Can't get OpenID auth working with Onelogin and Azure web apps

Posted: 2021-10-30 11:46:51

Question:

Microsoft supports OpenID Connect as an authentication provider for web apps: https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-openid-connect

This works fine with auth0, but with onelogin, after logging in I get the error "The page cannot be displayed because an internal server error has occurred." in the browser.

Here is my configuration


{
  "platform": {
    "enabled": true
  },
  "globalValidation": {
    "requireAuthentication": true,
    "unauthenticatedClientAction": "RedirectToLoginPage",
    "redirectToProvider": "onelogin",
    "excludedPaths": []
  },
  "identityProviders": {
    "openIdConnectProviders": {
      "onelogin": {
        "enabled": true,
        "registration": {
          "clientId": "2a55cc10-ec26-0139-d4f3-063fe3b18f59195700",
          "clientCredential": {
            "secretSettingName": "onelogin"
          },
          "openIdConnectConfiguration": {
            "wellKnownOpenIdConfiguration": "https://snapcomms-dev.onelogin.com/oidc/2/.well-known/openid-configuration"
          }
        },
        "login": {
          "nameClaimType": "name",
          "scope": ["openid", "profile", "email"]
        }
      }
    }
  },
  "login": {
    "tokenStore": {
      "enabled": true
    },
    "preserveUrlFragmentsForLogins": true
  },
  "httpSettings": {
    "requireHttps": true
  }
}

and the error from the log stream

    IIS Detailed Error - 500.74 - Internal Server Error
    HTTP Error 500.74 - Internal Server Error
    The page cannot be displayed because an internal server error has occurred.

    Detailed Error Information:
    Module:         EasyAuthModule_32bit
    Notification:   BeginRequest
    Handler:        ExtensionlessUrlHandler-Integrated-4.0
    Error Code:     0x80004005
    Requested URL:  https://snapinf-admntlluke-test-use-as2:80/.auth/login/onelogin/callback?code=4ZZnAKFixx4BFYqh0CLBWkOsgZj&state=%2F
    Physical Path:  C:\home\site\wwwroot\.auth\login\onelogin\callback
    Logon Method:   Not yet determined
    Logon User:     Not yet determined

    More Information: This error means that there was a problem while processing the request. The request was received by the Web server, but during processing a fatal error occurred, causing the 500 error.
    http://go.microsoft.com/fwlink/?LinkID=62293&IIS70Error=500,74,0x80004005,14393

Here is the output of the Chrome dev tools Network tab: https://drive.google.com/file/d/1HCWsQH0Npasr4hxvxX-ooeg6QJQbCVzm/view?usp=sharing

Do I need to set some login settings to make this work?

Comments:

Answer 1:

Looking at your browser trace, I can see that you are using the authorization code grant and successfully obtaining an authorization code, so I'm guessing you may be running into trouble with the second part of the grant, where your server tries to exchange the authorization code for tokens. The first thing to check in the OneLogin app configuration is the Token Endpoint Authentication Method, found on the SSO tab of the application connector. How your app/server performs the code exchange will affect which setting the Token Endpoint Authentication Method should use. More information can be found here: https://developers.onelogin.com/openid-connect/api/authorization-code-grant

Comments:

I changed it from Basic to POST and now it works! :-)
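The answer above turns on how the relying party authenticates to the token endpoint during the code exchange. The following is an added example, not code from the question or from Azure App Service or OneLogin, showing the two token requests that correspond to the "Basic" and "POST" settings (OIDC `client_secret_basic` versus `client_secret_post`) and a check against the provider's discovery document; the endpoint, client id, secret and code values are constructed placeholders.

```python
import base64
from urllib.parse import quote, urlencode

# Constructed placeholder values; nothing here is a real credential.
TOKEN_ENDPOINT = "https://idp.example.com/oidc/2/token"
REDIRECT_URI = "https://app.example.com/.auth/login/onelogin/callback"


def build_token_request(method, client_id, client_secret, code, redirect_uri):
    """Return (headers, form_body) for an authorization-code exchange.

    method is the OIDC token_endpoint_auth_method the client uses:
      client_secret_basic -> credentials in an HTTP Basic Authorization header
      client_secret_post  -> credentials as client_id/client_secret form fields
    The provider must be configured for the same method, otherwise the
    exchange is rejected even though the authorization code itself was valid.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-encode id and secret before base64.
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported token_endpoint_auth_method: {method}")
    return headers, urlencode(form)


def method_supported(discovery_doc, method):
    """True if the provider's .well-known/openid-configuration advertises
    the method. Per OIDC Discovery, an absent
    token_endpoint_auth_methods_supported means client_secret_basic only."""
    supported = discovery_doc.get(
        "token_endpoint_auth_methods_supported", ["client_secret_basic"]
    )
    return method in supported


if __name__ == "__main__":
    hdrs, body = build_token_request(
        "client_secret_post", "cid", "sec", "code-placeholder", REDIRECT_URI)
    print(TOKEN_ENDPOINT, hdrs, body)
```

Comparing the two requests side by side makes the failure mode visible: a client sending `client_secret_post` to a provider expecting Basic (or vice versa) gets an error on the `/callback` leg, after the redirect with a valid `code`, which is exactly where the 500 in the question appears.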
