C# 处理不完整或错误的远程注销
我刚刚更新了我的应用程序(使用identity server 4)以使用.net core 2.1框架。生产实例使用.NETCore1.1,我没有这个问题。该应用程序支持多个开放id提供商,其中一个是B2C。与其他目录不同,注销过程不会完全完成。在.net core 1.1中,注销将以identity server注销页面结束。但在.NETCore2.1中,我看到了一个空白页。在identity server端的最后一个url命中是C# 处理不完整或错误的远程注销,c#,asp.net,asp.net-core-2.0,identityserver4,C#,Asp.net,Asp.net Core 2.0,Identityserver4,我刚刚更新了我的应用程序(使用identity server 4)以使用.net core 2.1框架。生产实例使用.NETCore1.1,我没有这个问题。该应用程序支持多个开放id提供商,其中一个是B2C。与其他目录不同,注销过程不会完全完成。在.net core 1.1中,注销将以identity server注销页面结束。但在.NETCore2.1中,我看到了一个空白页。在identity server端的最后一个url命中是https:///signout-callback-oidc?s
https:///signout-callback-oidc?state=
。我怀疑政府已经腐败了?不幸的是,这个问题只有在我将其部署到应用程序服务之后才会发生,在本地我没有任何问题
关于日志-一旦到达结束会话结束点(EndSessionEndpoint
),日志记录即结束。返回EndSessionResult
后,将不再进行日志记录。因此,如果我看我的日志,它表明成功
我尝试了很多方法,比如在B2C注册的可接受回复url列表中指定已注销的回调url,自定义状态数据格式怀疑url过长。但什么都没用。这些用户的索赔数量也较少——约为7/8。我还尝试使用了OpenIdConnectEvents.OnRemoteSignout
和OpenIdConnectEvents.OnSignedOutCallbackRedirect
,但似乎没有调用这些回调
身份服务器日志
[02:16:36 Information] IdentityServer4.Validation.EndSessionRequestValidator
End session request validation success
{
"ClientId": "<id>",
"ClientName": "<nmame>",
"SubjectId": "<sub-id>",
"PostLogOutUri": "https://<app>/signout-callback-oidc",
"State": "<state>",
"Raw": {
"post_logout_redirect_uri": "https://<app>/signout-callback-oidc",
"id_token_hint": "<token-hint>",
"state": "<state>",
"x-client-SKU": "ID_NET",
"x-client-ver": "2.1.4.0"
}
}
[02:16:36 Debug] IdentityServer4.Endpoints.EndSessionEndpoint
Success validating end session request from <app-client-id>
[02:16:37 Information] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
AuthenticationScheme: Identity.Application signed out.
[02:16:37 Information] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
AuthenticationScheme: Identity.External signed out.
[02:16:38 Information] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
AuthenticationScheme: Identity.TwoFactorUserId signed out.
[02:16:38 Information] Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler
AuthenticationScheme: OpenIdConnect signed out.
我也在identity server repo中发布了这个问题,以防您有一些想法并想将其添加到那里 问题是,当使用
AddOpenIdConnect
方法设置选项时,我没有为每个导致此问题的开放id提供程序设置SignedoutCallbackPath
。一旦完成,注销就开始按预期工作
services.AddOpenIdConnect(adSettingsB2c.SchemeName, adSettingsB2c.DisplayName, options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.SignOutScheme = IdentityServerConstants.SignoutScheme;
options.Authority = $"{adSettingsB2c.AADInstance}/{adSettingsB2c.Tenant}/B2C_1_{adSettingsB2c.SignInPolicyId}/v2.0";
options.CallbackPath = adSettingsB2c.CallbackPath;
options.ClientId = adSettingsB2c.ClientId;
options.ResponseType = OpenIdConnectResponseType.IdToken;
options.SaveTokens = true;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true
};
options.Events = new OpenIdConnectEvents
{
OnRedirectToIdentityProvider = r =>
{
var defaultPolicy = adSettingsB2c.SignInPolicyId;
if (r.Properties.Items.TryGetValue("Policy", out var policy) &&
!policy.Equals(defaultPolicy))
{
r.ProtocolMessage.Scope = OpenIdConnectScope.OpenIdProfile;
r.ProtocolMessage.ResponseType = OpenIdConnectResponseType.IdToken;
r.ProtocolMessage.IssuerAddress = r.ProtocolMessage.IssuerAddress.ToLower().Replace(defaultPolicy.ToLower(), policy.ToLower());
r.Properties.Items.Remove("Policy");
}
if (r.Properties.Items.ContainsKey("email_address"))
{
r.ProtocolMessage.SetParameter("login_hint", r.Properties.Items["email_address"]);
}
return Task.FromResult(0);
},
OnRemoteFailure = r => { // ... }
};
})