C# OWIN OpenId身份验证-注销后的活动会话

Tags: c#, asp.net, asp.net-mvc, asp.net-identity, owin

I have implemented a mix of ASP.NET cookie authentication and OWIN OpenId authentication in my application. I am trying to fix a security vulnerability where the session is not invalidated even after logging out.

Middleware implementation:

    // the two middlewares are registered one after the other
    // (the original paste had UseOpenIdConnectAuthentication nested inside the cookie options)
    app.UseCookieAuthentication(
        new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
        });

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
    });

I am capturing the traffic in Fiddler and clicking "Logout" on the web page. When I re-issue the request from Fiddler it completes successfully, and in the HttpModule `Application.User.Identity.IsAuthenticated` is `True`.

I have a couple of questions:

  • Is this a cookie replay attack?
  • Am I doing something wrong, and if not, will I have to fix it with some trick such as storing the cookie in a cache and comparing it?

When logging out of the application you must also log out of the Identity server. Otherwise your application will redirect to the identity server, re-authenticate and sign you back in. Check the following snippet under "Notifications":

    app.UseCookieAuthentication(
        new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
        });

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            RedirectToIdentityProvider = n =>
            {
                // if signing out, add the id_token_hint
                // (OpenIdConnectRequestType.LogoutRequest is the Katana 3.x name; Katana 4 renames it to Logout)
                if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                {
                    // the id_token must have been stored as a claim at sign-in for this lookup to find it
                    var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");

                    if (idTokenHint != null)
                    {
                        n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
                    }
                }

                return Task.FromResult(0);
            }
        }
    });


Here you will find some examples of OWIN middleware setup (though not a direct answer to your question).

Not sure whether this answer will help others, but here is some more information on how to set up OpenId with an MVC application.

Change the middleware configuration

Add the OpenId and Cookies authentication middleware in the `startup.cs` file. Set `ResponseType` to `id_token` so that OpenId logout works properly as well.

    // Namespaces used below: Microsoft.Owin.Security.Cookies, Microsoft.Owin.Security.OpenIdConnect,
    // Microsoft.IdentityModel.Protocols (OpenIdConnectRequestType), System.Security.Claims,
    // System.Threading.Tasks and IdentityServer3.Core (Constants.ClaimTypes).
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        CookieHttpOnly = true,
        AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
        CookieName = "AppCookies",
        ExpireTimeSpan = TimeSpan.FromMinutes(30),
        SlidingExpiration = true
    });

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        Authority = "https://localhost:44319/identity",
        ClientId = "mvc",
        Scope = "openid profile roles",
        RedirectUri = "https://localhost:44319/",
        ResponseType = "id_token",
        // must match the AuthenticationType of the cookie middleware above, otherwise the
        // cookie middleware never picks up the OpenId sign-in (the original had "Cookies" here)
        SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
        UseTokenLifetime = false,
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            SecurityTokenValidated = n =>
            {
                var id = n.AuthenticationTicket.Identity;

                // we want to keep first name, last name, subject and roles
                var givenName = id.FindFirst(Constants.ClaimTypes.GivenName);
                var familyName = id.FindFirst(Constants.ClaimTypes.FamilyName);
                var sub = id.FindFirst(Constants.ClaimTypes.Subject);
                var roles = id.FindAll(Constants.ClaimTypes.Role);

                // create new identity and set name and role claim type
                var nid = new ClaimsIdentity(
                    id.AuthenticationType,
                    Constants.ClaimTypes.GivenName,
                    Constants.ClaimTypes.Role);

                nid.AddClaim(givenName);
                nid.AddClaim(familyName);
                nid.AddClaim(sub);
                nid.AddClaims(roles);

                // keep the raw id_token as a claim so it can be sent as id_token_hint at logout
                nid.AddClaim(new Claim(Startup.IdToken, n.ProtocolMessage.IdToken));

                // add some other app specific claim
                nid.AddClaim(new Claim("app_specific", "some data"));

                n.AuthenticationTicket = new AuthenticationTicket(
                    nid,
                    n.AuthenticationTicket.Properties);

                return Task.FromResult(0);
            },
            RedirectToIdentityProvider = n =>
            {
                // if signing out, add the id_token_hint
                // (OpenIdConnectRequestType.Logout is the Katana 4 name; Katana 3.x calls it LogoutRequest)
                if ((int)n.ProtocolMessage.RequestType == (int)OpenIdConnectRequestType.Logout)
                {
                    // Startup.IdToken is the claim type used above, i.e. public const string IdToken = "id_token";
                    var idTokenHint = n.OwinContext.Authentication.User.FindFirst(Startup.IdToken);

                    if (idTokenHint != null)
                    {
                        n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
                    }
                }
                return Task.FromResult(0);
            }
        }
    });

Add logout

Adding logout is simple: just add a new action that calls the sign-out method of the Katana authentication manager:

    // Request.GetOwinContext() comes from Microsoft.Owin.Host.SystemWeb (namespace System.Web)
    public ActionResult Logout()
    {
        Session.Abandon();

        // clear session cookie (not necessary for your current problem but i would recommend you do it anyway)
        HttpCookie cookie2 = new HttpCookie("ASP.NET_SessionId", "");
        cookie2.HttpOnly = true;
        cookie2.Expires = DateTime.Now.AddYears(-1);
        Response.Cookies.Add(cookie2);

        // clear site cookie
        var siteCookie = new HttpCookie("AppCookies", "");
        siteCookie.HttpOnly = true;
        siteCookie.Expires = DateTime.Now.AddYears(-1);
        Response.Cookies.Add(siteCookie);

        // with no authentication types given, every active-mode middleware signs out:
        // the cookie middleware expires its cookie and the OpenId Connect middleware
        // redirects to the identity server's end-session endpoint (with id_token_hint, see above)
        Request.GetOwinContext().Authentication.SignOut();
        return Redirect("/");
    }


Thanks for your answer. The `idTokenHint` I get is null. Is there anything I need to configure? Also, if it is set, do I need to check it again, or will Identity take care of it?

You must add "id_token" as a claim so that it can be retrieved at logout and passed to the id server. Check the example in the link below my answer; it has a detailed code sample.
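As an added example (not code from the question or from either answer), here is how the two fixes discussed in this thread fit together in one Startup. The cookie ticket is self-contained and is decrypted and accepted on every request, which is why a copy captured in Fiddler still authenticates after logout; the app therefore keeps its own record of live logins and rejects the cookie from `OnValidateIdentity` once the login has been ended (the "store and compare" the asker mentions). It also keeps the raw id_token as a claim at sign-in so that the logout redirect carries `id_token_hint`, as the answer and the comment describe. `SessionRegistry`, the `app_sid` claim type and the `example.invalid` URLs are assumptions for this example; `OpenIdConnectRequestType.LogoutRequest` is the Katana 3.x spelling (Katana 4 renames it to `Logout`).

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;                        // Request.GetOwinContext() (Microsoft.Owin.Host.SystemWeb)
using System.Web.Mvc;
using Microsoft.IdentityModel.Protocols; // OpenIdConnectRequestType (Katana 3.x)
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Hypothetical server-side registry of live logins (assumption for this example). The cookie ticket
// is stateless, so the server must remember which logins it has ended. An in-process dictionary
// is enough for one web server; a web farm needs a shared cache instead.
public static class SessionRegistry
{
    private static readonly ConcurrentDictionary<string, byte> Active = new ConcurrentDictionary<string, byte>();

    public static string Begin()
    {
        var sid = Guid.NewGuid().ToString("N");
        Active[sid] = 0;
        return sid;
    }

    public static bool IsActive(string sid) => sid != null && Active.ContainsKey(sid);

    public static void End(string sid)
    {
        if (sid != null) Active.TryRemove(sid, out _);
    }
}

public class Startup
{
    public const string SessionClaim = "app_sid";  // hypothetical claim type, one value per login
    public const string IdTokenClaim = "id_token"; // raw id_token, needed for id_token_hint at logout

    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always,
            Provider = new CookieAuthenticationProvider
            {
                // Runs on every request that presents a valid auth cookie. Without this check a
                // cookie replayed after logout still decrypts to a valid ticket and is accepted.
                OnValidateIdentity = ctx =>
                {
                    var sid = ctx.Identity.FindFirst(SessionClaim)?.Value;
                    if (!SessionRegistry.IsActive(sid))
                    {
                        ctx.RejectIdentity(); // request becomes anonymous: IsAuthenticated == false
                        ctx.OwinContext.Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
                    }
                    return Task.FromResult(0);
                }
            }
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://idp.example.invalid/",   // placeholder
            ClientId = "mvc",
            ResponseType = "id_token",
            Scope = "openid profile",
            RedirectUri = "https://app.example.invalid/", // placeholder
            SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = n =>
                {
                    var id = n.AuthenticationTicket.Identity;
                    id.AddClaim(new Claim(SessionClaim, SessionRegistry.Begin()));       // register this login
                    id.AddClaim(new Claim(IdTokenClaim, n.ProtocolMessage.IdToken));     // keep id_token for logout
                    return Task.FromResult(0);
                },
                RedirectToIdentityProvider = n =>
                {
                    // on sign-out, tell the identity server which session to end
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                    {
                        var hint = n.OwinContext.Authentication.User.FindFirst(IdTokenClaim);
                        if (hint != null) n.ProtocolMessage.IdTokenHint = hint.Value;
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}

public class AccountController : Controller
{
    [HttpPost, ValidateAntiForgeryToken] // logout changes state, so do not expose it to a GET
    public ActionResult Logout()
    {
        var auth = Request.GetOwinContext().Authentication;
        SessionRegistry.End(auth.User.FindFirst(Startup.SessionClaim)?.Value); // replayed cookies now fail
        Session.Abandon();
        auth.SignOut(CookieAuthenticationDefaults.AuthenticationType,
                     OpenIdConnectAuthenticationDefaults.AuthenticationType); // local cookie + IdP end-session
        return Redirect("/");
    }
}
```

After `Logout` has run, re-issuing the captured request from Fiddler hits `OnValidateIdentity`, which finds no live login for the `app_sid` claim and rejects the identity, so `Application.User.Identity.IsAuthenticated` in the HttpModule is `false` for the replayed cookie. Passing both authentication types to `SignOut` makes the OpenId Connect middleware issue the end-session redirect, and `RedirectToIdentityProvider` attaches the stored id_token as `id_token_hint` so the identity server ends its session too; without that second step the identity server would silently sign the user back in on the next redirect, exactly as the answer warns. An application restart empties the in-process registry, which fails in the safe direction (every existing cookie is rejected and users log in again).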