Custom UserService не работает, когда позади loadbalancer
У нас есть Identityserver v3 с пользовательским сервисом UserService с двухфакторной аутентификацией за балансировщиком нагрузки. Он работает на моей машине:-), но не работает парциальная проверка подлинности при развертывании в среде с балансировкой нагрузки (я не уверен, что это связано с балансировкой нагрузки, я просто предполагаю, что у нас v2 также работает на тех же серверах - проблем там нет).
Я использую сертификат из примера impl и использую RequireSSL=false (http за loadbalancer)
В моем TwoFactorController я печатаю некоторую отладку, может это поможет?
Trace.WriteLine(JsonConvert.SerializeObject(ctx.Authentication.User));
var authentication = await ctx.Authentication.AuthenticateAsync(Constants.PartialSignInAuthenticationType);
// Problem is that this is null
if (authentication == null)
{
return View("Error");
}
Tracelog:
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.DiscoveryEndpointController]: 20.05.2015 13:24:47 +00:00 -- Start discovery request
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.DiscoveryEndpointController]: 20.05.2015 13:24:48 +00:00 -- Start key discovery request
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthorizeEndpointController]: 20.05.2015 13:24:48 +00:00 -- Start authorize request
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Validation.AuthorizeRequestValidator]: 20.05.2015 13:24:48 +00:00 -- Start authorize request protocol validation
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Validation.AuthorizeRequestValidator]: 20.05.2015 13:25:01 +00:00 -- Authorize request validation success
{
"ClientId": "MvcTest1",
"ClientName": "MvcTest1",
"RedirectUri": "https://smi-test.myserver.net/TestMVC/",
"AllowedRedirectUris": [
"https://localhost:44311/TestMVC/",
"https://smi-test.myserver.net/TestMVC/"
],
"SubjectId": "unknown",
"ResponseType": "id_token",
"ResponseMode": "form_post",
"Flow": "Implicit",
"RequestedScopes": "sse_roles smi_profile openid profile",
"State": "OpenIdConnect.AuthenticationProperties=OoZ3B4sAgC2fqGquUN3Nqg4JH1YFJeG8hCzr1D5O_3nFY_KZpUz_bsg8syMLEeYAP5tFt4YtYspJ8nf97VBnHP0YZkXFAuZQtZpdyAlWUY2yOfpLFwndlIlR_HFfiv7M8ztr_WsP7TAS5tLXuqLTbjrN1Yz1I-bTQd8iO-I002oKqksH1riamKagZJt9O-a5gkG4srOqH53yCHUb9bHflbpw_p4A7k8N3LYISpEf26M",
"Nonce": "635677250880977851.NTJkMzlhMDQtZDA0OC00MTRiLTg0NDgtZGI2M2QwOTMzMDE0ODI5YTE1YTktZGY0YS00NTk0LTkwNWItOTEyYmNiMTMwZDk5",
"Raw": {
"client_id": "MvcTest1",
"redirect_uri": "https://smi-test.myserver.net/TestMVC/",
"response_mode": "form_post",
"response_type": "id_token",
"scope": "sse_roles smi_profile openid profile",
"state": "OpenIdConnect.AuthenticationProperties=OoZ3B4sAgC2fqGquUN3Nqg4JH1YFJeG8hCzr1D5O_3nFY_KZpUz_bsg8syMLEeYAP5tFt4YtYspJ8nf97VBnHP0YZkXFAuZQtZpdyAlWUY2yOfpLFwndlIlR_HFfiv7M8ztr_WsP7TAS5tLXuqLTbjrN1Yz1I-bTQd8iO-I002oKqksH1riamKagZJt9O-a5gkG4srOqH53yCHUb9bHflbpw_p4A7k8N3LYISpEf26M",
"nonce": "635677250880977851.NTJkMzlhMDQtZDA0OC00MTRiLTg0NDgtZGI2M2QwOTMzMDE0ODI5YTE1YTktZGY0YS00NTk0LTkwNWItOTEyYmNiMTMwZDk5"
}
}
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.ResponseHandling.AuthorizeInteractionResponseGenerator]: 20.05.2015 13:25:01 +00:00 -- User is not authenticated. Redirecting to login.
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthorizeEndpointController]: 20.05.2015 13:25:01 +00:00 -- End authorize request
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Results.LoginResult]: 20.05.2015 13:25:01 +00:00 -- Redirecting to login page
Debug: [Thinktecture.IdentityServer.Core.Configuration.Hosting.MessageCookie`1]: 20.05.2015 13:25:01 +00:00 -- Protecting message: {"ReturnUrl":"http://smi-test.myserver.net/STSv3/connect/authorize?client_id=MvcTest1&redirect_uri=https%3A%2F%2Fsmi-test.myserver.net%2FTestMVC%2F&response_mode=form_post&response_type=id_token&scope=sse_roles%20smi_profile%20openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DOoZ3B4sAgC2fqGquUN3Nqg4JH1YFJeG8hCzr1D5O_3nFY_KZpUz_bsg8syMLEeYAP5tFt4YtYspJ8nf97VBnHP0YZkXFAuZQtZpdyAlWUY2yOfpLFwndlIlR_HFfiv7M8ztr_WsP7TAS5tLXuqLTbjrN1Yz1I-bTQd8iO-I002oKqksH1riamKagZJt9O-a5gkG4srOqH53yCHUb9bHflbpw_p4A7k8N3LYISpEf26M&nonce=635677250880977851.NTJkMzlhMDQtZDA0OC00MTRiLTg0NDgtZGI2M2QwOTMzMDE0ODI5YTE1YTktZGY0YS00NTk0LTkwNWItOTEyYmNiMTMwZDk5","ClientId":"MvcTest1","AcrValues":[],"Created":635677250886418395}
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:01 +00:00 -- Login page requested
Debug: [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:01 +00:00 -- signin message passed to login: {
"ReturnUrl": "http://smi-test.myserver.net/STSv3/connect/authorize?client_id=MvcTest1&redirect_uri=https%3A%2F%2Fsmi-test.myserver.net%2FTestMVC%2F&response_mode=form_post&response_type=id_token&scope=sse_roles%20smi_profile%20openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DOoZ3B4sAgC2fqGquUN3Nqg4JH1YFJeG8hCzr1D5O_3nFY_KZpUz_bsg8syMLEeYAP5tFt4YtYspJ8nf97VBnHP0YZkXFAuZQtZpdyAlWUY2yOfpLFwndlIlR_HFfiv7M8ztr_WsP7TAS5tLXuqLTbjrN1Yz1I-bTQd8iO-I002oKqksH1riamKagZJt9O-a5gkG4srOqH53yCHUb9bHflbpw_p4A7k8N3LYISpEf26M&nonce=635677250880977851.NTJkMzlhMDQtZDA0OC00MTRiLTg0NDgtZGI2M2QwOTMzMDE0ODI5YTE1YTktZGY0YS00NTk0LTkwNWItOTEyYmNiMTMwZDk5",
"ClientId": "MvcTest1",
"IdP": null,
"Tenant": null,
"LoginHint": null,
"DisplayMode": null,
"UiLocales": null,
"AcrValues": [],
"Created": 635677250886418395
}
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:01 +00:00 -- rendering login page
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:29 +00:00 -- Login page submitted
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:29 +00:00 -- Login credentials successfully validated by user service
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:29 +00:00 -- issuing cookie (partial login)
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:29 +00:00 -- redirecting to: http://test.myserver.net/STSv3/TwoFactor/Index
w3wp.exe Information: 0 : TwoFactorController JsonConvert.SerializeObject(ctx.Authentication.User):
{"Claims":[],"Identities":[{"AuthenticationType":null,"IsAuthenticated":false,"Actor":null,"BootstrapContext":null,"Claims":[],"Label":null,"Name":null,"NameClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name","RoleClaimType":"http://schemas.microsoft.com/ws/2008/06/identity/claims/role"}],"Identity":{"AuthenticationType":null,"IsAuthenticated":false,"Actor":null,"BootstrapContext":null,"Claims":[],"Label":null,"Name":null,"NameClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name","RoleClaimType":"http://schemas.microsoft.com/ws/2008/06/identity/claims/role"}}
Обновление Я удалил частичный вход в систему, но все еще не работает. Это последняя запись в журнале от IdServer
[Thinktecture.IdentityServer.Core.Results.AuthorizeFormPostResult]: 21.05.2015 07:54:35 +00:00 -- Posting to https://smi-test.myserver.net/TestMVC/
И в браузере содержимое пустое, но заголовок гласит: "Подать эту форму". URL браузера:
https://smi-test.myserver.net/STSv3/connect/authorize?client_id=MvcTest1&redirect_uri=https%3A%2F%2Fsmi-test.myserver.net%2FTestMVC%2F&response_mode=form_post&response_type=id_token&scope=sse_roles%20smi_profile%20openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DIxrlCyPTeXy89E1BwspOh64Hu66D0vrJ5T3y8FwdzpWIKQQZY.....
Update2 Проверка формы отправки, и похоже, что скрипт заблокирован политикой безопасности контента
На странице https://smi-test.myserver.net/STSv3/connect/authorize загружается скрипт
<script src="http://smi-test.myserver.net/STSv3/assets/app.FormPostResponse.js"></script>
Как изменить это, чтобы быть https?
Larsi
1 ответ
Решение
Проблема решена при установке этого свойства:
PublicOrigin
Некоторая дополнительная информация по этой проблеме может быть найдена в этой проблеме