dotnet core openidconnect identityserver4 breaks logout method

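Problem description

I have a simple dotnet core application that uses IdentityServer4 for authentication. Login works fine. Logout partially worked until I tried to add SignedOutCallbackPath. I added a method called logoutcomplete to the home controller. I can call that method in the browser like this: http://localhost:port/home/logoutcomplete. Then I add options.SignedOutCallbackPath = signedOutCallbackPath; to the application and run it. Then I try to revisit http://localhost:port/home/logoutcomplete. It returns 200 but no view. It also does not enter the controller method. ConfigureServices looks like this: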

services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie("Cookies")
        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            options.SaveTokens = true;
            options.ClientId = clientId;
            options.RequireHttpsMetadata = false;
            options.Authority = metadataAddress;

            //options.SignedOutCallbackPath = signedOutCallbackPath;
            //options.SignedOutRedirectUri = Wtrealm + postLogoutUrl;
            // Wtrealm is the app's identifier in the Active Directory instance.
            // For ADFS, use the relying party's identifier, its WS-Federation Passive protocol URL:
            //options.Wtrealm = "https://localhost:44321/";
            options.Events.OnRedirectToIdentityProvider = onRedirectToIdentityProvider;
            //options.Events.OnRedirectToIdentityProviderForSignOut = onRedirectToIdentityProviderForSignOut;

            options.Events.OnRemoteFailure = remoteAuthFail;

            options.Scope.Add("openid");
            options.Scope.Add("profile");
            options.Scope.Add("email");

            //options.Scope.Add("role");

        });

services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);

This is the Configure method:

 public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseCookiePolicy();

        app.UseAuthentication();

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }

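Edit 1: Yes, I have configured the post-logout redirect to the controller I mentioned. Here is a general view of the Network tab in Chrome after I perform step 1:

  1. I click the logout link in the client application.
  2. The logout controller handles it.
  3. It signs me out of the application and redirects me to the ID server logout process.
  4. The ID server endsession is called. It redirects to the ID server Account/Logout method.
  5. It returns a 302 to the postlogouturl page in my client. This is where it should stop, and I would be very happy.
  6. But I get a 302 from that post-logout destination.
  7. It sends me to the client home page. This has a code challenge to log in at the ID server.

The HAR file can't be posted either, but here is the fetch version of the Network tab in Chrome: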


Tags: .net, asp.net-core, identityserver4

Solution


You can add the following code to a controller to trigger sign-out:

public IActionResult Logout()
{
    return SignOut("Cookies", OpenIdConnectDefaults.AuthenticationScheme);
}

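This will clear the local cookie and then redirect to IdentityServer. IdentityServer will clear its cookies and then give the user a link to return to the MVC application.

This is the client configuration in Identity Server: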

new Client
{
    ClientId = "mvc",
    ClientName = "MVC Client",
    AllowedGrantTypes = GrantTypes.Implicit,


    RedirectUris           = { "http://localhost:64146/signin-oidc" },
    PostLogoutRedirectUris = { "http://localhost:64146/signout-callback-oidc" },

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        // Other scopes
    },

    AllowOfflineAccess = true
}

And you can set options.SignedOutCallbackPath to have the user redirected after signing out of OIDC.
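
The difference between the two sign-out options, as an added example that is not part of the original answer: `SignedOutCallbackPath` is a path the OpenID Connect handler answers itself, while `SignedOutRedirectUri` is where the handler sends the browser afterwards. The `LogoutComplete` action mirrors the question's method name; the `AddOidcSignOut` helper and its `authority` and `clientId` parameters are assumptions for illustration.

```csharp
// Added example (not from the original question or answer).
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class OidcSignOutSetup
{
    // Hypothetical helper; call it from ConfigureServices.
    public static void AddOidcSignOut(this IServiceCollection services, string authority, string clientId)
    {
        services.AddAuthentication(options =>
            {
                options.DefaultScheme = "Cookies";
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie("Cookies")
            .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
            {
                options.Authority = authority;   // assumption: the IdentityServer base URL
                options.ClientId = clientId;
                options.SaveTokens = true;       // keeps the id_token so it can be sent as id_token_hint

                // Owned by the OIDC handler: requests to this path never reach MVC,
                // so it must not be the route of a controller action.
                // It must be listed in the client's PostLogoutRedirectUris on IdentityServer.
                options.SignedOutCallbackPath = "/signout-callback-oidc";

                // Where the handler sends the browser once the callback is processed.
                options.SignedOutRedirectUri = "/Home/LogoutComplete";
            });
    }
}

public class HomeController : Controller
{
    // Starts sign-out: clears the local cookie, then redirects to the end-session endpoint.
    public IActionResult Logout() =>
        SignOut("Cookies", OpenIdConnectDefaults.AuthenticationScheme);

    // Reachable without a session. If the controller or a global filter requires
    // authorization, omitting this makes the landing page issue a new login challenge.
    [AllowAnonymous]
    public IActionResult LogoutComplete() => View();
}
```

With this split, the callback path matches the `PostLogoutRedirectUris` entry shown in the client configuration above, and the user ends up on an ordinary MVC view.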

