This is related to this question I asked earlier. Sadly, I still have the problem.
My problem is as follows:
- Log in to Microsoft with 2 accounts. For example, go to the Azure portal and log in with 1 account, then log in with the other account.
- Go to my application. Pick the account you want to log in with, since you can choose between 2 different accounts. You are logged in immediately.
- Log out. You have to pick which account to log out of. It doesn't matter which one.
- You are now in an infinite redirect loop, until the MS login screen apologizes that it can't log you in.
- If you now go to my web application, you are logged in. So somehow the cookie is set, it's just the redirect that seems to fail? I can't find anything about this in the logs.
Interestingly, the initial login works in any browser. Not being logged in at all, going to my web application, logging in, logging out and logging in again seems to work. It's just this odd scenario that doesn't work in Safari 14.
When I change my application cookie to SameSite None, it does work. But I'm not happy with that result. I have other applications with essentially the same authentication setup, where the application cookie is Lax and the authentication cookies (such as nonce, correlation, etc.) have the default settings and use SameSite None.
I have a BFF project using .NET 5, Angular 11 and the latest and greatest Microsoft Identity Web library. We log in using Azure Active Directory.
My authentication code looks like this:
// Read up on SameSite cookies for more information:
// Copied from https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/f8a37e010cacbc48b63e7d8b875b18b9a2c17313/1-WebApp-OIDC/1-1-MyOrg/Startup.cs
// https://github.com/AzureAD/microsoft-identity-web/wiki/SameSite-Cookies
services.Configure<CookiePolicyOptions>(options =>
{
    // This lambda determines whether user consent for non-essential cookies is needed for a given request.
    options.CheckConsentNeeded = context => false;
    options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
    // Handling SameSite cookie according to https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
    options.HandleSameSiteCookieCompatibility();
});

// We use these custom cookie, ticket and token settings to avoid them being set as session tokens, which AddMicrosoftIdentityWebAppAuthentication() would do by default.
// With these settings they are valid for 90 days which means that even if you logged out of your account somewhere else, you'd still be logged in here.
// The problem with session cookies is that the app is installable as a PWA and if you were to end your session by closing your browser and/or log out somewhere else, you'd have to log in again constantly.
// This is actually a feature of single sign out, but could also be annoying for the user.
// TODO: Perhaps we could investigate a while after launch if users would prefer real single sign out, which would mean using session cookies.
services.Configure<CookieAuthenticationOptions>(WellKnownAuthenticationSchemes.CookieName, opt =>
{
    opt.Cookie.IsEssential = true;
    opt.Cookie.Name = "cookie_name";
    opt.Cookie.SameSite = SameSiteMode.Lax;
    opt.Cookie.SecurePolicy = Environment.IsDevelopment()
        ? CookieSecurePolicy.SameAsRequest
        : CookieSecurePolicy.Always;
    opt.Cookie.HttpOnly = true;
    opt.SlidingExpiration = true;
    opt.ExpireTimeSpan = TimeSpan.FromDays(90);
});

services.Configure<MicrosoftIdentityOptions>(opt =>
{
    opt.Events.OnTicketReceived = context =>
    {
        // Mark the authentication properties as persistent, so the cookie expiration settings will be applied
        context.Properties.IsPersistent = true;
        return Task.CompletedTask;
    };
});

services.Configure<MsalDistributedTokenCacheAdapterOptions>(opt =>
{
    opt.SlidingExpiration = TimeSpan.FromDays(90);
});

if (Configuration.GetValue("Features:UseDistributedCache", false))
{
    var connectionString = Configuration.GetConnectionString("DistributedSqlCache");
    services.AddDistributedSqlServerCache(options =>
    {
        options.ConnectionString = connectionString;
        options.TableName = "DistributedCache";
        options.SchemaName = "cache";
    });
}

services.AddAuthentication(WellKnownAuthenticationSchemes.CookieName);
services
    .AddMicrosoftIdentityWebAppAuthentication(Configuration,
        cookieScheme: WellKnownAuthenticationSchemes.CookieName)
    .EnableTokenAcquisitionToCallDownstreamApi(Configuration.GetValue<string>("Scopes").Split(" "))
    .AddDistributedTokenCaches();

var dataProtectionBuilder = services.AddDataProtection();
if (Configuration.GetValue("Features:PersistDataProtectionToDisk", false))
{
    dataProtectionBuilder.PersistKeysToFileSystem(new DirectoryInfo(Configuration.GetValue<string>("DataProtection:Path")));
}
Logout:
// Note: The SPA has a <form method="POST" action="/logout"> which activates this.
[HttpPost("/logout")]
public IActionResult Logout()
{
    return SignOut(new AuthenticationProperties
    {
        RedirectUri = "/"
    }, WellKnownAuthenticationSchemes.CookieName, WellKnownAuthenticationSchemes.OpenIdConnect);
}
Does anyone know whether I can keep using Lax? Or why Lax works in the other applications but not here?
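Added example, not part of the question and not code from Microsoft.Identity.Web: a small model of which cookies a browser attaches to each request of the OpenID Connect sign-in and sign-out round-trip, given the SameSite and Secure attributes on each Set-Cookie header. It shows why the Lax application cookie is absent from the cross-site POST that delivers the authorization response (form_post), while the SameSite=None correlation and nonce cookies are present, and why a SameSite=None cookie without Secure is never sent at all. Hostnames, cookie values and the callback paths are constructed; the rules follow the SameSite cookie specification, with a switch for browsers that treat an unspecified SameSite as Lax.

```python
# Added example (not from the original question): model of which cookies a browser
# attaches to each request of an OIDC sign-in / sign-out round-trip, given the
# SameSite and Secure attributes on each Set-Cookie header. Hostnames and cookie
# values are constructed; the rules follow the SameSite cookie specification.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    same_site: str  # "Strict", "Lax", "None" or "Unspecified"
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Extract the name, SameSite and Secure attributes of one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    same_site, secure = "Unspecified", False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            same_site = value.strip().capitalize()  # "none" -> "None"
        elif key == "secure":
            secure = True
    return Cookie(name, same_site, secure)


def site_of(url: str) -> str:
    """Registrable site of a URL (last two host labels; adequate for these hosts)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cookie_is_sent(cookie: Cookie, request_url: str, initiator_url: str,
                   method: str, top_level: bool = True,
                   lax_by_default: bool = True) -> bool:
    """Decide whether the browser attaches `cookie` to a request.

    initiator_url is the page (or redirecting endpoint) that caused the request.
    lax_by_default models browsers that treat an unspecified SameSite as Lax.
    """
    if cookie.same_site == "None" and not cookie.secure:
        # Modern browsers reject SameSite=None without Secure at Set-Cookie time,
        # so the cookie is never stored and therefore never sent anywhere.
        return False
    if site_of(request_url) == site_of(initiator_url):
        return True  # same-site requests carry every stored cookie
    mode = cookie.same_site
    if mode == "Unspecified":
        mode = "Lax" if lax_by_default else "None"
    if mode == "None":
        return True
    if mode == "Strict":
        return False
    # Lax: only on top-level navigations with a safe method (GET), never on the
    # cross-site POST that response_mode=form_post uses to deliver the id_token.
    return top_level and method.upper() == "GET"


# Constructed headers modelled on the question: a Lax application cookie plus the
# SameSite=None correlation and nonce cookies the OpenID Connect handler sets.
SAMPLE_SET_COOKIES = [
    "cookie_name=app-session-value; Path=/; Secure; HttpOnly; SameSite=Lax",
    ".AspNetCore.Correlation.abc=corr-value; Path=/signin-oidc; Secure; SameSite=None; HttpOnly",
    ".AspNetCore.OpenIdConnect.Nonce.abc=nonce-value; Path=/; Secure; SameSite=None; HttpOnly",
    "legacy=1; Path=/; SameSite=None",  # None without Secure: rejected by the browser
]

IDP = "https://login.example-idp.com/common/oauth2/v2.0/authorize"  # constructed
APP = "https://app.example.com"  # constructed

# Each step: (request URL, initiator URL, HTTP method); all are top-level navigations.
FLOW_STEPS = {
    "authorization_response_post": (APP + "/signin-oidc", IDP, "POST"),
    "post_logout_redirect_get": (APP + "/signout-callback-oidc", IDP, "GET"),
    "same_site_navigation": (APP + "/", APP + "/account", "GET"),
}


def simulate_flow(set_cookie_headers, lax_by_default: bool = True) -> dict:
    """Return, per flow step, the names of the cookies the browser would attach."""
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    return {
        step: [c.name for c in cookies
               if cookie_is_sent(c, url, initiator, method, lax_by_default=lax_by_default)]
        for step, (url, initiator, method) in FLOW_STEPS.items()
    }


if __name__ == "__main__":
    for step, names in simulate_flow(SAMPLE_SET_COOKIES).items():
        print(f"{step}: {names}")
```

Running it shows the application cookie missing only on the cross-site POST step, which is the one request where the server must rely on the correlation and nonce cookies rather than on the already-established session; on the top-level GET back from sign-out the Lax cookie is attached again. The model is deliberately browser-agnostic, so a browser-specific quirk such as the Safari 14 behaviour in the question is not something it reproduces; it only makes explicit which requests a Lax cookie is supposed to be absent from.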