I have set up a small ASP.NET Core v3 webapp with Microsoft.Identity.Web from https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC
This works fine. But when I log in as userA and then delete that user from our Azure AD, the user stays logged in. How can I force my application to periodically check whether that user still exists or whether his roles have changed?
From Cookie not expiring from Azure AD auth I know I can set OpenIdConnectOptions.UseTokenLifetime = false and CookieAuthenticationOptions.ExpireTimeSpan. But I don't have these options because (I think) this is handled by Microsoft.Identity.Web.
This is my startup.cs:
public void ConfigureServices(IServiceCollection services)
{
    services.Configure<CookiePolicyOptions>(options =>
    {
        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    services.AddMicrosoftIdentityPlatformAuthentication(Configuration);

    // Start update
    services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
    {
        options.UseTokenLifetime = true;
    });
    services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromMinutes(10);
        options.SlidingExpiration = false;
    });
    // End update

    services.AddControllersWithViews(options =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    });
    services.AddRazorPages();
}
Should I add OpenIdConnectOptions and CookieAuthenticationOptions?
Update: Fiddler response
https://localhost:44321/AzureAD/Account/SignIn:
Response sent 393 bytes of Cookie data:
Set-Cookie: .AspNetCore.OpenIdConnect.Nonce.CfDJ8DuK51tOHitCik75v2S8iWxKHxTWbTuVHpn..tFRI_4=N; expires=Mon, 18 Nov 2019 15:46:01 GMT; path=/signin-oidc; secure; httponly
Response sent 159 bytes of Cookie data:
Set-Cookie: .AspNetCore.Correlation.AzureADOpenID.391z3h71jwDryPN3B-AdSG0heYONqHJl1CVSVXQTEvA=N; expires=Mon, 18 Nov 2019 15:46:01 GMT; path=/signin-oidc; secure; httponly
https://login.microsoftonline.com/4723a546-001 ...:
Response sent 1012 bytes of Cookie data:
Set-Cookie: ESTSAUTHPERSISTENT=AQABAAQAAACQN9QBRU3jT6bcBQLZNUj7uwP...mnvoIAAgAEAA8AEAAA; domain=.login.microsoftonline.com; expires=Sun, 16-Feb-2020 15:31:00 GMT; path=/; secure; HttpOnly; SameSite=None
Response sent 344 bytes of Cookie data:
Set-Cookie: ESTSAUTH=AQABAAQAAACQN9QBRU3jT6bcBQLZNUj7wC-ZyhIlRLoQ...AAIABAACAAAAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Response sent 46 bytes of Cookie data:
Set-Cookie: ESTSAUTHLIGHT=+; path=/; secure; SameSite=None
Response sent 151 bytes of Cookie data:
Set-Cookie: ch=5skAXHVPUQU3cW85sv9gWKffR4iIPEUy-ft0Wus--nw; domain=.login.microsoftonline.com; expires=Sun, 16-Feb-2020 15:31:00 GMT; path=/; secure; SameSite=None
Response sent 50 bytes of Cookie data:
Set-Cookie: ESTSSC=00; path=/; secure; HttpOnly; SameSite=None
Response sent 291 bytes of Cookie data:
Set-Cookie: buid=AQABAAEAAACQN9QBRU3jT6bcBQLZNUj7TWvsgdEJ-MOKclE...UnPupXv2kGSxsgAA; expires=Wed, 18-Dec-2019 15:31:00 GMT; path=/; secure; HttpOnly; SameSite=None
Response sent 1831 bytes of Cookie data:
Set-Cookie: CCState=Q2xJS1FHZGxaWEowYUdWa1pHVkFjM1ZpWVdSMmFXVnpM...reFV1VkFBRT0=; domain=.login.microsoftonline.com; expires=Thu, 28-Nov-2019 15:31:00 GMT; path=/; secure; HttpOnly; SameSite=None
Response sent 171 bytes of Cookie data:
Set-Cookie: fpc=AoAEjBaP4a5AlJE4o0Jin2Ps2YtHAQAAAOmvZNUOAAAAg2kmAwIAAAC8r2TVDgAAADvINqwBAAAA2K9k1Q4AAAA; expires=Wed, 18-Dec-2019 15:31:00 GMT; path=/; secure; HttpOnly; SameSite=None
https://login.microsoftonline.com/4723a546-001../login HTTP/1.1:
Response sent 1012 bytes of Cookie data:
Set-Cookie: ESTSAUTHPERSISTENT=AQABAAQAAACQN9QBRU3jT6bcBQLZNUj...IAAgAEAA8AEAAA; domain=.login.microsoftonline.com; expires=Sun, 16-Feb-2020 15:31:18 GMT; path=/; secure; HttpOnly; SameSite=None
Response sent 728 bytes of Cookie data:
Set-Cookie: ESTSAUTH=AQABAAQAAACQN9QBRU3jT6bcBQLZNUj77qVSa5EFK...BAAEABAAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Response sent 82 bytes of Cookie data:
Set-Cookie: ESTSAUTHLIGHT=+d4f06d0f-8cba-42f7-81cd-a996d96fcbce; path=/; secure; SameSite=None
Response sent 151 bytes of Cookie data:
Set-Cookie: ch=o3kjZd2rB2j31dip8OtCMqqwRWCB2vyRziEz796WfUE; domain=.login.microsoftonline.com; expires=Sun, 16-Feb-2020 15:31:18 GMT; path=/; secure; SameSite=None
Response sent 50 bytes of Cookie data:
Set-Cookie: ESTSSC=00; path=/; secure; HttpOnly; SameSite=None
Response sent 291 bytes of Cookie data:
Set-Cookie: buid=AQABAAEAAACQN9QBRU3jT6bcBQLZNUj7jiDQCSTiR0kg-...V2qP5AgAA; expires=Wed, 18-Dec-2019 15:31:18 GMT; path=/; secure; HttpOnly; SameSite=None
Response sent 1831 bytes of Cookie data:
Set-Cookie: CCState=Q2xJS1FHZGxaWEowYUdWa1pHVkFjM1ZpWVdSMmFXVn...NiOEFBRT0=; domain=.login.microsoftonline.com; expires=Thu, 28-Nov-2019 15:31:18 GMT; path=/; secure; HttpOnly; SameSite=None
Response sent 171 bytes of Cookie data:
Set-Cookie: fpc=AoAEjBaP4a5AlJE4o0Jin2Ps2YtHAQAAAOmvZNUOAAAAg2...AA; expires=Wed, 18-Dec-2019 15:31:18 GMT; path=/; secure; HttpOnly; SameSite=None
Response sent 66 bytes of Cookie data:
Set-Cookie: x-ms-gateway-slice=estsfd; path=/; SameSite=None; secure; HttpOnly
Response sent 47 bytes of Cookie data:
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
Update 2:
The change in my Startup.cs now does seem to work. I logged in as UserC and then deleted this user from AAD. After an hour, when I changed pages, I had to log in again. This of course failed. The hour is a bit odd, since I set ExpireTimeSpan to 10 minutes. But I am already happy that the user gets checked.
A side note: when I now restart my application, it redirects straight to login.live.com and asks me for my password, but I cannot change the username!
In the URL I see the username as a parameter, and when I remove it, it does ask me for a username. But when I use another account it keeps saying my password is incorrect. Most likely because it is using my personal version instead of my work version. I cannot change this, so I can no longer log in to my own application.
Another huge drawback is that I was also logged in to the Azure portal with my admin account. The next morning, after restarting my laptop, reopening Chrome and restoring my tabs (including the Azure portal tab), I am now logged in as the user I used in the application. Why?? Since that user has been deleted, I can no longer log in to the Azure portal. Most likely because it is using my personal version instead of my business version.
I am not sure whether I should keep using the Microsoft Identity Platform for my new application. So far it has done me more harm than good.
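One way to get the behaviour the question asks for (re-check the signed-in user on a schedule instead of trusting the cookie until it expires), as an added example that is not part of the question, of the sample repo or of Microsoft.Identity.Web: the cookie handler's `OnValidatePrincipal` event runs on every request that presents the auth cookie, so the principal can be rejected and signed out when a directory lookup reports that the user is gone, and its role claims can be refreshed when they changed. The `IUserDirectory` interface, the `.lastValidated` property key and the 10-minute interval are assumptions made for the example; the object-id claim type is the one Azure AD issues.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical abstraction over the directory (for instance a Microsoft Graph
// lookup registered in DI). Returns null when the user no longer exists.
public interface IUserDirectory
{
    Task<string[]> GetRolesAsync(string objectId);
}

public static class PrincipalRevalidation
{
    // Assumed interval: how long a cookie-authenticated principal is trusted
    // before the directory is consulted again.
    public static readonly TimeSpan RevalidateEvery = TimeSpan.FromMinutes(10);

    // Property key (assumed name) under which the last check time is stored in the cookie.
    private const string LastValidatedKey = ".lastValidated";

    // Claim type carrying the user's Azure AD object id.
    private const string ObjectIdClaim =
        "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // True when the stamp is missing, unparsable, or older than the interval.
    public static bool IsDue(AuthenticationProperties properties, DateTimeOffset now)
    {
        if (!properties.Items.TryGetValue(LastValidatedKey, out var stamp) ||
            !DateTimeOffset.TryParse(stamp, CultureInfo.InvariantCulture,
                                     DateTimeStyles.RoundtripKind, out var last))
        {
            return true;
        }
        return now - last >= RevalidateEvery;
    }

    public static async Task ValidatePrincipalAsync(CookieValidatePrincipalContext context)
    {
        var now = DateTimeOffset.UtcNow;
        if (!IsDue(context.Properties, now))
        {
            return; // checked recently; keep the cookie as-is
        }

        var oid = context.Principal?.FindFirst(ObjectIdClaim)?.Value;
        var directory = context.HttpContext.RequestServices.GetRequiredService<IUserDirectory>();
        var roles = oid == null ? null : await directory.GetRolesAsync(oid);

        if (roles == null)
        {
            // User deleted (or no object id on the principal): end the session now.
            context.RejectPrincipal();
            await context.HttpContext.SignOutAsync(AzureADDefaults.CookieScheme);
            return;
        }

        // Replace the role claims so authorization sees the current directory state.
        var identity = (ClaimsIdentity)context.Principal.Identity;
        foreach (var old in identity.FindAll(identity.RoleClaimType).ToList())
        {
            identity.RemoveClaim(old);
        }
        foreach (var role in roles)
        {
            identity.AddClaim(new Claim(identity.RoleClaimType, role));
        }

        // Record the check and ask the handler to re-issue the cookie with the new claims.
        context.Properties.Items[LastValidatedKey] = now.ToString("o");
        context.ShouldRenew = true;
    }

    // Wire-up for ConfigureServices, after AddMicrosoftIdentityPlatformAuthentication(Configuration).
    public static IServiceCollection AddPrincipalRevalidation(this IServiceCollection services)
    {
        services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
        {
            options.Events.OnValidatePrincipal = ValidatePrincipalAsync;
        });
        return services;
    }
}
```

Two caveats on the design. Assigning `OnValidatePrincipal` replaces any handler the library already installed on that event, so check the version of Microsoft.Identity.Web in use before wiring this in. And `UseTokenLifetime = true`, as in the question's Startup.cs, makes the cookie lifetime follow the ID token's expiry (typically about an hour), which is why a 10-minute `ExpireTimeSpan` does not take effect; the event-based check above is independent of the cookie lifetime and catches a deleted user on the first request after the interval elapses.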