In my application I have the user log in to Dropbox, and when that process completes it uses the SessionAuthenticationModule to write claims to the fedauth cookie.
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;

var sam = FederatedAuthentication.SessionAuthenticationModule;
if (sam != null)
{
    // (ClaimsPrincipal.Current.Identity as ClaimsIdentity).AddClaim(new Claim("Provider", "Dropbox"));
    // Build a new principal that carries only the Dropbox claim
    var cp = new ClaimsPrincipal(new ClaimsIdentity(new List<Claim> { new Claim("Provider", "Dropbox") }, "OAuth"));
    // Pass it through the configured ClaimsAuthenticationManager, if one is registered
    var transformer = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.ClaimsAuthenticationManager;
    if (transformer != null)
    {
        cp = transformer.Authenticate(String.Empty, cp);
    }
    // Wrap the principal in a session token and write it to the FedAuth cookie
    var token = new SessionSecurityToken(cp);
    sam.WriteSessionTokenToCookie(token);
}
The claims are written, and when a new request comes in the user is authenticated and the claims are in effect.
My problem is that if the user instead starts the authentication process with Azure ACS by navigating to one of the following sign-in URLs:
https://s-innovations.accesscontrol.windows.net/v2/metadata/identityProviders.js?protocol=wsfederation&realm=http://77.75.160.102:2638/&version=1.0&callback=ShowSigninPage
then when the STS returns to my site, I get an exception:
The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters. ]
System.Convert.FromBase64_Decode(Char* startInputPtr, Int32 inputLength, Byte* startDestPtr, Int32 destLength) +10545309
System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength) +130
System.Convert.FromBase64String(String s) +41
System.IdentityModel.Services.ChunkedCookieHandler.ReadInternal(String name, HttpCookieCollection requestCookies) +350
System.IdentityModel.Services.ChunkedCookieHandler.ReadCore(String name, HttpContext context) +45
System.IdentityModel.Services.CookieHandler.Read(String name, HttpContext context) +74
System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +126
System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +116
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +136
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +69
If the process is reversed, logging in through Azure ACS first and then through Dropbox, everything works; the Dropbox claims overwrite the Azure ACS claims. This makes me think I have an error in the code snippet where I start writing the cookie with the SAM?
Update
I just found that it works when MachineKeySessionSecurityTokenHandler is not used.
<securityTokenHandlers>
    <!--<add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />-->
    <!--<remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />-->
</securityTokenHandlers>
Any idea how to change my code to support MachineKeySessionSecurityTokenHandler?
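As an added example that is not part of the original question, this is the usual web.config shape for registering MachineKeySessionSecurityTokenHandler in place of the default SessionSecurityTokenHandler. The assembly identities are the ones quoted in the question; the machineKey values are placeholders that you must generate yourself, and the surrounding configuration sections are assumed.

```xml
<!-- Added example, not the question's own config. Placeholder keys must be replaced. -->
<configuration>
  <system.web>
    <!-- MachineKeySessionSecurityTokenHandler protects the FedAuth cookie with the
         ASP.NET machineKey instead of DPAPI, so every node in a web farm needs the
         same values. Generate real keys (IIS Manager or RNGCryptoServiceProvider);
         the values below are placeholders and will not work as written. -->
    <machineKey validationKey="REPLACE-WITH-GENERATED-VALIDATION-KEY"
                decryptionKey="REPLACE-WITH-GENERATED-DECRYPTION-KEY"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
  <system.identityModel>
    <identityConfiguration>
      <securityTokenHandlers>
        <!-- Both entries are needed: remove the default DPAPI-based handler for
             SessionSecurityToken first, then add the machine-key-based one. -->
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
    </identityConfiguration>
  </system.identityModel>
</configuration>
```

One caveat when switching handlers: a FedAuth cookie that was issued while the default DPAPI-based handler was active is not readable by the machine-key-based handler (and vice versa), so clear the browser's FedAuth cookies between test runs, otherwise a stale cookie from the previous configuration can be mistaken for a bug in the code that writes the new one.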