Azure AD Open ID Connect OAuth 2.0 in ASP.NET Web APP and Web API Infinite redirect loop


Title: Azure AD Open ID Connect OAuth 2.0 in ASP.NET Web APP and Web API Infinite redirect loop
Posted: 2020-07-08 13:14:17

Problem description:

An ASP.NET web application that signs in personal accounts as well as work and school accounts from any Azure Active Directory (Azure AD) instance.

OWIN middleware NuGet packages:

Install-Package Microsoft.Owin.Security.OpenIdConnect
Install-Package Microsoft.Owin.Security.Cookies
Install-Package Microsoft.Owin.Host.SystemWeb

OWIN Startup class: the OWIN middleware uses a startup class that runs when the hosting process initializes. In this quickstart, the startup.cs file is in the root folder. The following code shows the parameters used by this quickstart:

// Using directives the snippet needs (Katana 4.x with Microsoft.IdentityModel 5.x)
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// clientId, authority and redirectUri are fields of the Startup class read from web.config;
// OnAuthenticationFailed is the notification handler defined elsewhere in the same class.
public void Configuration(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // Sets the ClientId, authority, RedirectUri as obtained from web.config
            ClientId = clientId,
            Authority = authority,
            RedirectUri = redirectUri,
            // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it is using the home page
            PostLogoutRedirectUri = redirectUri,
            Scope = OpenIdConnectScope.OpenIdProfile,
            // ResponseType is set to request the id_token - which contains basic information about the signed-in user
            ResponseType = OpenIdConnectResponseType.IdToken,
            // ValidateIssuer set to false to allow personal and work accounts from any organization to sign in to your application
            // To only allow users from a single organizations, set ValidateIssuer to true and 'tenant' setting in web.config to the tenant name
            // To allow users from only a list of specific organizations, set ValidateIssuer to true and use ValidIssuers parameter
            TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateIssuer = false // Simplification (see note below)
            },
            // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = OnAuthenticationFailed
            }
        }
    );
}

ASP.NET MVC / Web API

// You can force a user to sign in by requesting an authentication challenge in your controller:
public void SignIn()
{
    if (!Request.IsAuthenticated)
    {
        HttpContext.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = "/" },
            OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }
}

ASP.NET Web Forms:

protected void Login_click(object sender, EventArgs e)
{
    if (!Request.IsAuthenticated)
    {
        HttpContext.Current.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = "/" },
            OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }
}


Answer 1:

This issue has been fixed in ASP.NET Core and in newer versions of Katana OWIN for ASP.NET. To resolve it, you can upgrade the application to ASP.NET Core. If you must stay on ASP.NET, do the following:

Update the application's Microsoft.Owin.Host.SystemWeb package to at least version 3.1.0.0 and modify your code to use one of the new cookie manager classes, for example:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies",
    CookieManager = new Microsoft.Owin.Host.SystemWeb.SystemWebChunkingCookieManager()
});
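The answer's fix applied to the question's own Startup, as an added example that is not code from the question, the answer or the Microsoft quickstart. The loop occurs when the sign-in cookie written by the OWIN cookie middleware is lost in the System.Web host, so the app sees an unauthenticated request and challenges again; the example assumes Katana 4.x namespaces, that clientId/authority/redirectUri come from web.config appSettings, and that OpenIdConnectAuthenticationOptions exposes a CookieManager property (Katana 3.1+) for the nonce cookie.

```csharp
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Assumed to come from web.config appSettings, as the question's comment says.
    static readonly string clientId = ConfigurationManager.AppSettings["ClientId"];
    static readonly string authority = ConfigurationManager.AppSettings["Authority"];
    static readonly string redirectUri = ConfigurationManager.AppSettings["RedirectUri"];
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        // The answer's fix: write cookies through System.Web's cookie collection so the
        // sign-in cookie survives the redirect back and the app stops re-challenging.
        var cookieManager = new SystemWebChunkingCookieManager();
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            CookieManager = cookieManager
        });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            RedirectUri = redirectUri,
            Scope = OpenIdConnectScope.OpenIdProfile,
            ResponseType = OpenIdConnectResponseType.IdToken,
            // Assumption: the same manager also carries the middleware's nonce cookie.
            CookieManager = cookieManager,
            TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false },
            Notifications = new OpenIdConnectAuthenticationNotifications { AuthenticationFailed = OnAuthenticationFailed }
        });
    }

    // Take over a failed sign-in: trace the exception type and show an error page instead of
    // a bare 500, so a dropped nonce or correlation cookie is visible in the log.
    static Task OnAuthenticationFailed(
        AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> ctx)
    {
        ctx.HandleResponse();
        System.Diagnostics.Trace.TraceError("OIDC sign-in failed: " + ctx.Exception.GetType().Name);
        ctx.Response.Redirect("/Error");
        return Task.FromResult(0);
    }
}
```

After deploying, confirm in the browser's developer tools that the Set-Cookie header for the "Cookies" authentication cookie is present on the response that completes sign-in; if it is still missing, the package upgrade to 3.1.0.0 or later has not taken effect.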

