azure - 部署到 Azure AppService 时,Identity Server 4 找不到证书
问题描述
我有一个 asp.net 核心托管的 blazor wasm 应用程序。我使用默认模板通过 Identity Server 4 进行身份验证。当我在发布模式下本地测试它时,它按预期工作。但是当我部署到 Azure AppService 时,我得到了这个异常:
2020-05-08 07:45:50.244 +00:00 [ERR] An unhandled exception has occurred while executing the request.
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The system cannot find the file specified.
at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider)
at Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
at Internal.Cryptography.Pal.CertificatePal.GetRSAPrivateKey()
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKey()
at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKeyStatus()
at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider.FoundPrivateKey(SecurityKey key)
at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, String algorithm, Boolean willCreateSignatures, CryptoProviderFactory cryptoProviderFactory)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForSigning(SecurityKey key, String algorithm)
at Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token)
at IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync(JwtSecurityToken jwt)
at IdentityServer4.Services.DefaultTokenCreationService.CreateTokenAsync(Token token)
at IdentityServer4.Services.DefaultTokenService.CreateSecurityTokenAsync(Token token)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.CreateAccessTokenAsync(ValidatedTokenRequest request)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.ProcessAuthorizationCodeRequestAsync(TokenRequestValidationResult request)
at IdentityServer4.ResponseHandling.TokenResponseGenerator.ProcessAsync(TokenRequestValidationResult request)
at IdentityServer4.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context)
at IdentityServer4.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context)
at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events)
at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events)
at IdentityServer4.Hosting.MutualTlsTokenEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context)
at Serilog.AspNetCore.RequestLoggingMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Builder.Extensions.MapWhenMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)
在我的 appsettings 我有这个配置:
"IdentityServer": {
"Clients": {
"ApplySupportTool.Client": {
"Profile": "IdentityServerSPA"
}
},
"Key": {
"Type": "File",
"FilePath": "applysupporttool.pfx",
"Password": "{Password}"
}
}
在我的 Startup.cs 中,我在 ConfigureServices 方法中有这个:
services.AddIdentityServer()
.AddApiAuthorization<ApplicationUser, SupportToolContext>();
services.AddAuthentication()
.AddIdentityServerJwt();
这在配置方法中:
app.UseIdentityServer();
app.UseAuthentication();
app.UseAuthorization();
我根据带有个人身份验证的 asp.net core blazor wasm 模板制作的。
Azure 本身已正确填写密码。Azure 上与我的系统上有何不同?
解决方案
我在 AWS ElasticBeanstalk 基础设施上设置 IdentityServer 时遇到了这个问题。我发现 EC2 实例上的应用程序池没有将 Load User Profile 设置为 true。设置后,权限模型会更改并允许进程加载到证书中。您可以通过应用程序池详细信息上的 IIS 管理 UI 启用,或使用下面的脚本版本。
Import-Module WebAdministration
Set-ItemProperty "IIS:\AppPools\DefaultAppPool" -Name "processModel.loadUserProfile" -Value "True"
推荐阅读
- regex - React Router Dom v5:无法识别 GUID / UUID 的正则表达式路径
- python-3.x - Pytest:如何调用夹具的补丁
- python-3.x - 如何在 Ubuntu 20.04 中默认设置 python 3.7?
- python - 输入给出未知的语法错误 - 其他一切正常
- amazon-web-services - 使用 Lambda AWS 的 Severless 函数出错
- python - 为什么我进入 Z1 2 列而不是 3 列以及如何使用 hotEncoder 修复它
- java - 从对象实例访问嵌套的静态枚举方法
- r - 如何在 bookdown 中启用 LaTeX shell-escape
- python - 使用自定义分隔符读取文件
- facebook - Facebook Web OAuth URL 登录被阻止,因为 URL 未列入白名单