-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
64 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,64 @@ | ||
待编辑... | ||
## 1. 背景 | ||
一个asp.net core应用,采用了混合模式接入IdentityServer4,大致代码如下: | ||
```csharp | ||
services.AddAuthentication(options => | ||
{ | ||
options.DefaultScheme = "Cookies"; | ||
options.DefaultChallengeScheme = "oidc"; | ||
}) | ||
.AddCookie("Cookies") | ||
.AddOpenIdConnect("oidc", options => | ||
{ | ||
options.Authority = "http://localhost:5000"; //指定授权服务器的地址 | ||
options.RequireHttpsMetadata = false; //不需要https | ||
options.ClientId = "mvc"; //指定客户端ID | ||
options.ClientSecret = "secret"; //指定客户端秘钥 | ||
options.ResponseType = "code id_token"; //指定响应类型为混合模式 | ||
options.SaveTokens = true; //保存访问令牌和刷新令牌 | ||
options.GetClaimsFromUserInfoEndpoint = true; //从用户信息端点获取声明 | ||
options.Scope.Add("api1"); //添加访问范围 | ||
options.Scope.Add("offline_access"); //添加离线访问范围 | ||
}); | ||
``` | ||
|
||
## 2. 问题 | ||
在应用升级到.net8后,在identityserver4登录成功后跳转回应用的时候报错; | ||
```chsarp | ||
info: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[12] | ||
AuthenticationScheme: OpenIdConnect was challenged. | ||
warn: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[15] | ||
'.AspNetCore.Correlation.jYHghatkRZxADBgSdV3xxbycWBMMTZEEvtNAlaHyleY' cookie not found. | ||
info: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[4] | ||
Error from RemoteAuthentication: Correlation failed.. | ||
fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1] | ||
An unhandled exception has occurred while executing the request. | ||
Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login. | ||
``` | ||
|
||
这个错误已经不是第一次出现;第一次出现这个错误还是在chrome 86版本修改cookie的SameSite默认值,之前使用SameSite=Unspecified解决了这个问题; | ||
```csharp | ||
options.SameSite = SameSiteMode.Unspecified; | ||
``` | ||
|
||
没想到升级.net8又出现了,当时还以为.net7也有这个问题,只是没发现,回退到.net7确实又没报错了,没办法只能通过对比两个版本的CookieOptions的值,期待有所收获,万万没想到真的是CookieOptions的Secure的默认值从false改成了true造成的,所以解决问题的代码变成了如下代码: | ||
|
||
```csharp | ||
options.SameSite = SameSiteMode.Unspecified; | ||
options.Secure = false; | ||
``` | ||
|
||
## Cookie 属性学习 | ||
第一次遇到SameSite的问题,就简单的看了一下关于SameSite值域的一些解释,并没有将Cookie的其他属性一起看一下,这次借着这个机会重新学习一下其他的Cookie的属性。 | ||
* Domain | ||
程序写入的Cookie可以被哪些主机访问,如果不指定就是本域名,如果指定子域名也可;外网一般用域名,博主从事医疗行业基本都是内网,所以这里的域名对于博主来说就是IP。值得注意的是这里的Domain是指的IP,所以两个应用使用同一个IP的不同端口,Cookie也是可以访问的。 | ||
* Path | ||
哪些路径会带上Cookie,比如指定`Path=/admin`,那么`/admin/index|/admin/login`会携带Cookie而`/home/index`则不会携带Cookie,但是在写入cookie的时候请求的URL也必须包含`/admin`这个路径下,比如`/admin/login`合法,`/account/login`不合法。 | ||
* SameSite | ||
针对CSRF攻击的一种保护措施,指定浏览器是否能够跨站点发送Cookie(比如在A站点提交一个表单到B站点),有三个可选值:Strict(仅发送到它来源的站点)、Lax(可以跨站点发送,但是有限制)、None(完全没限制,但是需要https)。 | ||
* Secure | ||
设置了Secure属性,Cookie就只能在https下才能访问。 | ||
* HttpOnly | ||
这个httponly不是http与https,是说cookie只能在http请求中被访问,而不是在js中被访问。 | ||
|
||
[Http Cookie 教程](https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Cookies) | ||
[在 ASP.NET Core 中使用 SameSite cookie](https://learn.microsoft.com/zh-cn/aspnet/core/security/samesite?view=aspnetcore-8.0) |