Unable to authorize by BFF in Blazor WebAssembly with Duende.IdentityServer in HTTP scheme, not HTTPS

huangapple go评论81阅读模式
英文:

Unable to authorize by BFF in Blazor WebAssembly with Duende.IdentityServer in HTTP scheme, not HTTPS

问题

我有两个示例项目,一个用于Duende Identity Server,另一个用于Blazor WebAssembly项目,它们都是使用.NET 7编写的,我们正在使用最新版本的Duende Identity服务器与**BFF(Backend For Frontend)**协议。

问题:

当我们在权威和客户端和服务器的所有地址都使用HTTPS时,没有问题!我们可以在Blazor客户端应用程序中成功进行身份验证和授权。

但是在使用HTTP时出现问题:

Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.

我知道我们必须在生产中使用HTTPS,但现在我们处于开发阶段,应该能够在开发中执行此操作。

公共存储库:

您可以在公共存储库中找到这些项目:
https://github.com/miladashrafi/binande

重现问题的步骤:

只需克隆存储库并运行以下两个项目:

  • Binande.Identity
  • Binande.Admin.Server

在HTTPS模式下查看没有问题的步骤:

  1. 在两个项目的launchSettings.json中将URL从HTTP更改为HTTPS

Binande.Admin.Server:

"applicationUrl": "https://localhost:5002"

Binande.Identity:

"applicationUrl": "https://localhost:5001"
  1. IdentityServerConfig.cs中更改interactive.confidential客户端的URL:

Binande.Identity:

RedirectUris = { "https://localhost:5002/signin-oidc" },
PostLogoutRedirectUris = { "https://localhost:5002" },
  1. 在Binande.Identity项目的Program.cs中更改权威URL:
options.Authority = "https://localhost:5001";

现在它正常工作!

问题:

问题是:如何在开发环境中使用HTTP模式而不是HTTPS?

注意:

我们在Cookie策略和配置中具有options.RequireHttpsMetadata = false;options.Cookie.SameSite = SameSiteMode.Lax;以及options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;

感谢任何帮助。

英文:

I have two sample projects, one for Duende Identity Server and another for Blazor WebAssembly project, they are both writen by .NET 7 and we are using latest release of Duende Identity server with BFF(Backend For Frontend) protocol.


The problem:

When we use HTTPS for authority and all addresses for both client and server there is no problem! and we can successfully authenticate and authorize in Blazor Client app.

But we have problem when using HTTP:

Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.

I know that we have to use HTTPS in production, but now we are in development and we should have been able to do it in development.


Public repository:

You can find the projects in public repository:
https://github.com/miladashrafi/binande


Steps to reproduce the problem:

Just clone the repository and run both following projects:

Binande.Identity
Binande.Admin.Server

Steps to see that there is no problem in HTTPS mode:

1- Change urls from HTTP to HTTPS in both projects launchSettings.json

Binande.Admin.Server:

"applicationUrl": "https://localhost:5002"

Binande.Identity:

"applicationUrl": "https://localhost:5001"

2- Change urls of interactive.confidential client in IdentityServerConfig.cs:

Binande.Identity:

RedirectUris = { "https://localhost:5002/signin-oidc" },
PostLogoutRedirectUris = { "https://localhost:5002" },

3- Change the Authority url of Program.cs in Binande.Identity project:

options.Authority = "https://localhost:5001";

Now it's working fine!


Question:

The question is: how to have this in HTTP mode instead of HTTPS in development environment?


Note:

We have options.RequireHttpsMetadata = false; and options.Cookie.SameSite = SameSiteMode.Lax; and options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; in cookie policies and configuration.

Thank you for any help

答案1

得分: 1

我发现问题了,你的 Cookie 名称似乎不符合其限制条件,更改后可以正常进行验证。

更改你的 Cookie 名称:

options.Cookie.Name = "Host-blazor";

测试结果:

Unable to authorize by BFF in Blazor WebAssembly with Duende.IdentityServer in HTTP scheme, not HTTPS

它对以 __Host-__Secure- 为前缀的名称有一些限制。更多详情,请查看此链接中的 Cookie 前缀 部分。

英文:

I found the problem, your cookie name does not seem to meet its restrictions, after changing it can be authenticated normally.

Chang your cookie name:

options.Cookie.Name = "Host-blazor";

Test Result:
Unable to authorize by BFF in Blazor WebAssembly with Duende.IdentityServer in HTTP scheme, not HTTPS
It has some restrictions on __Host- and __Secure- prefixed names. For more details, you can check the Cookie prefixes section in this link.

huangapple
  • 本文由 发表于 2023年5月31日 23:36:15
  • 转载请务必保留本文链接:https://go.coder-hub.com/76375183.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定