1

I'm seeing strange behavior with IdentityServer3 and an external provider, and I hope someone can point out what I'm missing. IdentityServer3, Azure Active Directory external provider, Message='Action returned 'System.Web.Http.Results.Unauthorized''

Summary

The first external login request leaves the browser waiting; the only thing it produces is the failed request seen in the log below. If I cancel the request in the browser and immediately click the button again, it works as expected and the browser is sent to the external login screen.


Configuration

I configured IdSrv3 to use Azure Active Directory based on various references and the documentation, as far as I could determine.

    var wsFedOptions = new WsFederationPluginOptions(options);
    wsFedOptions.Factory.Register(new Registration<IEnumerable<RelyingParty>>(RelyingParties.Get()));
    wsFedOptions.Factory.RelyingPartyService = new Registration<IRelyingPartyService>(typeof(InMemoryRelyingPartyService));
    app.UseWsFederationPlugin(wsFedOptions);



    var aad = new OpenIdConnectAuthenticationOptions
    {
        AuthenticationType = "AzureAd",
        Caption = "Azure AD",
        SignInAsAuthenticationType = signInAsType,
        PostLogoutRedirectUri = Settings.LogoutRedirect,
        Authority = Settings.AADAuthority,
        ClientId = Settings.AADClientId,
        RedirectUri = Settings.AADRedirectUrl
    };

    app.UseOpenIdConnectAuthentication(aad);

In the login view I show the external login button as described above (Azure AD). The first time I click this button, the browser just waits on the host...

In the log I found the following errors.


iisexpress.exe Information: 0 : 2017-04-05 08:28:09.708 -05:00 [Information] External login requested for provider: "AzureAd" 
iisexpress.exe Information: 0 : 2017-04-05 08:28:09.714 -05:00 [Information] Triggering challenge for external identity provider 
LibLog Information: 0 : [2017-04-05T13:28:09.7176576Z] Level=Info, Kind=End, Category='System.Web.Http.Action', Id=800000ad-0002-fb00-b63f-84710c7967bb, Message='Action returned 'System.Web.Http.Results.UnauthorizedResult'', Operation=ReflectedHttpActionDescriptor.ExecuteAsync 
LibLog Information: 0 : [2017-04-05T13:28:09.7206611Z] Level=Info, Kind=End, Category='System.Web.Http.Action', Id=800000ad-0002-fb00-b63f-84710c7967bb, Operation=ApiControllerActionInvoker.InvokeActionAsync, Status=401 (Unauthorized) 
LibLog Information: 0 : [2017-04-05T13:28:09.7216630Z] Level=Info, Kind=Begin, Category='System.Web.Http.Filters', Id=800000ad-0002-fb00-b63f-84710c7967bb, Message='Action filter for 'LoginExternal(String signin, String provider)'', Operation=NoCacheAttribute.OnActionExecutedAsync, Status=401 (Unauthorized) 
LibLog Information: 0 : [2017-04-05T13:28:09.7226640Z] Level=Info, Kind=End, Category='System.Web.Http.Filters', Id=800000ad-0002-fb00-b63f-84710c7967bb, Operation=NoCacheAttribute.OnActionExecutedAsync, Status=401 (Unauthorized) 
LibLog Information: 0 : [2017-04-05T13:28:09.7226640Z] Level=Info, Kind=Begin, Category='System.Web.Http.Filters', Id=800000ad-0002-fb00-b63f-84710c7967bb, Message='Action filter for 'LoginExternal(String signin, String provider)'', Operation=SecurityHeadersAttribute.OnActionExecutedAsync, Status=401 (Unauthorized) 
LibLog Information: 0 : [2017-04-05T13:28:09.7236655Z] Level=Info, Kind=End, Category='System.Web.Http.Filters', Id=800000ad-0002-fb00-b63f-84710c7967bb, Operation=SecurityHeadersAttribute.OnActionExecutedAsync, Status=401 (Unauthorized) 
LibLog Information: 0 : [2017-04-05T13:28:09.7246669Z] Level=Info, Kind=End, Category='System.Web.Http.Controllers', Id=800000ad-0002-fb00-b63f-84710c7967bb, Operation=AuthenticationController.ExecuteAsync, Status=401 (Unauthorized) 
LibLog Information: 0 : [2017-04-05T13:28:09.7251836Z] Level=Info, Kind=End, Category='System.Web.Http.MessageHandlers', Id=800000ad-0002-fb00-b63f-84710c7967bb, Operation=PassiveAuthenticationMessageHandler.SendAsync, Status=401 (Unauthorized) 
LibLog Information: 0 : [2017-04-05T13:28:09.7261856Z] Level=Info, Kind=End, Category='System.Web.Http.MessageHandlers', Id=800000ad-0002-fb00-b63f-84710c7967bb, Operation=DependencyScopeHandler.SendAsync, Status=401 (Unauthorized) 
LibLog Information: 0 : [2017-04-05T13:28:09.7271879Z] Sending response, Status=401 (Unauthorized), Method=GET, Url=https://localhost:44396/identity/external?provider=AzureAd&signin=2d92dd18a6106c9b029eb8742d4117a1, Id=800000ad-0002-fb00-b63f-84710c7967bb, Message='Content-type='none', content-length=unknown' 

The browser keeps waiting on localhost indefinitely. If I stop the request and immediately click the button again, everything works as expected.

+0

The error seems to occur in the IdSrv3 AuthenticationController.cs around line 330, right after context.Authentication.Challenge(authProp, provider) is called with the OpenIdAuthenticationOptions; the method then immediately returns Unauthorized(); –

Answers

0

It turns out this problem is related to a deadlock issue in the Katana OIDC middleware. The workaround is to create a custom IConfigurationManager and fetch the metadata manually at startup, similar to what Thinktecture proposed.

https://github.com/IdentityServer/IdentityServer3/blob/master/source/Host.Configuration/Extensions/SyncConfigurationManager.cs

For OpenIdConnectConfiguration:



    var manager = new SyncConfigurationManager(new ConfigurationManager<OpenIdConnectConfiguration>(Settings.AADAuthority + "/.well-known/openid-configuration"));

Then add the manager to the options:



    var aad = new OpenIdConnectAuthenticationOptions
    {
        AuthenticationType = "AzureAd",
        Caption = "Marquis Azure AD",
        SignInAsAuthenticationType = signInAsType,
        PostLogoutRedirectUri = Settings.LogoutRedirect,
        Authority = Settings.AADAuthority,
        ClientId = Settings.AADClientId,
        RedirectUri = Settings.AADRedirectUrl,
        ConfigurationManager = manager
    };
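To make the workaround in this answer concrete, here is an added example of what such a startup-loading IConfigurationManager can look like. It is not the answerer's SyncConfigurationManager nor code from the IdentityServer3 repository; it is a stand-in written for this page. It assumes the Microsoft.IdentityModel.Protocols package version used by the Katana 3.x OIDC middleware, where IConfigurationManager<T> exposes GetConfigurationAsync(CancellationToken) and RequestRefresh() and OpenIdConnectConfiguration lives in the Microsoft.IdentityModel.Protocols namespace; the class name StartupLoadedConfigurationManager and the sanity check on the discovery document are this example's own choices.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;

// Added example (not the page's own SyncConfigurationManager): fetch the OIDC
// discovery document once, at application startup, so the Katana OIDC middleware
// never has to await the inner ConfigurationManager from inside a request, which
// is where the deadlock described in the answer shows up.
public class StartupLoadedConfigurationManager : IConfigurationManager<OpenIdConnectConfiguration>
{
    private readonly IConfigurationManager<OpenIdConnectConfiguration> _inner;
    private OpenIdConnectConfiguration _cached;

    public StartupLoadedConfigurationManager(IConfigurationManager<OpenIdConnectConfiguration> inner)
    {
        if (inner == null) throw new ArgumentNullException(nameof(inner));
        _inner = inner;

        // Block here, during startup, where there is no request SynchronizationContext
        // to deadlock against. Task.Run moves the await onto a thread-pool thread.
        _cached = Load();
    }

    private OpenIdConnectConfiguration Load()
    {
        var config = Task.Run(() => _inner.GetConfigurationAsync(CancellationToken.None))
                         .GetAwaiter().GetResult();

        // Fail fast at startup rather than serving a broken challenge later:
        // a discovery document without issuer or authorization endpoint is unusable.
        if (config == null
            || string.IsNullOrEmpty(config.Issuer)
            || string.IsNullOrEmpty(config.AuthorizationEndpoint))
        {
            throw new InvalidOperationException(
                "OpenID Connect discovery document was loaded but is incomplete.");
        }
        return config;
    }

    // Called by the middleware on every challenge/validation; returns the cached
    // document immediately, so nothing is awaited inside the request pipeline.
    public Task<OpenIdConnectConfiguration> GetConfigurationAsync(CancellationToken cancel)
    {
        return Task.FromResult(_cached);
    }

    // The middleware calls this when it suspects stale keys (e.g. an unknown kid).
    // Refreshing synchronously here keeps the same no-await-in-request property.
    public void RequestRefresh()
    {
        _inner.RequestRefresh();
        _cached = Load();
    }
}

// Wiring it into the options from this answer (assumes the same Settings class):
//   var manager = new StartupLoadedConfigurationManager(
//       new ConfigurationManager<OpenIdConnectConfiguration>(
//           Settings.AADAuthority + "/.well-known/openid-configuration"));
//   options.ConfigurationManager = manager;
```

Because the document is loaded in the constructor, a wrong Authority or an unreachable metadata endpoint surfaces as a startup exception instead of as a hung first login, which is a much easier symptom to diagnose than the 401 seen in the question's log.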

1

Your code based on OpenIdConnectAuthenticationOptions looks correct. I also sign in to IdentityServer3 with an Azure AD account using the code below, and it works well for me:

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            Log.Logger = new LoggerConfiguration()
                .MinimumLevel.Debug()
                .WriteTo.Trace()
                .CreateLogger();

            var users = new List<InMemoryUser>()
            {
                new InMemoryUser
                {
                    Username = "Jack", Password = "Jack",
                    Claims = new List<Claim>
                    {
                        new Claim("name", "Jack"),
                        new Claim("email", "[email protected]"),
                        new Claim("role", "Admin"),
                    }
                }
            };

            var clients = new Client[]
            {
                new Client
                {
                    ClientId = "mvc",
                    ClientName = "MVC Demo Client",
                    Flow = Flows.Implicit,
                    RedirectUris = new List<string>
                    {
                        "http://localhost:9000",
                        "http://localhost:1409/"
                    },
                    AllowedScopes = new List<string>
                    {
                        "openid", "email", "profile", "roles"
                    }
                }
            };

            var scopes = new Scope[]
            {
                StandardScopes.OpenId,
                StandardScopes.ProfileAlwaysInclude,
                StandardScopes.EmailAlwaysInclude,
                new Scope
                {
                    Name = "roles",
                    Claims = new List<ScopeClaim>
                    {
                        new ScopeClaim("role")
                    },
                    Type = ScopeType.Identity
                }
            };

            var factory = new IdentityServerServiceFactory();
            factory.UseInMemoryClients(clients);
            factory.UseInMemoryScopes(scopes);
            factory.UseInMemoryUsers(users);

            var cert = LoadCertificate();

            app.UseIdentityServer(new IdentityServerOptions
            {
                SiteName = "NDC Demo",
                SigningCertificate = cert,
                Factory = factory,
                AuthenticationOptions = new AuthenticationOptions
                {
                    IdentityProviders = ConfigureAdditionalIdentityProviders,
                    EnableAutoCallbackForFederatedSignout = true
                }
            });
        }

        public static void ConfigureAdditionalIdentityProviders(IAppBuilder app, string signInAsType)
        {
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                AuthenticationType = "aad",
                Caption = "Azure AD",
                SignInAsAuthenticationType = signInAsType,

                Authority = "https://login.microsoftonline.com/04e14a2c-0e9b-42f8-8b22-3c4a2f1d8800",
                ClientId = "eca61fd9-f491-4f03-a622-90837bbc1711",
                RedirectUri = "https://localhost:44333/core/aadcb",
            });
        }

        static X509Certificate2 LoadCertificate()
        {
            var baseFolder = AppDomain.CurrentDomain.BaseDirectory;
            string certificatePath = $"{baseFolder}\\Certificates\\mycompanyname.pfx";
            return new X509Certificate2(certificatePath, "", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
        }
    }

Then we can interact with IdentityServer3 using the following request:

https://localhost:44333/connect/authorize?response_type=id_token&client_id=mvc&redirect_uri=http://localhost:9000&scope=openid+email+profile+roles&nonce=123

Please let me know if this helps.

+0

There is nothing in your configuration that isn't in mine, except that I use login.windows.net/[tenantID]. As I said, it works, but only after I cancel the first request. I suspect IdSrv3 is the source of the problem. Thanks for your effort. –