当用户的 AD 身份验证失败时如何导航到自定义访问被拒绝页面(.net 3.1 核心与 OpenIDConnect Azure AD 身份验证)

Posted

技术标签:

【中文标题】当用户的 AD 身份验证失败时如何导航到自定义访问被拒绝页面(.net 3.1 核心与 OpenIDConnect Azure AD 身份验证)【英文标题】:How to Navigate to Custom Access Denied Page when AD Authentication failed for user (.net 3.1 core with OpenIDConnect Azure AD Authentication) 【发布时间】:2020-12-23 01:52:16 【问题描述】:

我有一个 .Net core 3.1 Web 应用程序,通过在 Azure 中设置应用服务注册并分配用户来实现 AD 身份验证。现在,当未经授权的用户尝试访问应用程序时,AD 身份验证失败并进入 OPENIDConnect 异常页面。但我只需要在我的应用程序中将用户导航到自定义页面 AccessDenied 页面。

预期:当用户未通过身份验证时。他应该导航到 /Home/AccessDeined Page。

实际: 例外页面: Signin-Oidc Exception Page

Startup.cs

    public void ConfigureServices(IServiceCollection services)
    
        services.Configure<CookiePolicyOptions>(options =>
        
            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;                 
        );

       

        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => Configuration.Bind("AzureAd", options));

        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
        
            options.Authority = options.Authority + "/v2.0/";
            options.TokenValidationParameters.ValidateIssuer = false;
            //options.AccessDeniedPath = new PathString("/Home/AccessDenied");
            options.ResponseType = "id_token code";
            options.Events.OnAuthenticationFailed = context =>
            

                context.Response.Redirect("/Home/AccessDenied");
                context.HandleResponse();

                return Task.FromResult(0);
            ;                
        );

        services.AddControllersWithViews();
        services.AddHttpClient();


        services.AddSession();
        //services.Configure<CookieTempDataProviderOptions>(options =>
        //
        //    options.Cookie.IsEssential = true;
        //);

        services.AddMvc(options =>
        
            var policy = new AuthorizationPolicyBuilder()
                            .RequireAuthenticatedUser()
                            .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        );           

        services.AddLogging();
        services.AddProgressiveWebApp();
    

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerFactory loggerFactory)
    
        if (env.IsDevelopment())
        
            app.UseDeveloperExceptionPage();
        
        else
        
            app.UseExceptionHandler("/Home/Error");
            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseCookiePolicy();
        app.UseRouting();

        app.UseAuthentication();
        app.UseAuthorization();
        app.UseSession();
        app.UseEndpoints(endpoints =>
        
            endpoints.MapRazorPages();
            endpoints.MapControllers();
           

            endpoints.MapControllerRoute(
                name: "default",
                pattern: "controller=Home/action=Index/id?");
        );
    

Appsettings.Json

"AzureAd": 
"Instance": "https://login.microsoftonline.com/",
"Domain": "XXXXXXXXX",
"TenantId": "XXXXXXXXXXXXXXXXXXXXX",
"ClientId": "XXXXXXXXXXXXXXXXXXXXXX",
"ClientSecret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"CallbackPath": "/signin-oidc"

,

HomeController.cs

[AllowAnonymous]
    public IActionResult AccessDenied()
    
        return View();
    

【问题讨论】:

【参考方案1】:

Startups.cs 中指定CookieAuthenticationOptions 的路径将起作用。请使用以下代码并在 PathString 中定义您的路径

services.Configure<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme, options => 
    options.AccessDeniedPath = new PathString("/Home/CustomAccessDenied");
);

【讨论】:

以上是关于当用户的 AD 身份验证失败时如何导航到自定义访问被拒绝页面(.net 3.1 核心与 OpenIDConnect Azure AD 身份验证)的主要内容,如果未能解决你的问题,请参考以下文章

Azure AD:50155 设备身份验证失败

如果匿名用户无权访问 URL,如何将他们重定向到自定义页面而不是登录页面?

将 FirebaseUser 映射到自定义用户对象

如何配置 Azure AD 访问令牌的过期时间(使用 ADAL)?

使用 Azure AD 承载令牌时身份验证失败,返回容器列表 [Azure Blob] [Azure AD OAuth 2.0] [REST API]

Blazor 使用 Azure AD 身份验证允许匿名访问