如何解决来自RemoteAuthentication的错误:OpenIdConnectAuthenticationHandler:message.State为null或为空
来自RemoteAuthentication的错误:OpenIdConnectAuthenticationHandler:message.State为null或为空 ..即使成功获取代码,id_token和令牌后,也是如此。
我正在将Razor页面与.netcore一起使用,并且已在startup.cs中注册了所需的中间件,您将在下面找到它。
配置服务功能
public void ConfigureServices(IServiceCollection services)
{
RegisterRazorPages(services);
RegisterCoreServices(services);
RegisterDataServices(services);
RegisterVersioningServices(services);
RegisterAntiforegery(services);
}
private void RegisterCoreServices(IServiceCollection services)
{
services.AddSingleton(Configuration);
services.AddControllers(opts =>
{
opts.ModelBinderProviders.Insert(0,new DateTimeModelBinderProvider());
opts.RequireHttpsPermanent = true;
})
.AddNewtonsoftJson(opts =>
{
opts.SerializerSettings.DateFormatString = "yyyyMMdd";
opts.SerializerSettings.DateTimeZoneHandling = DateTimeZoneHandling.Utc;
});
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
// Add authentication services
services.AddAuthentication(options => {
//options.DefaultAuthenticateScheme = OpenIdConnectDefaults.AuthenticationScheme;
//options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme,options =>
{
options.Cookie.SameSite = SameSiteMode.None;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
options.Cookie.IsEssential = true;
})
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme,options => {
//options.SignInScheme = "Cookies";
// Set the authority to your Auth0 domain
options.Authority = $"https://{Configuration["OpenIdConnect:Domain"]}";
options.RequireHttpsMetadata = true;
options.MetadataAddress = $"https://{Configuration["OpenIdConnect:Domain"]}/.well-known/openid-configuration";
options.UseTokenLifetime = true;
// Configure the Auth0 Client ID and Client Secret
options.ClientId = Configuration["OpenIdConnect:ClientId"];
options.ClientSecret = Configuration["OpenIdConnect:ClientSecret"];
// Set response type to code
options.ResponseType = OpenIdConnectResponseType.CodeIdTokenToken;
options.AuthenticationMethod = OpenIdConnectRedirectBehavior.RedirectGet;
options.GetClaimsFromUserInfoEndpoint = true;
options.UsePkce = true;
// Configure the scope
options.Scope.Clear();
options.Scope.Add("openid");
//options.Scope.Add("profile");
options.Scope.Add("siam");
options.SecurityTokenValidator = new JwtSecurityTokenHandler
{
// Disable the built-in JWT claims mapping feature.
InboundClaimTypeMap = new Dictionary<string,string>()
};
options.TokenValidationParameters.NameClaimType = "name";
options.TokenValidationParameters.RoleClaimType = "role";
// Set the callback path,so Auth0 will call back to http://localhost:3000/callback
// Also ensure that you have added the URL as an Allowed Callback URL in your Auth0 dashboard
options.CallbackPath = new PathString("/Default");
// Configure the Claims Issuer to be Auth0
options.ClaimsIssuer = OpenIdConnectDefaults.AuthenticationScheme;
options.SaveTokens = true;
options.Events = new OpenIdConnectEvents
{
OnRedirectToIdentityProvider = context =>
{
context.ProtocolMessage.SetParameter("audience","http://localhost:3000/");
return Task.FromResult(0);
},// handle the logout redirection
OnRedirectToIdentityProviderForSignOut = (context) =>
{
var logoutUri = $"https://{Configuration["Siam:Domain"]}/v2/logout?client_id={Configuration["Siam:ClientId"]}";
var postLogoutUri = context.Properties.RedirectUri;
if (!string.IsNullOrEmpty(postLogoutUri))
{
if (postLogoutUri.StartsWith("/"))
{
// transform to absolute
var request = context.Request;
postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri;
}
logoutUri += $"&returnTo={ Uri.EscapeDataString(postLogoutUri)}";
}
context.Response.Redirect(logoutUri);
context.HandleResponse();
return Task.CompletedTask;
}
};
});
services.AddAuthorization();
services.AddHttpClient();
services.AddHealthChecks()
.AddCheck<AuthEndpointCheck>("auth_endpoint_check")
.AddCheck<DbHealthCheck>("db_health_check");
}
配置功能
public void Configure(IApplicationBuilder app,IWebHostEnvironment env,IApiVersionDescriptionProvider apiVersionDescriptionProvider)
{
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
RequireHeaderSymmetry = false,ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseErrorHandlingMiddleware();
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy();
//app.UseCookiePolicy(new CookiePolicyOptions()
//{
// HttpOnly = HttpOnlyPolicy.Always,// Secure = CookieSecurePolicy.Always,// MinimumSameSitePolicy = SameSiteMode.Strict
//});
app.UseRouting();
// keep both between UseRouting() and UseEndpoints()
app.UseAuthentication();
app.UseAuthorization();
app.UseHttpMetrics(options =>
{
options.RequestDuration.Histogram = Metrics.CreateHistogram("CCR_http_request_duration_seconds",string.Empty,new HistogramConfiguration
{
Buckets = Histogram.LinearBuckets(
start: Convert.ToDouble(Configuration["Prometheus:Start"]),width: Convert.ToDouble(Configuration["Prometheus:Width"]),count: Convert.ToInt32(Configuration["Prometheus:Count"])),LabelNames = new[] { "code","method" }
});
});
app.UseMetricServer();
app.UseSitHealthChecks();
app.UseSwagger();
app.UseSwaggerUI(opts =>
{
// build a swagger endpoint for each discovered API version
foreach (var description in apiVersionDescriptionProvider.ApiVersionDescriptions)
{
opts.SwaggerEndpoint($"/swagger/{description.GroupName}/swagger.json",description.GroupName.ToUpperInvariant());
}
opts.RoutePrefix = string.Empty;
});
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers().RequireAuthorization();
endpoints.MapHealthChecks("/hc",new HealthCheckOptions() { }).RequireAuthorization();
endpoints.MapMetrics().RequireAuthorization();
endpoints.MapRazorPages();
});
IdentityModelEventSource.ShowPII = true;
}
问题描述 在startup.cs文件中,我已将回调URL设置为受保护的主页。声明应用程序后,它将对oauth进行挑战,这是indexPage的质询代码。完成此挑战后,该页面应重定向到默认页面,该页面是应用程序的主页,并受到保护。
public async Task OnGetAsync()
{
if (User.Identity.IsAuthenticated)
{
string accessToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);
// if you need to check the Access Token expiration time,use this value
// provided on the authorization response and stored.
// do not attempt to inspect/decode the access token
DateTime accessTokenExpiresAt = DateTime.Parse(
await HttpContext.GetTokenAsync("expires_at"),CultureInfo.InvariantCulture,DateTimeStyles.RoundtripKind);
string idToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.IdToken);
}
else
{
string accessToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);
string returnUrl = "/Default";
await HttpContext.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme,new AuthenticationProperties() { RedirectUri = returnUrl });
//Challenge(OpenIdConnectDefaults.AuthenticationScheme);
}
}
,并在响应中从浏览器中生成了以下输出。
在第4次通话中,我得到了id_token,令牌和代码作为响应,并且在该应用重定向到第5次通话中提到的/ Default路由之后,在第6次通话中又出现了一些我不理解的重定向occus。
在第6个通话中,我失去了所有参数,并且我不再有cookie。然后,日志显示以下异常。
2020-08-17 14:38:11.337 +02:00 [INF] Error from RemoteAuthentication: OpenIdConnectAuthenticationHandler: message.State is null or empty..
2020-08-17 14:38:11.381 +02:00 [ERR] An error was encountered while handling the remote login.
System.Exception: An error was encountered while handling the remote login.
---> System.Exception: OpenIdConnectAuthenticationHandler: message.State is null or empty.
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at SIT.WebApi.Infrastructure.Middleware.ErrorHandlingMiddleware.Invoke(HttpContext context)
2020-08-17 14:38:11.397 +02:00 [INF] Request finished in 62.128ms 500 application/json
问题
- 为什么我的服务器自动运行时,我需要提供 callback 网址
在点击
后重定向和验证用户 授权端点。服务器正在使用kerberos Windows
身份验证。 - startup.cs中的回调 url和索引页中的 redirect url有什么区别。
- 如果我没有提到回调URL,默认情况下,我的应用将重定向到 / signin-oidc 路由,为什么?
- 我应该如何克服这个错误?
- 获取令牌,代码和id_token等后,如何将用户信息存储到HttpContext.User中。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。