Unable to authorize by BFF in Blazor WebAssembly with Duende.IdentityServer in HTTP scheme, not HTTPS

I have two sample projects, one for Duende Identity Server and another for a Blazor WebAssembly project. They are both written in .NET 7, and we are using the latest release of Duende Identity Server with the BFF (Backend For Frontend) protocol.


The problem:

When we use HTTPS for the authority and for all addresses of both client and server, there is no problem, and we can successfully authenticate and authorize in the Blazor client app.

But we have a problem when using HTTP:

Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.

I know that we have to use HTTPS in production, but right now we are in development, and we should be able to do this in development.


Public repository:

You can find the projects in public repository:
https://github.com/miladashrafi/binande


Steps to reproduce the problem:

Just clone the repository and run both following projects:

Binande.Identity
Binande.Admin.Server

Steps to see that there is no problem in HTTPS mode:

1- Change the URLs from HTTP to HTTPS in both projects' launchSettings.json

Binande.Admin.Server:

"applicationUrl": "https://localhost:5002"

Binande.Identity:

"applicationUrl": "https://localhost:5001"

2- Change the URLs of the interactive.confidential client in IdentityServerConfig.cs:

Binande.Identity:

RedirectUris = { "https://localhost:5002/signin-oidc" },
PostLogoutRedirectUris = { "https://localhost:5002" },

3- Change the Authority URL in Program.cs of the Binande.Identity project:

options.Authority = "https://localhost:5001";

Now it's working fine!


Question:

The question is: how to have this in HTTP mode instead of HTTPS in development environment?


Note:

We have options.RequireHttpsMetadata = false;, options.Cookie.SameSite = SameSiteMode.Lax; and options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; in the cookie policies and configuration.

Thank you for any help.

Answer 1

Score: 1

I found the problem: your cookie name does not seem to meet its restrictions. After changing it, authentication works normally.

Change your cookie name:

options.Cookie.Name = "Host-blazor";

Test result: (screenshot of the authenticated Blazor app; image not included on this page)
It has some restrictions on __Host- and __Secure- prefixed names. For more details, you can check the Cookie prefixes section in this link.
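Why the rename in the answer works, and why the question's configuration fails only over HTTP, as an added example that is not code from the post or from the Binande repository. It models two things in JavaScript: the Secure attribute that ASP.NET Core's CookieSecurePolicy values produce for a given request scheme, and the cookie-prefix rules a browser applies before storing a Set-Cookie header (RFC 6265bis, "Cookie Name Prefixes": a `__Host-` cookie must carry Secure, carry no Domain, and have Path=/; a `__Secure-` cookie must carry Secure). The Set-Cookie headers are constructed here, not captured traffic; Path=/ and SameSite=Lax are assumed to match the post's configuration, and the cookie value is a placeholder.

```javascript
// Added example, not code from the original post or the Binande repository.
// Models (1) the Secure attribute ASP.NET Core's CookieSecurePolicy emits
// for a request scheme and (2) the browser-side cookie-prefix acceptance
// rules from RFC 6265bis ("Cookie Name Prefixes"). Headers below are
// constructed for illustration; the cookie value is a placeholder.

// Secure attribute emitted for a given policy and request scheme.
// Mirrors the meaning of the CookieSecurePolicy enum values.
function secureAttributeFor(policy, requestScheme) {
  switch (policy) {
    case "Always": return true;
    case "None": return false;
    case "SameAsRequest": return requestScheme === "https";
    default: throw new Error(`unknown CookieSecurePolicy: ${policy}`);
  }
}

// Build the Set-Cookie header the cookie auth handler would send.
// Path=/ and SameSite=Lax are assumed (the post uses SameSiteMode.Lax).
function buildSetCookie(name, policy, requestScheme, value = "opaque-ticket") {
  const attrs = ["path=/", "samesite=lax", "httponly"];
  if (secureAttributeFor(policy, requestScheme)) attrs.push("secure");
  return `${name}=${value}; ${attrs.join("; ")}`;
}

// Parse a Set-Cookie header into name, value and lower-cased attributes.
// Flag attributes without a value (Secure, HttpOnly) are stored as true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq >= 0 ? pair.slice(0, eq).trim() : pair;
  const value = eq >= 0 ? pair.slice(eq + 1).trim() : "";
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i >= 0 ? part.slice(0, i) : part).trim().toLowerCase();
    attrs[key] = i >= 0 ? part.slice(i + 1).trim() : true;
  }
  return { name, value, attrs };
}

// Decide whether a user agent stores the cookie, applying the prefix rules.
// Returns { accepted, reason } so a caller can log why a cookie was dropped.
function cookieAccepted(header) {
  const { name, attrs } = parseSetCookie(header);
  const secure = attrs.secure === true;
  if (name.startsWith("__Host-")) {
    if (!secure) return { accepted: false, reason: "__Host- requires the Secure attribute" };
    if ("domain" in attrs) return { accepted: false, reason: "__Host- forbids a Domain attribute" };
    if (attrs.path !== "/") return { accepted: false, reason: "__Host- requires Path=/" };
  } else if (name.startsWith("__Secure-") && !secure) {
    return { accepted: false, reason: "__Secure- requires the Secure attribute" };
  }
  return { accepted: true, reason: "stored" };
}

// The three situations from the thread, evaluated side by side.
function evaluateScenarios() {
  const scenarios = {
    // Original name over HTTP: SameAsRequest omits Secure, the browser never
    // stores the session cookie, and every later request arrives anonymous.
    httpHostPrefix: buildSetCookie("__Host-blazor", "SameAsRequest", "http"),
    // Same configuration over HTTPS: Secure is emitted and all prefix rules pass.
    httpsHostPrefix: buildSetCookie("__Host-blazor", "SameAsRequest", "https"),
    // The accepted answer: without the prefix there is no Secure requirement.
    httpNoPrefix: buildSetCookie("Host-blazor", "SameAsRequest", "http"),
  };
  const results = {};
  for (const [key, header] of Object.entries(scenarios)) {
    results[key] = { header, ...cookieAccepted(header) };
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [key, r] of Object.entries(evaluateScenarios())) {
    console.log(`${key}: ${r.accepted ? "stored" : "DROPPED"} (${r.reason})\n  ${r.header}`);
  }
}
```

The chain of events this reproduces: with `CookieSecurePolicy.SameAsRequest` and an `http://localhost:5002` request, the Set-Cookie header has no Secure attribute, so the browser silently discards a `__Host-` cookie; the server then sees no session cookie on the next request and `DenyAnonymousAuthorizationRequirement` fails. Renaming the cookie removes that check, but it also removes the protection the prefix gives in production (the cookie can no longer be set from a plain-HTTP origin, from a subdomain via Domain, or scoped to a sub-path). A safer arrangement keeps `__Host-` and `CookieSecurePolicy.Always` for non-development environments and switches to the unprefixed name only when `IWebHostEnvironment.IsDevelopment()` is true, which is an assumption about how the project would be wired, not something the post describes.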

huangapple
  • Posted on 2023-05-31 23:36:15
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76375183.html