RequireNonce is 'true' (default) but validationContext.Nonce is null in Azure Traffic Manager, OpenIdConnectAuthentication

Submitted by 一世执手 on 2020-01-24 23:32:51

Question


I have my website (Azure App Service) deployed in two regions under Microsoft Azure:
https://abcd1-westus.azurewebsites.net/
https://abcd2-centralus.azurewebsites.net/

I created a Traffic Manager Profile to control the distribution of user traffic for service endpoints. The DNS name of the Traffic Manager Profile is "http://abcd.trafficmanager.net". Authentication is done by Azure AD. Once we try to access the Traffic Manager DNS URL, it prompts for AAD login, redirects to https://abcd2.azurewebsites.net, and the yellow page error comes up:

"IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'."

If I open an individual website URL it works perfectly. I have used the below code in StartUp.Auth.cs. I am using Microsoft.Owin.Security.OpenIdConnect, Version 3.1.0.0.

using System;
using System.Configuration;
using System.Threading.Tasks;
using System.Web;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    string secretKey = ConfigurationManager.AppSettings["AppKey"];
    string clientId = ConfigurationManager.AppSettings["ClientId"];
    string authority = ConfigurationManager.AppSettings["Authority"];
    string resource = ConfigurationManager.AppSettings["Resource"];
    string redirectUri = ConfigurationManager.AppSettings["RedirectUri"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUri,
                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    // The redirect_uri sent to Azure AD is taken from whatever host the
                    // current request arrived on, so it varies per request.
                    RedirectToIdentityProvider = n => {
                        n.ProtocolMessage.RedirectUri = n.OwinContext.Request.Uri.ToString();
                        return Task.FromResult(0);
                    },
                    AuthorizationCodeReceived = OnAuthorizationCodeReceived
                }
            });
    }

    // Redeems the authorization code for an access token to the configured resource
    // and stores it in the per-user session cache (NaiveSessionCache is the app's own class).
    private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
    {
        var code = context.Code;
        ClientCredential credential = new ClientCredential(clientId, secretKey);
        string userObjectID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
        AuthenticationContext authContext = new AuthenticationContext(authority, new NaiveSessionCache(userObjectID));
        // The redeem URI must match the redirect_uri used in the authorization request.
        Uri uri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
        AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(code, uri, credential, resource);
    }
}

Please help me to resolve this issue. Production is close :(


Answer 1:


The problem is you can't mix the traffic manager URL and the Web App URLs.

The nonce cookie is set on the TM domain and the redirect back comes on a different domain. So the nonce cookie is not found.

So the URL the user sees in the address bar should be the same all the time. If they access the site over https://abc.trafficmanager.net, then Azure AD needs to redirect them to https://abc.trafficmanager.net after authentication. It must not use the azurewebsites.net URL at any time.
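An added example (not the poster's or the answerer's code) of one way to apply this answer in the same OWIN setup: a small middleware sends any request that arrives on a regional azurewebsites.net host to the canonical Traffic Manager host before a challenge can be issued, and the RedirectToIdentityProvider handler always gives Azure AD the configured redirect_uri instead of the incoming request's URI, so the nonce cookie and the callback share one domain. The PublicBaseUrl app setting is an assumption.

```csharp
using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Assumed app setting, e.g. "https://abcd.trafficmanager.net/". This is the only
    // host the user should ever see in the address bar.
    static readonly Uri PublicBaseUrl = new Uri(ConfigurationManager.AppSettings["PublicBaseUrl"]);

    public void ConfigureAuth(IAppBuilder app)
    {
        // 1. Pin the browser to the canonical host. A request that reached a regional
        //    endpoint directly is redirected (fixed host, so this is not an open redirect).
        app.Use(async (ctx, next) =>
        {
            if (!string.Equals(ctx.Request.Host.Value, PublicBaseUrl.Host, StringComparison.OrdinalIgnoreCase))
            {
                var target = new Uri(PublicBaseUrl, ctx.Request.Uri.PathAndQuery);
                ctx.Response.Redirect(target.ToString());
                return;
            }
            await next();
        });

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // 2. Never derive redirect_uri from the request; use the configured public URL.
        //    The same value must be registered as a reply URL on the Azure AD application.
        string redirectUri = PublicBaseUrl.ToString();
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ConfigurationManager.AppSettings["ClientId"],
            Authority = ConfigurationManager.AppSettings["Authority"],
            RedirectUri = redirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = n =>
                {
                    n.ProtocolMessage.RedirectUri = redirectUri;
                    n.ProtocolMessage.PostLogoutRedirectUri = redirectUri;
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

Traffic Manager's health probes address the regional endpoints directly, so exclude the probe path from the host check or the redirect will be read as an unhealthy endpoint.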



Source: https://stackoverflow.com/questions/49418562/requirenonce-is-true-default-but-validationcontext-nonce-is-null-in-azure-tr
