asp.net – Ajax上的Identity Server 3 – 401而不是302

发布时间：2020-05-22 20:02:59 所属栏目：asp.Net 来源：互联网

导读：我有一个web api / mvc混合应用程序,我已将其配置为使用cookie身份验证.这适用于应用程序的mvc部分. web api确实强制执行授权,但不返回401 – Unauthorized它返回302 – Found并重定向到登录页面.我宁愿它返回401.我试图挂钩到CookieAuthenticationProvider.O

我有一个web api / mvc混合应用程序,我已将其配置为使用cookie身份验证.这适用于应用程序的mvc部分. web api确实强制执行授权,但不返回401 – Unauthorized它返回302 – Found并重定向到登录页面.我宁愿它返回401.我试图挂钩到CookieAuthenticationProvider.OnApplyRedirect委托,但似乎没有调用.我错过了什么？我目前的设置如下：

AntiForgeryConfig.UniqueClaimTypeIdentifier = Constants.ClaimTypes.Subject;
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string,string>();

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies",ExpireTimeSpan = TimeSpan.FromMinutes(20),SlidingExpiration = true,CookieHttpOnly = true,CookieSecure = CookieSecureOption.Never,//local non ssl-dev only
    Provider = new CookieAuthenticationProvider
    {
        OnApplyRedirect = ctx =>
        {
            if (!IsAjaxRequest(ctx.Request))
            {
                ctx.Response.Redirect(ctx.RedirectUri);
            }
        }
    }
});

app.USEOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    Authority = IdentityConfig.Authority,ClientId = IdentityConfig.SoftwareClientId,Scope = "openid profile roles",RedirectUri = IdentityConfig.RedirectUri,ResponseType = "id_token",SignInAsAuthenticationType = "Cookies"
});

解决方法

在您的示例中,UseCookieAuthentication不再对此进行控制,而是使用USEOpenIdConnectAuthentication.这涉及使用Notifications属性并拦截OpenID Connect身份验证请求.

尝试以下灵感：

app.USEOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    Authority = IdentityConfig.Authority,SignInAsAuthenticationType = "Cookies",Notifications = new OpenIdConnectAuthenticationNotifications
    {
        RedirectToIdentityProvider = notification =>
        {
            if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
            {
                if (IsAjaxRequest(notification.Request) && notification.Response.StatusCode == (int)HttpStatusCode.Unauthorized)
                {
                    notification.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
                    notification.HandleResponse();
                    return Task.FromResult(0);
                }
            }
            return Task.FromResult(0);
        }
    }
});

（编辑：安卓应用网）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!