C# OWIN OpenId authentication - active session after logout
I have implemented a mix of ASP.NET cookie authentication and OWIN OpenId authentication in my application. I am trying to fix a security vulnerability where the session is not invalidated even after logout.

Middleware implementation:

```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
});

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ClientId = clientId,
    Authority = authority,
});
```

I am capturing the traffic in Fiddler and clicking "Logout" on the web page. When I re-issue the captured request from Fiddler it completes successfully, and in the HttpModule Application.User.Identity.IsAuthenticated is true.

I have a few questions:
When logging out of the application you must also log out of the Identity server. Otherwise your application will redirect to the identity server, re-authenticate and sign you in again. Check the following snippet, under "Notifications":

```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
});

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ClientId = clientId,
    Authority = authority,

    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        RedirectToIdentityProvider = n =>
        {
            // if signing out, add the id_token_hint so the identity server
            // can end its own session for this user
            if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
            {
                var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");
                if (idTokenHint != null)
                {
                    n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
                }
            }

            return Task.FromResult(0);
        }
    }
});
```
You will find some examples of OWIN middleware setup there (although not a direct answer to your question).

Not sure whether this answer will help anyone else, but here is some more information on how to set up OpenId with an MVC application.

Change the middleware configuration

Add the OpenId and Cookies authentication middleware in the startup.cs file. Set ResponseType to id_token so that the OpenId logout also works properly:
```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    CookieHttpOnly = true,
    AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
    CookieName = "AppCookies",
    ExpireTimeSpan = TimeSpan.FromMinutes(30),
    SlidingExpiration = true
});

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    Authority = "https://localhost:44319/identity",
    ClientId = "mvc",
    Scope = "openid profile roles",
    RedirectUri = "https://localhost:44319/",
    ResponseType = "id_token",
    // must match the AuthenticationType of the cookie middleware above,
    // otherwise the cookie middleware never picks up the sign-in
    SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
    UseTokenLifetime = false,

    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        SecurityTokenValidated = n =>
        {
            var id = n.AuthenticationTicket.Identity;

            // we want to keep first name, last name, subject and roles
            var givenName = id.FindFirst(Constants.ClaimTypes.GivenName);
            var familyName = id.FindFirst(Constants.ClaimTypes.FamilyName);
            var sub = id.FindFirst(Constants.ClaimTypes.Subject);
            var roles = id.FindAll(Constants.ClaimTypes.Role);

            // create new identity and set name and role claim type
            var nid = new ClaimsIdentity(
                id.AuthenticationType,
                Constants.ClaimTypes.GivenName,
                Constants.ClaimTypes.Role);

            nid.AddClaim(givenName);
            nid.AddClaim(familyName);
            nid.AddClaim(sub);
            nid.AddClaims(roles);

            // add some other app specific claim
            nid.AddClaim(new Claim("app_specific", "some data"));

            // keep the id_token as a claim so that RedirectToIdentityProvider can
            // send it as id_token_hint at logout (Startup.IdToken is the
            // claim-type constant "id_token")
            nid.AddClaim(new Claim(Startup.IdToken, n.ProtocolMessage.IdToken));

            n.AuthenticationTicket = new AuthenticationTicket(
                nid,
                n.AuthenticationTicket.Properties);

            return Task.FromResult(0);
        },

        RedirectToIdentityProvider = n =>
        {
            // if signing out, add the id_token_hint
            if ((int)n.ProtocolMessage.RequestType == (int)OpenIdConnectRequestType.Logout)
            {
                var idTokenHint = n.OwinContext.Authentication.User.FindFirst(Startup.IdToken);
                if (idTokenHint != null)
                {
                    n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
                }
            }

            return Task.FromResult(0);
        }
    }
});
```
Add logout

Adding logout is easy: simply add a new action that calls the SignOut method of the Katana authentication manager:

```csharp
public ActionResult Logout()
{
    Session.Abandon();

    // clear session cookie (not necessary for your current problem but I would recommend you do it anyway)
    HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
    cookie2.HttpOnly = true;
    cookie2.Expires = DateTime.Now.AddYears(-1);
    Response.Cookies.Add(cookie2);

    // clear site cookie
    var siteCookie = new HttpCookie("AppCookies", "");
    siteCookie.HttpOnly = true;
    siteCookie.Expires = DateTime.Now.AddYears(-1);
    Response.Cookies.Add(siteCookie);

    Request.GetOwinContext().Authentication.SignOut();
    return Redirect("/");
}
```
Thanks for your answer. The idTokenHint I get is null. Is there something I need to configure? Also, if it is set, do I need to check it again, or will Identity take care of it?

You must add "id_token" as a claim so that it can be retrieved at logout and passed to the id server. Check the example in the link below my answer; it has a detailed code sample.
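The Fiddler observation in the question (the old cookie still authenticates after logout) has a cause the answers leave implicit: the Katana cookie ticket is self-contained, so SignOut only tells the browser to delete the cookie, and a captured copy keeps working until the ticket expires. As an added example, not code from the question or the answers, the snippet below keeps the ticket on the server through the cookie middleware's SessionStore option so that SignOut also removes it server-side; InMemoryTicketStore is an assumed class name, and the types come from Microsoft.Owin.Security and Microsoft.Owin.Security.Cookies.

```csharp
// Assumed helper (not from the question or answers): the full ticket stays on
// the server and the browser only gets an opaque key. Use a distributed cache
// instead of a dictionary when running on more than one server.
public class InMemoryTicketStore : IAuthenticationSessionStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets =
        new ConcurrentDictionary<string, AuthenticationTicket>();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = Guid.NewGuid().ToString("N");
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        _tickets[key] = ticket;
        return Task.FromResult(0);
    }

    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        AuthenticationTicket ticket;
        _tickets.TryGetValue(key, out ticket);
        // null makes the cookie middleware treat the request as anonymous
        return Task.FromResult(ticket);
    }

    // Called by the middleware on SignOut: a cookie replayed afterwards no
    // longer resolves to a ticket, so IsAuthenticated is false.
    public Task RemoveAsync(string key)
    {
        AuthenticationTicket removed;
        _tickets.TryRemove(key, out removed);
        return Task.FromResult(0);
    }
}

// Wire the store into the cookie middleware; the id_token claim added in
// SecurityTokenValidated is still available from the stored ticket at logout.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
    CookieName = "AppCookies",
    CookieHttpOnly = true,
    CookieSecure = CookieSecureOption.Always,
    ExpireTimeSpan = TimeSpan.FromMinutes(30),
    SessionStore = new InMemoryTicketStore()
});
```

With the store in place, re-issuing the captured request from Fiddler after Logout returns an anonymous user, which is the check the question was trying to make pass.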