Asp.net core 在azure kubernetes服务中运行aspnet core 3.1 MVC应用程序,并在azure应用程序网关后面使用oidc身份验证和Identity Server 4

Asp.net core 在azure kubernetes服务中运行aspnet core 3.1 MVC应用程序,并在azure应用程序网关后面使用oidc身份验证和Identity Server 4,asp.net-core,identityserver4,openid-connect,api-gateway,azure-aks,Asp.net Core,Identityserver4,Openid Connect,Api Gateway,Azure Aks,我正在azure的kubernetes服务中运行一个aspnet core 3.1 MVC应用程序。AKS位于应用程序网关后面。Azure Application Gateway入口控制器pod正在AKS中运行,我的部署、服务和入口配置如下所示: apiVersion: apps/v1 kind: Deployment metadata: creationTimestamp: null name: imagename namespace: namespacename spec:

我正在azure的kubernetes服务中运行一个aspnet core 3.1 MVC应用程序。AKS位于应用程序网关后面。Azure Application Gateway入口控制器pod正在AKS中运行,我的部署、服务和入口配置如下所示:

# Deployment for the ASP.NET Core 3.1 MVC app. TLS terminates at the Azure Application
# Gateway (see the Ingress annotations), so the pod only ever sees plain HTTP on port 80.
apiVersion: apps/v1
kind: Deployment
metadata:
  # creationTimestamp/status are artefacts of `kubectl ... --dry-run -o yaml`; harmless.
  creationTimestamp: null
  name: imagename
  namespace: namespacename
spec:
  replicas: 1
  selector:
    matchLabels:
      app: imagename
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: imagename
    spec:
      containers:
      - name: imagename
        # Supply-chain note: a mutable tag combined with imagePullPolicy Always means every pod
        # (re)start may pull a different build. Pin an immutable tag or a digest
        # (image@sha256:...) so the running image is reproducible and traceable to a scan/signature.
        image: acrname.azurecr.io/imagename:latest
        imagePullPolicy: Always
        ports:
        # Plain HTTP; the gateway handles HTTPS. The app compensates by forcing Request.Scheme
        # to https in Startup.Configure.
        - containerPort: 80
          name: http
        readinessProbe:
          httpGet:
            path: /probes  
            port: 80
          periodSeconds: 30
          timeoutSeconds: 3
        env:
        # Compared against "prd" in Startup.Configure to choose the error-handling branch.
        - name: ASPNETCORE_ENVIRONMENT
          value: "dev"
        resources:
          requests:
            cpu: 150m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 500Mi
        # NOTE(review): no securityContext is set, so the container runs with whatever user and
        # capabilities the base image defines — TODO confirm the image's user. Consider
        # runAsNonRoot / allowPrivilegeEscalation: false; binding port 80 as non-root would then
        # require a port >= 1024 (ASPNETCORE_URLS) or CAP_NET_BIND_SERVICE.
status: {}
---
# Service fronting the app pods. No `type` is given, so it defaults to ClusterIP and is
# reachable from any workload in the cluster, not only from the Application Gateway ingress.
# Startup.Configure trusts every caller to have arrived via the gateway (it forces the request
# scheme to https), so a NetworkPolicy restricting ingress to the gateway/AGIC source would
# be a sensible companion to this Service — TODO confirm cluster network policy support.
apiVersion: v1
kind: Service
metadata:
  name: imagename
  namespace: namespacename
spec:
  selector:
    app: imagename
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
---
# Ingress consumed by the Azure Application Gateway Ingress Controller (AGIC).
# NOTE(review): extensions/v1beta1 Ingress is deprecated and has been removed from newer
# Kubernetes releases (1.22+); migrate to networking.k8s.io/v1 (pathType + ingressClassName)
# before upgrading the cluster.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: imagename
  namespace: namespacename
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    # The /pathapp prefix is stripped before the request reaches the pod, so the app cannot
    # derive its public URL from the incoming path — hence the redirect URIs in Startup are
    # built from configuration.
    appgw.ingress.kubernetes.io/backend-path-prefix: "/"
    # Name of the certificate installed on the gateway. The gateway must hold the FULL chain
    # (leaf + intermediates): the accepted answer on this page traces the OIDC
    # "Correlation failed" error to a certificate exported without its certification path.
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: certificatename
    # HTTP -> HTTPS redirect is done by the gateway; the pod itself never redirects to https.
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
  - host: exampledomain.com.br
    http:
      paths:
      - path: /pathapp/*
        backend:
          serviceName: imagename
          servicePort: 80
身份服务器pod已经在AKS中运行,身份验证过程对于承载方案工作正常

对于 Cookies 方案，应用程序可以通过 Identity Server（再经由 Azure AD）完成身份验证，但在重定向回应用程序 pod 的 /signin-oidc 回调端点时，我遇到了 404 错误。应用程序的 pod 日志显示：

执行请求时发生未经处理的异常。System.Exception: An error was encountered while handling the remote login. ---> System.Exception: Correlation failed. --- 内部异常堆栈跟踪的结束 ---（“Correlation failed” 是 ASP.NET Core 远程身份验证处理程序的通用错误：重定向到身份提供者之前下发的关联 cookie，在回调请求中没有被带回或校验失败。）

（原帖此处引用的一篇文章，链接在页面中已丢失）中的说明已在应用程序中实现。

重定向至应用程序 pod 的 /signin-oidc 的完整过程如下图所示（截图未随页面保留）：

这是我的 Startup 类：

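public class Startup
    {
        // Value of ASPNETCORE_ENVIRONMENT that denotes production (the deployment manifest sets "dev").
        private const string NomeAmbienteProducao = "prd";

        public Startup(IConfiguration configuration)
        {
            Configuracao = configuration;
        }

        public IConfiguration Configuracao { get; }

        /// <summary>
        /// Registers telemetry, MVC/Razor, forwarded-header options and the cookie + OpenID Connect
        /// authentication pair used by the app while it runs behind Azure Application Gateway.
        /// </summary>
        /// <param name="servicos">The host's service collection.</param>
        public void ConfigureServices(IServiceCollection servicos)
        {
            servicos.AddApplicationInsightsTelemetry(Configuracao.GetValue<string>("ApplicationInsights:InstrumentationKey"));
            //servicos.AddAICustomizado(Configuracao);

            servicos.AddControllersWithViews();
            servicos.Configure<ForwardedHeadersOptions>(options =>
            {
                // NOTE(review): KnownProxies/KnownNetworks are left at their loopback defaults, so the
                // forwarded-headers middleware only honours these headers from a loopback peer. The
                // gateway is not loopback, which is presumably why Configure() forces Request.Scheme to
                // "https" by hand. If the gateway subnet is ever added to KnownNetworks, do NOT also
                // clear the lists on a pod that can be reached directly: X-Forwarded-For would then be
                // attacker-controlled.
                options.ForwardedHeaders = ForwardedHeaders.XForwardedFor |
                    ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost;
            });
            // Runtime Razor compilation is a development convenience; it is registered unconditionally here.
            servicos.AddRazorPages().AddRazorRuntimeCompilation();
            //servicos.AddMvcCustomizado();

            ConfigurarAutenticacao(servicos);

            servicos.AddAuthorization();
            //servicos.AddAutenticacaoCustomizada(Configuracao);
        }

        /// <summary>
        /// Cookie sign-in scheme + OpenID Connect challenge scheme against IdentityServer.
        /// </summary>
        private void ConfigurarAutenticacao(IServiceCollection servicos)
        {
            servicos.AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
            {
                options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.Authority = Configuracao.GetValue<string>("Autenticacao:IdentityServer:UrlBase");
                options.ClientId = "clientimplicit";

                // Implicit flow ("id_token token"). The original code first assigned
                // OpenIdConnectResponseType.Code and then overwrote it with this value; the dead
                // assignment is removed so the effective flow is visible. The client registration on
                // IdentityServer is presumably set up for this grant, so the value is kept. Be aware
                // the implicit flow is deprecated by the OAuth 2.0 Security BCP (tokens are returned in
                // the front channel); moving to "code" + PKCE also requires changing the IdentityServer
                // client, so it is deliberately not done here.
                options.ResponseType = "id_token token";

                // SaveTokens persists the id_token and access token inside the authentication cookie;
                // keep the requested scopes minimal and the cookie HttpOnly/Secure (the defaults).
                options.SaveTokens = true;
                options.Scope.Clear();
                options.Scope.Add("openid");
                options.Scope.Add("Scope2");
                options.Scope.Add("Scope3");
                options.UseTokenLifetime = true;

                // Allows the discovery document / JWKS to be fetched over plain HTTP. That is only
                // acceptable when the authority URL is an in-cluster address that cannot be reached or
                // spoofed from outside; set this to true for any authority on a network you do not control.
                options.RequireHttpsMetadata = false;

                // The public host name and the /pathapp prefix are only known to the gateway, so the
                // redirect URIs are built from configuration rather than from the incoming request.
                options.Events.OnRedirectToIdentityProvider = n =>
                {
                    n.ProtocolMessage.RedirectUri = $"{Configuracao.GetValue<string>("Autenticacao:RedirectUri:UrlBase")}signin-oidc";
                    return Task.CompletedTask;
                };
                options.Events.OnRedirectToIdentityProviderForSignOut = n =>
                {
                    n.ProtocolMessage.PostLogoutRedirectUri = $"{Configuracao.GetValue<string>("Autenticacao:RedirectUri:UrlBase")}signout-callback-oidc";
                    return Task.CompletedTask;
                };
            });
        }

        /// <summary>True when the host environment name is the production name ("prd"), compared ordinally.</summary>
        private static bool EhProducao(IWebHostEnvironment env) =>
            env.EnvironmentName.Equals(NomeAmbienteProducao, System.StringComparison.OrdinalIgnoreCase);

        /// <summary>
        /// Builds the request pipeline. Order matters: scheme fix-up and forwarded headers first,
        /// then error handling, static files, routing, authentication and endpoints.
        /// </summary>
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            // TLS is terminated by the Application Gateway and the pod only receives plain HTTP, so the
            // scheme is forced to https. This makes the auth handlers issue Secure cookies and https
            // callback URLs, but it also trusts EVERY caller to have come through the gateway: the pod
            // must not be reachable on a path that bypasses it (see the Service/NetworkPolicy note).
            app.Use((context, next) =>
            {
                context.Request.Scheme = "https";
                return next();
            });

            app.UseForwardedHeaders();

            // FIX: the original condition was inverted — the developer exception page (stack traces,
            // headers, routing data) was enabled only in "prd", while the generic error handler and HSTS
            // applied everywhere else. Production now gets the error handler + HSTS and every other
            // environment the developer page, matching the ASP.NET Core template.
            if (EhProducao(env))
            {
                app.UseExceptionHandler("/Home/Error");
                app.UseHsts();
            }
            else
            {
                app.UseDeveloperExceptionPage();
            }

            // Not needed: HTTP->HTTPS redirection is done by the gateway (ssl-redirect annotation).
            //app.UseHttpsRedirection();

            app.UseStaticFiles();

            app.UseRouting();

            // Project extension; presumably wires UseAuthentication/UseAuthorization — not visible here.
            app.UseAutenticacaoCustomizada();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllerRoute(
                    name: "default",
                    pattern: "{controller=cliente}/{action=index}/");
            });
            //app.UseMvcCustomizado(env);
        }
    }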
公共类启动
{
公共启动(IConfiguration配置)
{
配置=配置;
}
公共IConfiguration配置{get;}
公共无效配置服务(IServiceCollection服务)
{
servicicos.AddApplicationInsightsTelemetry(Configuracao.GetValue(“ApplicationInsights:InstrumentationKey”);
//服务公司AddAICustomizado(配置);
servicicos.addcontrollerswithview();
servicos.Configure(选项=>
{
options.ForwardedHeaders=ForwardedHeaders.XForwardedFor|
ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost;
});
servicos.AddRazorPages().AddRazorRuntimeCompilation();
//servicos.AddMvcCustomizado();
servicos.AddAuthentication(选项=>
{
options.DefaultScheme=CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme=OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme,选项=>
{
options.signnscheme=CookieAuthenticationDefaults.AuthenticationScheme;
options.ResponseType=OpenIdConnectResponseType.Code;
options.Authority=Configuracao.GetValue(“Autenticacao:IdentityServer:UrlBase”);
options.ClientId=“clientimplicit”;
options.ResponseType = "id_token token";
options.SaveTokens=true;
options.Scope.Clear();
options.Scope.Add(“openid”);
选项。范围。添加(“范围2”);
选项。范围。添加(“范围3”);
options.UseTokenLifetime=true;
options.RequireHttpsMetadata=false;
options.Events.OnRedirectToIdentityProvider=异步n=>
{
n.ProtocolMessage.RedirectUri = $"{Configuracao.GetValue<string>("Autenticacao:RedirectUri:UrlBase")}signin-oidc";
等待任务。从结果(0);
};
options.Events.OnRedirectToIdentityProviderForSignOut=async n=>
{
n.ProtocolMessage.PostLogoutRedirectUri = $"{Configuracao.GetValue<string>("Autenticacao:RedirectUri:UrlBase")}signout-callback-oidc";
等待任务。从结果(0);
};
});
servicos.AddAuthorization();
//servicos.AddAutenticacaoCustomizada(Configuracao);
}
public void配置(IApplicationBuilder应用程序、IWebHostEnvironment环境)
{
应用程序使用((上下文,下一步)=>
{
context.Request.Scheme=“https”;
返回next();
});
app.UseForwardedHeaders();
if(env.EnvironmentName.Equals(“prd”,System.StringComparison.CurrentCultureIgnoreCase))
{
app.UseDeveloperExceptionPage();
}
其他的
{
app.UseExceptionHandler(“/Home/Error”);
app.UseHsts();
}
//app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.useautenticacocustomizada();
app.UseEndpoints(端点=>
{
endpoints.MapControllerRoute(
名称:“默认”,
模式:“{controller=cliente}/{action=index}/”;
});
//附录USEMVCUSTOMIZADO(环境);
}
}

有人能帮我解决这个 “Correlation failed”（关联失败）错误吗？

所以,经过一些努力,我终于找到了解决方案

整个问题都与绑定到我的 Azure 应用程序网关上的那张证书的 SSL 证书链有关：网关上只安装了叶子证书，缺少中间证书。（原帖没有说明证书链不完整与关联 cookie 丢失之间的具体因果关系；修复后仍应确认应用以 Secure 属性下发关联 cookie —— 这正是 Startup 中把请求方案强制为 https 的原因。）

有人以错误的方式导出它,但未包括证书路径:

上图（截图未随页面保留）是在 Windows Server 上导出证书时需要选中的复选框，即 “如果可能，则包括证书路径中的所有证书”（Include all certificates in the certification path if possible）。

要检查网关上的证书链是否完整，请在 Git Bash（原文截断为 “gi”，且后面的命令在页面中丢失；通常使用 `openssl s_client -connect <网关主机名>:443 -showcerts`）中运行下面的命令，并确认输出中包含全部中间证书：