Asp.net web api OWIN-清除无效的WSFederation Cookie
我使用ADFS cookie身份验证实现了一个ASP.NETWebAPI2项目,并将其托管在IIS上。一切正常 但是,一些客户端已获得旧cookie,由于配置更改而变得无效。调用my API时,此类Cookie会导致以下错误:Asp.net web api OWIN-清除无效的WSFederation Cookie,asp.net-web-api,owin,adfs,ws-federation,owin-middleware,Asp.net Web Api,Owin,Adfs,Ws Federation,Owin Middleware,我使用ADFS cookie身份验证实现了一个ASP.NETWebAPI2项目,并将其托管在IIS上。一切正常 但是,一些客户端已获得旧cookie,由于配置更改而变得无效。调用my API时,此类Cookie会导致以下错误: [CryptographicException: Key not valid for use in specified state. ] System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encr
[CryptographicException: Key not valid for use in specified state.
]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +447
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +49
[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +329
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +167
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +826
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +92
System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +569
System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +306
System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +159
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +142
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +92
显而易见的解决办法是清除cookies。但是,将来我可能会再次更改Cookie配置,因此我希望自动从API中清除所有无效的Cookie
我尝试添加一个自定义OWIN中间件并重写IEExceptionHandler
以下是我的WIF配置:
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="https://my.web-api.com" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="ADFS">
<keys>
<add thumbprint="--a thumbprint--" />
</keys>
<validIssuers>
<add name="http://my.adfs.com/adfs/services/trust" />
</validIssuers>
</authority>
</issuerNameRegistry>
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<wsFederation issuer="https://my.adfs.com/adfs/ls" realm="https://my.web-api.com" requireHttps="true" passiveRedirectEnabled="false"
persistentCookiesOnPassiveRedirects="true" />
<cookieHandler name="my.cookie" path="/" persistentSessionLifetime="7.0:0:0" />
<serviceCertificate>
<certificateReference x509FindType="FindBySubjectName" findValue="my.web-api.com" storeLocation="LocalMachine" storeName="My" />
</serviceCertificate>
</federationConfiguration>
</system.identityModel.services>
无论CryptographicExceptionHandler
和ClearInvalidCookiesMiddleware
中包含什么,它们的代码都不会被调用,我会得到500个错误。我还尝试在UseWebApi
之前移动ClearInvalidCookies中间件
我的目标是添加Set Cookie
响应头以清除无效Cookie并返回401或重定向
在这种情况下,如何使OWIN自定义响应?解决方案似乎覆盖了SessionAuthenticationModule.OnAuthenticateRequest
并在异常情况下调用SignOut()
:
class ClearInvalidCookiesSessionAuthenticationModule : SessionAuthenticationModule
{
protected override void OnAuthenticateRequest(object sender, EventArgs eventArgs)
{
try
{
base.OnAuthenticateRequest(sender, eventArgs);
}
catch(InvalidOperationException ex) when (ex.InnerException is CryptographicException) // Invalid cookie signing key
{
SignOut();
}
catch(System.Xml.XmlException) // Invalid cookie structure
{
SignOut();
}
}
}
要使用继承的类而不是默认类,应在Web.config中插入以下行:
<system.webServer>
<modules ...>
<!-- Insert the line below or replace existing SessionAuthenticationModule -->
<add name="SessionAuthenticationModule" preCondition="managedHandler"
type="MyNamespace.ClearInvalidCookiesSessionAuthenticationModule, MyAssembly" />
...
</modules>
...
</system.webServer>
...
...
<system.webServer>
<modules ...>
<!-- Insert the line below or replace existing SessionAuthenticationModule -->
<add name="SessionAuthenticationModule" preCondition="managedHandler"
type="MyNamespace.ClearInvalidCookiesSessionAuthenticationModule, MyAssembly" />
...
</modules>
...
</system.webServer>