Can't get OpenID auth working with Onelogin and Azure web apps

Microsoft supports OpenID as an authentication provider for web apps: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-openid-connect

This works with auth0, but with onelogin, after logging in I get the error "The page cannot be displayed because an internal server error has occurred." in the browser.

Here is my config

{
  "platform": {
    "enabled": true
  },
  "globalValidation": {
    "requireAuthentication": true,
    "unauthenticatedClientAction": "RedirectToLoginPage",
    "redirectToProvider": "onelogin",
    "excludedPaths": []
  },
  "identityProviders": {
    "openIdConnectProviders": {
      "onelogin": {
        "enabled": true,
        "registration": {
          "clientId": "2a55cc10-ec26-0139-d4f3-063fe3b18f59195700",
          "clientCredential": {
            "secretSettingName": "onelogin"
          },
          "openIdConnectConfiguration": {
            "wellKnownOpenIdConfiguration": "https://snapcomms-dev.onelogin.com/oidc/2/.well-known/openid-configuration"
          }
        },
        "login": {
          "nameClaimType": "name",
          "scope": ["openid", "profile", "email"]
        }
      }
    },
    "login": {
      "tokenStore": {
        "enabled": true
      },
      "preserveUrlFragmentsForLogins": true
    },
    "httpSettings": {
      "requireHttps": true
    }
  }
}

And the error from the log stream

IIS Detailed Error - 500.74 - Internal Server Error

HTTP Error 500.74 - Internal Server Error
The page cannot be displayed because an internal server error has occurred.

Most likely causes:
- IIS received the request; however, an internal error occurred during the processing of the request. The root cause of this error depends on which module handles the request and what was happening in the worker process when this error occurred.
- IIS was not able to access the web.config file for the Web site or application. This can occur if the NTFS permissions are set incorrectly.
- IIS was not able to process configuration for the Web site or application.
- The authenticated user does not have permission to use this DLL.
- The request is mapped to a managed handler but the .NET Extensibility Feature is not installed.

Things you can try:
- Ensure that the NTFS permissions for the web.config file are correct and allow access to the Web server's machine account.
- Check the event logs to see if any additional information was logged.
- Verify the permissions for the DLL.
- Install the .NET Extensibility feature if the request is mapped to a managed handler.
- Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, see http://go.microsoft.com/fwlink/?LinkID=66439

Detailed Error Information:
Module:        EasyAuthModule_32bit
Notification:  BeginRequest
Handler:       ExtensionlessUrlHandler-Integrated-4.0
Error Code:    0x80004005
Requested URL: https://snapinf-admntlluke-test-use-as2:80/.auth/login/onelogin/callback?code=4ZZnAKFixx4BFYqh0CLBWkOsgZj&state=%2F
Physical Path: C:\home\site\wwwroot\.auth\login\onelogin\callback
Logon Method:  Not yet determined
Logon User:    Not yet determined

More Information:
This error means that there was a problem while processing the request. The request was received by the Web server, but during processing a fatal error occurred, causing the 500 error.
View more information: http://go.microsoft.com/fwlink/?LinkID=62293&IIS70Error=500,74,0x80004005,14393

Here is the output of the Chrome dev tools network tab: https://drive.google.com/file/d/1HCWsQH0Npasr4hxvxX-ooeg6QJQbCVzm/view?usp=sharing

Are there some onelogin settings that need to be configured for this to work?

Looking at your browser trace, I see you are using the authorization code grant and successfully getting an authorization code, so I'm guessing you may be running into a problem in the second part of the authorization, where your server attempts to exchange the authorization code for tokens. The first thing to check in the OneLogin app configuration is the Token Endpoint Authentication Method, found on the SSO tab of the app connector. The way your app/server performs the code exchange affects which setting the Token Endpoint Authentication Method should use. More information can be found here: https://developers.onelogin.com/openid-connect/api/authorization-code-grant
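As an added illustration (not part of the question or the answer above), the Python below shows the second leg the answer refers to: it reads token_endpoint_auth_methods_supported from the provider's discovery document and builds the code-for-token exchange request for client_secret_basic versus client_secret_post, the two request shapes the Token Endpoint Authentication Method setting has to match. The discovery document, client id, secret, code and redirect URI are constructed sample values; the real document is what the wellKnownOpenIdConfiguration URL in the App Service config returns.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Constructed sample discovery document (same shape as the real
# .well-known/openid-configuration response; values are made up).
DISCOVERY_DOC = json.dumps({
    "issuer": "https://example.onelogin.com/oidc/2",
    "authorization_endpoint": "https://example.onelogin.com/oidc/2/auth",
    "token_endpoint": "https://example.onelogin.com/oidc/2/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})


def supported_auth_methods(discovery_json: str) -> list:
    """Return the token endpoint auth methods the provider advertises.

    OIDC Discovery defines the default as client_secret_basic only when
    the key is absent, so a missing key is not "anything goes".
    """
    doc = json.loads(discovery_json)
    return doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])


def build_token_request(discovery_json: str, method: str, client_id: str,
                        client_secret: str, code: str, redirect_uri: str) -> dict:
    """Build the authorization-code exchange for the chosen client auth method.

    Returns url, headers and form body. Raises ValueError when the provider
    does not advertise `method`, which is the mismatch to look for when the
    callback fails after an authorization code was already issued.
    """
    doc = json.loads(discovery_json)
    methods = supported_auth_methods(discovery_json)
    if method not in methods:
        raise ValueError(f"{method} not advertised; provider offers {methods}")

    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: form-encode id and secret, then HTTP Basic.
        user_pass = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(user_pass.encode()).decode()
    elif method == "client_secret_post":
        # Credentials travel in the form body instead of a header.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"{method} is advertised but not handled by this example")
    return {"url": doc["token_endpoint"], "headers": headers, "body": urlencode(form)}
```

If the method your server sends is not in the advertised list, the token endpoint rejects the exchange even though the authorization code itself was valid, which is what the answer points at.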