C# IdentityServer4: multiple WSFederation providers cause an exception
I was told that what I am going to describe here is not a bug in IdentityServer, so I am probably doing something wrong. This code works when a single WSFederation instance is used as the identity provider. Registering the provider:
    services.AddAuthentication()
        .AddWsFederation("WsFederation", options =>
        {
            options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
            options.Wtrealm = realm;
            options.MetadataAddress = metadata;
            options.Events.OnTicketReceived += OnTicketReceived;
        })
OnTicketReceived event handler:
    /// <summary>
    /// Transform the UPN-claim to the sub-claim to be compatible with IdentityServer4
    /// </summary>
    private async Task OnTicketReceived(TicketReceivedContext ticketReceivedContext)
    {
        var identity = ticketReceivedContext.Principal.Identities.First();
        identity.AddClaim(new Claim("sub", ticketReceivedContext.Principal.FindFirstValue("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier")));
    }
The exception I get is the following. If I work around it by allowing unsolicited logins, other exceptions occur, because the callback is still handled by the wrong provider:
    System.Exception: Unsolicited logins are not allowed.
       at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.d__12.MoveNext()
I found the issue that was raised about this:
I do not want to use a fork of IdentityServer 4 to solve this, so I am looking for a solution that does not change the IdentityServer code. The places where I could step in and change something are either the configuration of the WSFederation endpoint or the AccountController.
Callback in the AccountController:
    [HttpGet]
    public async Task<IActionResult> ExternalLoginCallback()
    {
        // read external identity from the temporary cookie - I don't know how I could change which AuthenticationMiddleware gets called
        var result = await HttpContext.AuthenticateAsync(IdentityServer4.IdentityServerConstants.ExternalCookieAuthenticationScheme);
        // ...
    }
Any advice is greatly appreciated.

Answer:
Got it. The solution is to configure a different callback path for each provider:
    services.AddAuthentication()
        .AddWsFederation("WsFederation_LocalHost", "WsFederation_LocalHost", options =>
        {
            options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
            options.Wtrealm = "urn:aspnetcorerp";
            options.MetadataAddress = "http://localhost:5000/wsfederation";
            options.Events.OnTicketReceived += OnWsFedTicketReceived;
            options.RequireHttpsMetadata = false;
            options.CallbackPath = "/signin-wsfed-localhost";
        })
        .AddWsFederation("WsFederation_SVN", "WsFederation_SVN", options =>
        {
            options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
            options.Wtrealm = realm;
            options.MetadataAddress = metadata;
            options.Events.OnTicketReceived += OnWsFedTicketReceived;
            options.CallbackPath = "/signin-wsfed-svn";
        })
Comments:
Hey, can the callback path be any random name, like /signin-wsfed-svn-random? It just needs to be unique?
Yes, you can use a path of your choice.
Thank you very much. This answer helped me a lot; I had been looking for a solution for a long time. I tried setting AllowUnsolicitedLogins to true, but it seemed to cause problems. Do you think AllowUnsolicitedLogins = true is an alt
I don't know if this helps, but apart from the problem you ran into, it also lowers security, so I would not recommend it. I would also always use the feature provided there rather than trying to implement workarounds, because you may create more security problems with them.
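The following is an added example, not code from the question, the answer or the IdentityServer4 project. It puts the answer and the comment about AllowUnsolicitedLogins together: two WS-Federation handlers on one IdentityServer4 host, each with its own CallbackPath, AllowUnsolicitedLogins left at its default of false, and a ticket handler that rejects a ticket without a usable name identifier instead of letting the Claim constructor throw. The scheme names, realm and metadata values are constructed placeholders, and the "scheme" property item is an assumed convention for the external callback, not an IdentityServer4 API.

```csharp
// Added example: two WS-Federation providers that do not collide on the callback path.
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.Extensions.DependencyInjection;

public static class WsFederationSetup
{
    // Each handler is a remote authentication handler: it claims an incoming
    // request when Request.Path equals its CallbackPath. If both handlers keep
    // the default path, the handler registered first receives the response
    // meant for the other one, cannot unprotect the wctx state it never issued,
    // and fails the request as an unsolicited login. Distinct paths avoid that
    // without relaxing AllowUnsolicitedLogins.
    public static void ConfigureProviders(IServiceCollection services)
    {
        services.AddAuthentication()
            .AddWsFederation("WsFederation_Corp", "Corporate STS", options =>
            {
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                options.Wtrealm = "urn:example:corp-rp";                                   // placeholder
                options.MetadataAddress = "https://sts.corp.example/FederationMetadata/2007-06/FederationMetadata.xml"; // placeholder
                options.CallbackPath = "/signin-wsfed-corp";
                // Default is already false; stated explicitly so the intent is reviewable.
                options.AllowUnsolicitedLogins = false;
                options.Events.OnTicketReceived = MapSubjectClaim;
            })
            .AddWsFederation("WsFederation_Partner", "Partner STS", options =>
            {
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                options.Wtrealm = "urn:example:partner-rp";                                // placeholder
                options.MetadataAddress = "https://sts.partner.example/FederationMetadata/2007-06/FederationMetadata.xml"; // placeholder
                options.CallbackPath = "/signin-wsfed-partner";
                options.AllowUnsolicitedLogins = false;
                options.Events.OnTicketReceived = MapSubjectClaim;
            });
    }

    // Copies the WS-Federation name identifier into the "sub" claim that
    // IdentityServer4 expects. A ticket without a name identifier is failed
    // with a diagnosable reason rather than turned into a principal with no
    // stable subject.
    public static Task MapSubjectClaim(TicketReceivedContext context)
    {
        var identity = context.Principal?.Identity as ClaimsIdentity;
        var nameId = context.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;

        if (identity == null || string.IsNullOrWhiteSpace(nameId))
        {
            context.Fail($"Ticket from scheme '{context.Scheme.Name}' carries no name identifier claim.");
            return Task.CompletedTask;
        }

        if (identity.FindFirst("sub") == null)
        {
            identity.AddClaim(new Claim("sub", nameId));
        }

        // Assumed convention (not an IdentityServer4 API): record the issuing
        // scheme so the external login callback can confirm which provider
        // produced the ticket instead of guessing from the path.
        context.Properties.Items["scheme"] = context.Scheme.Name;
        return Task.CompletedTask;
    }
}
```

Call WsFederationSetup.ConfigureProviders(services) from ConfigureServices. Because the state in wctx is protected per scheme, a response that lands on the wrong handler cannot be correlated with a challenge, so the failure the question describes is the handler doing its job; enabling AllowUnsolicitedLogins would accept such responses without that correlation, which is why separate callback paths are the right fix.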