Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
556 views
in Technique[技术] by (71.8m points)

webforms - Unable to Determine RedirectUri for IdentityServer4 OpenID Connect Authentication on Web Forms Application Configured as a Subdirectory

I know there are a lot of similar questions to mine, but I haven't been able to find any examples where the client application is configured like my setup.

What I am Trying to Do

I have configured an asp.net core 3.1 IdentityServer4 instance using Asp.Net Identity and EntityFramework core. I am trying to migrate a bunch of Web Forms applications from FormsAuthentication, and I have the configuration mostly correct - I can work around my sign in redirect problem and see that my claims are being returned as expected and my roles are working.

My Problem

However, I just can't figure out the correct RedirectUri, and that's probably at least partially due to my lack of understanding of how the signin-oidc endpoint works and if it can be configured.

In almost every example I have seen, the redirect Uri is always pointing to the root application (for localhost development, it's something like localhost:5001 or whatever port the application is listening on).

My IIS Hosting Setup

For both local development and production, my applications are set up in IIS as one root application with a series of other applications as subdirectories. For example:

  • mydomain.com
  • mydomain.com/Application1
  • mydomain.com/Application2

Each of these is a stand-alone application.

Redirect Uris I Have Tried

The examples I have seen show the Redirect Uri as localhost:5001/signin-oidc. Here are the various Redirect Uris I have tried in my Startup.cs file and their results:

  • localhost/Application1: "This page isn't redirecting properly" message from Firefox (url is something like http://localhost:80/Application1?code=xxxx&scope=xxxx&state=xxxx&session_state=xxxx)
  • localhost/Application1/: Redirects to root (localhost). I can access the application if I manually navigate to it afterwards, and everything works as expected. However, this is an untenable solution because my users will be confused as hell.
  • localhost/Application1/signin-oidc: 404 not found (url is something like: http://localhost:80/Application1/signin-oidc?code=xxxx&scope=xxxx&state=xxxx&session_state=xxxx)
  • localhost/Application1/signin-oidc/: Same as localhost/Application1/: redirects to root

So it seems like this would all work fine if my application was at the root of the server, but since it's not, I have no idea how to make the redirect work correctly.

Reference

For reference here is the code in my application's startup.cs and the code that produces the challenge. For what it's worth, I do not understand why RedirectUri is being specified in the Authentication Challenge or what impact it has on the request, but it didn't seem to work unless I set it as is here, and in all of the examples I have seen. I played around with it, but it didn't yield any different results from when I left this as is and played around with the RedirectUri values in the Startup.cs file:

Startup.cs

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        ConfigureAuth(app);
    }

    private void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
        });

        app.UseOpenIdConnectAuthentication(GetOpenIdConnectAuthenticationOptions());
    }

    private OpenIdConnectAuthenticationOptions GetOpenIdConnectAuthenticationOptions()
    {
        var _authority = "http://localhost:5000/";
        var _redirectUri = "http://localhost/Application1/";
        var _clientId = "app1";
        var _clientSecret = "WouldntYouLikeToKnow";

        return new OpenIdConnectAuthenticationOptions
        {
            Authority = _authority,
            RedirectUri = _redirectUri,
            ClientId = _clientId,
            ClientSecret = _clientSecret,
            Scope = $"{OpenIdConnectScope.OpenIdProfile} role",
            TokenValidationParameters = new TokenValidationParameters()
            {
                NameClaimType = "preferred_username",
                RoleClaimType = ClaimTypes.Role
            },
            SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            RequireHttpsMetadata = _authority.Contains("https"),
            UseTokenLifetime = false,
            RedeemCode = true,
            SaveTokens = true,
            ResponseType = OpenIdConnectResponseType.Code,
            ResponseMode = OpenIdConnectResponseMode.Query,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
               //section removed for brevity - this code handles pkce verification and challenge.
            }
        };
    }
}

SiteMaster.cs

protected override void OnInit(EventArgs e)
{
    if (!Request.IsAuthenticated)
    {
        HttpContext.Current.GetOwinContext().Authentication.Challenge(new Microsoft.Owin.Security.AuthenticationProperties()
        {
            RedirectUri = "/"
        }, OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }
}

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)
等待大神答复

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...