。
你能帮我吗,我不明白为什么它会将我重定向回我的主机?
谢谢。
我在容器内的反向代理后面托管我的应用程序。我正在使用 IdentityServer4,我正在尝试使用 Azure AD 进行 oidc SSO。它在应用程序未使用 app.UseForwardedHeaders(opts) 时有效,但我需要它们。
.NET核心版本:3.1
转发headers个配置:
var opts = new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto |
ForwardedHeaders.XForwardedHost
};
opts.KnownProxies.Add(ipAddress);
app.UseForwardedHeaders(opts);
OpenID 连接配置:
services.AddAuthentication( options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
}
)
.AddOpenIdConnect("aadrm", "Azure AD", options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.SignOutScheme = IdentityServerConstants.SignoutScheme;
options.Authority = "https://login.microsoftonline.com/{tenantID...}/v2.0";
options.ClientId = ".....";
options.ClientSecret = @"........";
options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
});
我的控制器操作:
[HttpGet]
public IActionResult ExternalLoginChallenge(string provider, string returnUrl)
{
var callbackUrl = Url.Action(nameof(ExternalLoginCallback));
var props = new AuthenticationProperties
{
RedirectUri = callbackUrl,
Items =
{
{ "scheme", provider },
{ "returnUrl", returnUrl }
}
};
return Challenge(props, provider);
}
当我启动登录过程时,它应该将我重定向到 Microsoft 的登录页面,但它却将我重定向回我的主机 url: https://mylocalapp.com:443/{tenantId}/oauth2/v2.0/authorize?client_id=...&redirect_uri=HTTPS%3A%2F%2Fmylocalapp.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile&response_mode=form_post&nonce=........&state=............&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.8.0.0
当我删除 app.UseForwardedHeaders(opts) 时它正常工作(将我重定向到 MS 登录页面)。似乎 UseForwardedHeaders 覆盖了 OpenIdConnect 授权地址主机。
你能帮我吗,我不明白为什么它会将我重定向回我的主机?
谢谢。