1
У нас есть Identityserver v3 с пользовательским сервисом UserService с 2-факторным аутентификатором за балансировщиком нагрузки. Он работает на моей машине :-), но partialSigninAuthentication терпит неудачу при развертывании в среде с балансировкой (я не уверен, связано ли это с loadbalaning, я просто предполагаю, что у нас есть v2, работающий на одних и тех же серверах - никаких проблем нет).Пользовательский UserService терпит неудачу, когда позади loadbalancer
Я использую сертификат от образца осущий и использовать RequireSSL = ЛОЖЬ (HTTP за loadbalancer)
В моем TwoFactorController напечатать некоторые отладки, может быть, это поможет?
Trace.WriteLine(JsonConvert.SerializeObject(ctx.Authentication.User));
var authentication = await ctx.Authentication.AuthenticateAsync(Constants.PartialSignInAuthenticationType);
// Problem is that this is null
if (authentication == null)
{
return View("Error");
}
Tracelog:
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.DiscoveryEndpointController]: 20.05.2015 13:24:47 +00:00 -- Start discovery request
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.DiscoveryEndpointController]: 20.05.2015 13:24:48 +00:00 -- Start key discovery request
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthorizeEndpointController]: 20.05.2015 13:24:48 +00:00 -- Start authorize request
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Validation.AuthorizeRequestValidator]: 20.05.2015 13:24:48 +00:00 -- Start authorize request protocol validation
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Validation.AuthorizeRequestValidator]: 20.05.2015 13:25:01 +00:00 -- Authorize request validation success
{
"ClientId": "MvcTest1",
"ClientName": "MvcTest1",
"RedirectUri": "https://smi-test.myserver.net/TestMVC/",
"AllowedRedirectUris": [
"https://localhost:44311/TestMVC/",
"https://smi-test.myserver.net/TestMVC/"
],
"SubjectId": "unknown",
"ResponseType": "id_token",
"ResponseMode": "form_post",
"Flow": "Implicit",
"RequestedScopes": "sse_roles smi_profile openid profile",
"State": "OpenIdConnect.AuthenticationProperties=OoZ3B4sAgC2fqGquUN3Nqg4JH1YFJeG8hCzr1D5O_3nFY_KZpUz_bsg8syMLEeYAP5tFt4YtYspJ8nf97VBnHP0YZkXFAuZQtZpdyAlWUY2yOfpLFwndlIlR_HFfiv7M8ztr_WsP7TAS5tLXuqLTbjrN1Yz1I-bTQd8iO-I002oKqksH1riamKagZJt9O-a5gkG4srOqH53yCHUb9bHflbpw_p4A7k8N3LYISpEf26M",
"Nonce": "635677250880977851.NTJkMzlhMDQtZDA0OC00MTRiLTg0NDgtZGI2M2QwOTMzMDE0ODI5YTE1YTktZGY0YS00NTk0LTkwNWItOTEyYmNiMTMwZDk5",
"Raw": {
"client_id": "MvcTest1",
"redirect_uri": "https://smi-test.myserver.net/TestMVC/",
"response_mode": "form_post",
"response_type": "id_token",
"scope": "sse_roles smi_profile openid profile",
"state": "OpenIdConnect.AuthenticationProperties=OoZ3B4sAgC2fqGquUN3Nqg4JH1YFJeG8hCzr1D5O_3nFY_KZpUz_bsg8syMLEeYAP5tFt4YtYspJ8nf97VBnHP0YZkXFAuZQtZpdyAlWUY2yOfpLFwndlIlR_HFfiv7M8ztr_WsP7TAS5tLXuqLTbjrN1Yz1I-bTQd8iO-I002oKqksH1riamKagZJt9O-a5gkG4srOqH53yCHUb9bHflbpw_p4A7k8N3LYISpEf26M",
"nonce": "635677250880977851.NTJkMzlhMDQtZDA0OC00MTRiLTg0NDgtZGI2M2QwOTMzMDE0ODI5YTE1YTktZGY0YS00NTk0LTkwNWItOTEyYmNiMTMwZDk5"
}
}
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.ResponseHandling.AuthorizeInteractionResponseGenerator]: 20.05.2015 13:25:01 +00:00 -- User is not authenticated. Redirecting to login.
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthorizeEndpointController]: 20.05.2015 13:25:01 +00:00 -- End authorize request
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Results.LoginResult]: 20.05.2015 13:25:01 +00:00 -- Redirecting to login page
Debug: [Thinktecture.IdentityServer.Core.Configuration.Hosting.MessageCookie`1]: 20.05.2015 13:25:01 +00:00 -- Protecting message: {"ReturnUrl":"http://smi-test.myserver.net/STSv3/connect/authorize?client_id=MvcTest1&redirect_uri=https%3A%2F%2Fsmi-test.myserver.net%2FTestMVC%2F&response_mode=form_post&response_type=id_token&scope=sse_roles%20smi_profile%20openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DOoZ3B4sAgC2fqGquUN3Nqg4JH1YFJeG8hCzr1D5O_3nFY_KZpUz_bsg8syMLEeYAP5tFt4YtYspJ8nf97VBnHP0YZkXFAuZQtZpdyAlWUY2yOfpLFwndlIlR_HFfiv7M8ztr_WsP7TAS5tLXuqLTbjrN1Yz1I-bTQd8iO-I002oKqksH1riamKagZJt9O-a5gkG4srOqH53yCHUb9bHflbpw_p4A7k8N3LYISpEf26M&nonce=635677250880977851.NTJkMzlhMDQtZDA0OC00MTRiLTg0NDgtZGI2M2QwOTMzMDE0ODI5YTE1YTktZGY0YS00NTk0LTkwNWItOTEyYmNiMTMwZDk5","ClientId":"MvcTest1","AcrValues":[],"Created":635677250886418395}
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:01 +00:00 -- Login page requested
Debug: [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:01 +00:00 -- signin message passed to login: {
"ReturnUrl": "http://smi-test.myserver.net/STSv3/connect/authorize?client_id=MvcTest1&redirect_uri=https%3A%2F%2Fsmi-test.myserver.net%2FTestMVC%2F&response_mode=form_post&response_type=id_token&scope=sse_roles%20smi_profile%20openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DOoZ3B4sAgC2fqGquUN3Nqg4JH1YFJeG8hCzr1D5O_3nFY_KZpUz_bsg8syMLEeYAP5tFt4YtYspJ8nf97VBnHP0YZkXFAuZQtZpdyAlWUY2yOfpLFwndlIlR_HFfiv7M8ztr_WsP7TAS5tLXuqLTbjrN1Yz1I-bTQd8iO-I002oKqksH1riamKagZJt9O-a5gkG4srOqH53yCHUb9bHflbpw_p4A7k8N3LYISpEf26M&nonce=635677250880977851.NTJkMzlhMDQtZDA0OC00MTRiLTg0NDgtZGI2M2QwOTMzMDE0ODI5YTE1YTktZGY0YS00NTk0LTkwNWItOTEyYmNiMTMwZDk5",
"ClientId": "MvcTest1",
"IdP": null,
"Tenant": null,
"LoginHint": null,
"DisplayMode": null,
"UiLocales": null,
"AcrValues": [],
"Created": 635677250886418395
}
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:01 +00:00 -- rendering login page
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:29 +00:00 -- Login page submitted
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:29 +00:00 -- Login credentials successfully validated by user service
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:29 +00:00 -- issuing cookie (partial login)
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 20.05.2015 13:25:29 +00:00 -- redirecting to: http://test.myserver.net/STSv3/TwoFactor/Index
w3wp.exe Information: 0 : TwoFactorController JsonConvert.SerializeObject(ctx.Authentication.User):
{"Claims":[],"Identities":[{"AuthenticationType":null,"IsAuthenticated":false,"Actor":null,"BootstrapContext":null,"Claims":[],"Label":null,"Name":null,"NameClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name","RoleClaimType":"http://schemas.microsoft.com/ws/2008/06/identity/claims/role"}],"Identity":{"AuthenticationType":null,"IsAuthenticated":false,"Actor":null,"BootstrapContext":null,"Claims":[],"Label":null,"Name":null,"NameClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name","RoleClaimType":"http://schemas.microsoft.com/ws/2008/06/identity/claims/role"}}
Update Я удалил частичный вход, но до сих пор не работает. Это последняя запись в журнале от IdServer
[Thinktecture.IdentityServer.Core.Results.AuthorizeFormPostResult]: 21.05.2015 07:54:35 +00:00 -- Posting to https://smi-test.myserver.net/TestMVC/
А содержание браузера пусто, но название говорит: «Submmit этой формы» URL-адрес в браузере:
https://smi-test.myserver.net/STSv3/connect/authorize?client_id=MvcTest1&redirect_uri=https%3A%2F%2Fsmi-test.myserver.net%2FTestMVC%2F&response_mode=form_post&response_type=id_token&scope=sse_roles%20smi_profile%20openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DIxrlCyPTeXy89E1BwspOh64Hu66D0vrJ5T3y8FwdzpWIKQQZY.....
Update2 Проверка формы отправки, и похоже, что скрипт заблокирован политикой безопасности контента
Страница https://smi-test.myserver.net/STSv3/connect/authorize загружает скрипт
<script src="http://smi-test.myserver.net/STSv3/assets/app.FormPostResponse.js"></script>
Как изменить это как https?
Larsi
кажется, что с точки IdSrv зрения все в порядке. Это больше похоже на проблему сетевой инфраструктуры. – leastprivilege
@leastprivilege спасибо за изучение этого вопроса, я обновил вопрос еще раз (Update2). – Larsi
Сообщайте о своем последнем обнаружении в журнале отслеживания проблем и включите @brockallen – leastprivilege