我已将身份验证服务器配置为使用Open ID Connect身份提供程序,以允许用户使用混合流程对多租户Azure Active Directory帐户进行身份验证.
目前,登录按预期工作,我的客户端应用程序重定向到身份验证服务器,然后身份验证服务器重定向到Microsoft进行登录,然后返回到具有正确填充的访问令牌的客户端应用程序.
但是,当我尝试注销时,我被正确地重定向到Microsoft,但页面在返回到身份验证服务器时停止,而不是继续返回到我的客户端应用程序.
我相信我已按照here概述正确设置了邮寄注销重定向,我认为我的所有设置都可以.
当我下载Identity Server 3代码并调试它时,它正确地将signOutMessageId设置到查询字符串上,但是当它尝试重定向到我的映射的signoutcallback位置时,在UseAutofacMiddleware方法中遇到以下错误:
Exception thrown: ‘System.InvalidOperationException’ in mscorlib.dll
Additional information: Headers already sent
我的验证服务器设置:
app.Map("identity",idsrvApp => { var idSvrFactory = new IdentityServerServiceFactory(); var options = new IdentityServerOptions { SiteName = "Site Name",SigningCertificate = <Certificate>,Factory = idSvrFactory,AuthenticationOptions = new AuthenticationOptions { IdentityProviders = ConfigureIdentityProviders,EnablePostSignOutAutoRedirect = true,PostSignOutAutoRedirectDelay = 3 } }; idsrvApp.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType); idsrvApp.UseIdentityServer(options); idsrvApp.Map("/signoutcallback",cb => { cb.Run(async ctx => { var state = ctx.Request.Cookies["state"]; ctx.Response.Cookies.Append("state",".",new Microsoft.Owin.CookieOptions { Expires = DateTime.UtcNow.AddYears(-1) }); await ctx.Environment.RenderLoggedOutViewAsync(state); }); }); });
我的Open Id Connect设置连接到Azure AD:
app.USEOpenIdConnectAuthentication( new OpenIdConnectAuthenticationOptions { AuthenticationType = "aad",SignInAsAuthenticationType = signInAsType,Authority = "https://login.microsoftonline.com/common/",ClientId = <Client ID>,AuthenticationMode = AuthenticationMode.Active,TokenValidationParameters = new TokenValidationParameters { AuthenticationType = Constants.ExternalAuthenticationType,ValidateIssuer = false,},Notifications = new OpenIdConnectAuthenticationNotifications() { AuthorizationCodeReceived = (context) => { var code = context.Code; ClientCredential credential = new ClientCredential(<Client ID>,<Client Secret>); string tenantId = context.AuthenticationTicket.Identity.FindFirst("tid").Value; AuthenticationContext authContext = new AuthenticationContext($"https://login.microsoftonline.com/{tenantId}"); AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode( code,new Uri(<Identity Server URI>/aad/"),credential,"https://graph.windows.net"); return Task.FromResult(0); },RedirectToIdentityProvider = (context) => { string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase; context.ProtocolMessage.RedirectUri = appBaseUrl + "/aad/"; context.ProtocolMessage.PostlogoutRedirectUri = appBaseUrl + "/signoutcallback"; if (context.ProtocolMessage.RequestType == Microsoft.IdentityModel.Protocols.OpenIdConnectRequestType.logoutRequest) { var signOutMessageId = context.OwinContext.Environment.GetSignOutMessageId(); if (signOutMessageId != null) { context.OwinContext.Response.Cookies.Append("state",signOutMessageId); } } return Task.FromResult(0); } });
我找不到有关此问题的原因或解决方案的任何信息.如何将其配置为正确重定向回我的客户端应用程序?
编辑:
关于GitHub的相关讨论:https://github.com/IdentityServer/IdentityServer3/issues/2657
我也在MyGet(v2.4.1-build00452)上使用最新版本的Identity Server尝试了同样的问题.
我还创建了一个存储库,可以在这里为我重现这个问题:https://github.com/Steve887/IdentityServer-Azure/
我的Azure AD设置: