2

我不确定这是否是在 OIDC 或 apache 中处理的,但我看到的是这个,希望得到一些建议:

客户登录到多个 Google 帐户并在帐户选择器中点击了错误的帐户,他们得到了 401 Unauthorized

然后他们尝试返回 OIDC 服务器并继续获取未经授权的信息。即使他们清除 cookie 等也是如此。

我能让他们重新登录的唯一可靠方法是他们在 Safari 中打开一个私人窗口或在 Chrome 中打开另一个个性。

有没有办法让 401 重定向到 Google 帐户选择器,然后允许 apache 重试?基本上,一旦他们从 apache 获得 401 - 通过 openidc - 就没有好方法再次重新验证。有没有办法让人们更容易重试登录?

提前致谢。我的配置如下:

<VirtualHost _default_:443>
   ServerName nameofserver.com
   ServerAdmin ops@nameofserver.com
   DocumentRoot /var/www/html
   Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
   Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
   SetEnvIf Origin "^(.*\.nameofserver\.co,)$" ORIGIN_SUB_DOMAIN=$1
   Header set Access-Control-Allow-Origin "%{ORIGIN_SUB_DOMAIN}e" env=ORIGIN_SUB_DOMAIN
   Header always set Access-Control-Allow-Credentials "true"
   ErrorDocument 503 "A custom error message"
   RequestHeader set X-Forwarded-Proto "https" early
   LimitRequestFieldSize 65000

   SSLEngine on
   SSLCertificateFile /etc/apache2/pathtoprivcert
   SSLCertificateKeyFile /etc/apache2/ssl/pathtoprivkey
   SSLProtocol             TLSv1.1 TLSv1.2
   SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
   SSLHonorCipherOrder     on
   SSLCompression          off

   OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
   OIDCClientID clientIDfromGoogle@google.com
   OIDCClientSecret Averysecrtkey

   OIDCScope "openid email profile"
   OIDCRedirectURI https://www.nameofserver.com/oauth2callback
   OIDCCryptoPassphrase Alsoverysecurekey

   OIDCSessionInactivityTimeout 86400

   OIDCCookiePath /

   OIDCRemoteUserClaim email
   OIDCAuthNHeader X-Forwarded-User

   LogLevel info


   <Proxy balancer://http-nameofserver>
     BalancerMember http://www1.nameofserver.com route=0
     BalancerMember http://www2.nameofserver.com route=1
     BalancerMember http://www3.nameofserver.com route=2

     ProxySet lbmethod=byrequests
     ProxySet stickysession=ROUTEID
     ProxySet failonstatus=503
     ProxySet maxattempts=2
   </Proxy>

   <Proxy balancer://ws-nameofserver>
     BalancerMember ws://www1.nameofserver.com route=0
     BalancerMember ws://www2.nameofserver.com route=1
     BalancerMember ws://www3.nameofserver.com route=2

     ProxySet lbmethod=byrequests
     ProxySet stickysession=ROUTEID
     ProxySet failonstatus=503
     ProxySet maxattempts=2
   </Proxy>


   RewriteEngine On
   RewriteCond %{REQUEST_URI}  ^/socket.io            [NC]
   RewriteCond %{QUERY_STRING} transport=websocket    [NC]
   RewriteRule /(.*) balancer://ws-nameofserver/$1 [P,L]

   ProxyPreserveHost on
   ProxyPass / balancer://http-nameofserver/
   ProxyPassReverse / balancer://http-nameofserver/
   ProxyPass /socket.io/ balancer://ws-nameofserver/socket.io/
   ProxyPassReverse /socket.io/ balancer://ws-nameofserver/socket.io/

   ProxyRequests     Off
   AllowEncodedSlashes NoDecode

      <Location />
         AuthType openid-connect
         Require host somealloweddomain.com
         Require claim hd:corpsite.com
         Require claim hd:someotherdomain.com
         Require claim hd:yetanothercompany.com
      </Location>

      <LocationMatch "^(?!/t/|/an-url|/another-url|/lasturl)/[^/]+">
         OIDCUnAuthAction 401
      </LocationMatch>

</VirtualHost>
4

1 回答 1

1

您可以在身份验证请求中添加自定义参数prompt=select_account,如下所述: https ://github.com/pingidentity/mod_auth_openidc/wiki#13-how-can-i-add-custom-parameters-to-the-authorization-request

所以在你的情况下添加:

OIDCAuthRequestParams prompt=select_account
于 2016-02-21T08:37:16.800 回答