linux wenj 立即生效_OpenIdConnect 认证启用 HTTPS 回调 RedirectUri 不生效问题解决

最新推荐文章于 2024-03-03 09:18:44 发布
最新推荐文章于 2024-03-03 09:18:44 发布
阅读量6.4k 收藏
点赞数
文章标签: linux wenj 立即生效
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_39601641/article/details/111822332
版权

在搭建 IdentityServer 服务端后,我们尝试使用了 OIDC(OpenID Connect) 协议来代替了原先的 Session 系统认证方式,起初采用的是 HTTP 协议,一切都没有什么问题,最近启用全站 HTTPS 后,发现登陆会跳转到 HTTP的页面,

OpenID Connect 认证流程

第一步:

请求构造授权页

Request URL:https://sso.xxx.cn/connect/authorize?client_id=10000005&redirect_uri=https%3A%2F%2Fp2.cloudhotels.cn&response_mode=form_post&response_type=id_token%20token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DTl--AjNJpswyb_R1ytC6SqEKnWP5FWe969jAIK-tPHj7l5bCYieg5fffC111-Bjur08jIafy5-DNg2ESrenp71it4OBCLnUsLXPbFGxlsT6jWwsTmRgJf5HxG-HtsTZm2iIwDkFl2P4GmlUt7GAl8gMuTNlaLqB3M-RuJ2prt603WzMQ&nonce=636321569961956638.ODdlZTBkOWItYmU4Mi00OTliLTk5ZjktNjY0YTkwNjk4MTE0ODczM2M4ZWUtNzIyZi00YjgwLTlhZDAtM2NkNmE3NzY2MzJl&x-client-SKU=ID_NET&x-client-ver=1.0.40306.1554

Request Method:GET

Status Code:200

Remote Address:222.186.49.226:443

Referrer Policy:no-referrer-when-downgrade

:authority:sso.xxx.cn

:method:GET

:path:/connect/authorize?client_id=10000005&redirect_uri=https%3A%2F%2Fp2.xxx.cn&response_mode=form_post&response_type=id_token%20token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3DTl--AjNJpswyb_R1ytC6SqEKnWP5FWe969jAIK-tPHj7l5bCYieg5fffC111-Bjur08jIafy5-DNg2ESrenp71it4OBCLnUsLXPbFGxlsT6jWwsTmRgJf5HxG-HtsTZm2iIwDkFl2P4GmlUt7GAl8gMuTNlaLqB3M-RuJ2prt603WzMQ&nonce=636321569961956638.ODdlZTBkOWItYmU4Mi00OTliLTk5ZjktNjY0YTkwNjk4MTE0ODczM2M4ZWUtNzIyZi00YjgwLTlhZDAtM2NkNmE3NzY2MzJl&x-client-SKU=ID_NET&x-client-ver=1.0.40306.1554

:scheme:https

accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

accept-encoding:gzip, deflate, sdch, br

accept-language:zh-CN,zh;q=0.8

cookie:acw_tc=AQAAACVlAyxojQIAFpTodHdoRw2DIBLj; idsrv.xsrf=lL0mbSQCJwUEqyWAufNmPsKzR6s4rlmo9TnH5RgESnOUtVXBzRBfF1bumRiySNSdyI8LDA; SignInMessage.410d3116e4685a1ff945b72ec5b7bdee=owpop5ySCBwDREEoMovtaEIsnr5k6JVvD8kbdp2dJlSJvAUWX6xXvR1qP_G-C-Hf6QOOV8M5wZ_HBJ8L-101uznPFSmw1lqkmnPHTj0xJeR3gJ4QeaP9IEm4sQvEyZWzdnNGwW-F_y_9ooSGDqpNEr-PFoI_nrK7az0PWvgHsqv-hKSBQVonq_AIPaGumS7p5ORNHkHwB1LdJXWXnVwFq6NMM1DLD1zXJgpXp4EkzjCExIA89Nd9wUYZlJDb1TuNGLpucraql9RZ6kpKJpnr4z2bGtW1JENWdPb3YH4thqBlP6JMz4s9rKCJWhrOtojpuqfzGUanE-Sw8he4My0GQQ3FcNPqT8GFaVUmwPpy8qIZriLyCRO6IUlXoqo_uwAHS2N5f3AYtaoIo88TEJZl8sZCIeM1QD2ZADB1L96JHuTzMAR7TLEWxtFrFmlIX4Ue0XyXclzQnKbNPnhFlwK11joxFxpVczMuUp4bpEvfdhmuFaqTkTqO9qOmxh3fiVQxqpv9LXNg-JFrAWzlXfSJmrFaRUJ6-RFbHi31cYkLQ0v4Gal7KASMsVTvp9Iswj1lgvRtHoMEAXmwyMWThZg6RGJbFrQQSjG2uFB7-LFCOI_V_d3EYQMHxkvFeFJHUQ4O9DbXq0v-nSXCzcyNYEXBUS273X6OensJ4nilWZVtnssyXh1SppSICXGnX1MHfNvWMp2AlmdQQo76myLL0l2yCRVpyP6fLGWcMUmn9MmQi5-NoIALlCNyOslwAOGsgCkpcpLEeeI0BD7SKwXzQZQnTgCtJJayMZVdPB3aEKojZFe1BsBUV8nwsdEAhY8dc6HZPY3wpGhrVK1tYH1KzCFt1yw2LI3qgKgQyGnqETk7GUD-gunrvMYym-CMjteLu7lSyOiaaRTjMWb8o35psxK8RvHRNqc; _pms_session=gyyabpm4wizgtp0drl02nuuf; SignInMessage.9d3ece88ead86da0d24435c1a430c34e=NGNDv77kQPUAKKXDc9uVuokKTz1CIJG0t1G81CCrtHgPxx2wEb1TwxRdCT7UV61lmQxF-kYGSXH2-irds7PfoQSdp4Wm4Aot-zOjtpjtR8aH5VEndu78hbGIv6n2JEOAUQBtfh2GTrmQYBgHpEHIulCrHJWovGVmFIsgjDHmpnzAz_Kf6ZmcL0sC2tFDZYKP2PTYkaF83cG3PYbqVIeM7HTuucORtaybnuzv15UxGKU4T28cZwI28d_u-Og8gXkAoYNNFnT054S-q_Coxhz1nR5rYAZe_WmLZCvqM_3D0M7IK_1nHN8NexBKyuRIZ9V25D4afl7rNROCb2A0m3Y3ayUgu3FySHZwcjjhsia_l16IJMVu6KjFJCVZHh6JGu06O6lTza8QUnvYA6vh-PWVFiLFoszUy16RxuDWJl_fnoaWFBxP97zhFZ7gCHj9zdr5BjEgko6fkoEIcmHosehqsrTYJUGPKkaKR2GUfKzCEBeoNFvUveCOXrrjayeCSw5hk6dEjdehQvjrBy7ezffBRgViimpBr0YLqH00WSRdsZzfBA_KlUBkE3zJDBIrmGkyB7xiTOSHFXT-CoC4g7rEF4usM44CCntWTO48UGd_eq6qIxSLjVhXGrsuauqXZTKs82mPmARsd85opyA69kHfDkHT2vCKT3GLVmvBxk4Sdi1zoCobyHohFpj0o-u0J9fko6W8uxhilcKovPeWh8yDp5CQrpquXKc6yAN-4x1Lyh-lnKKHm2m1uPSV0v04P4PZfBYqASkYtgSKTRcmwErF8l8H7XpqlWFRT2DdXWYwetTv2I5MhC6HqwIlVoYzBk3JRIGheYTazNaO8Mz3pm1Ayp0VIWPH36mvdXynMV5iJmqgccVkWpdHmwJbHzdYajWPtqYocartaA2pAU9zog4nneNs9KI; SignInMessage.2e3550a6f27dbe37def555603163623e=dQUu6i3OyRhbsoYaK7wbtzSK5xGjVNSmenWCdZ0wbSvAnMAK7KNmBLBCOcV9rKRxAA-9jehtXT7bkFA0NRptXfgrWrU_my-cVvC2ok72b7qwk4LGTHonPqklVl-L_xCCBkUe0svpP1C4B3etBAj5MotsOVNFHuyhkNDAfMt_HpA6fCUJnEZtfQ0i3qycFmwL67O4JQx1EEbvhuugnlbyDiahppUlc-_TeVoySc_SNpnJc8HC9fCkYm7p2vQaLZoWVUsROU-JCPeIJ8NRDISTMqYlSWL0QY1UNa8vXF7zLSGO8jfMQ5YdmpYJIwG7VZrqf4yqHKi9E14G0IhYi1Y99wddOyaPYIKIQGIhWHkWVkRX0E1Mq-gsvzXJzLlN0-0_Ywyt4VRtpE1tQz9iS4xAtNPZBp3xyBzPJ0KsM6sHOuxuZT3X0NQV7hIZRA1eIV4xKhrGJtlh59FC7BaCmVIDDV7dytO9AGMlO5iYSjgKI4bTGC8cGYXHs2k7BsFTEh_RWKg0ygyu3hjvjIgN4X67yQ4BGHv92iFwLUxEn4nBXb7oZEx7BawzYAFcTlCK-l81VPmwr2Is0FjnhYlcr7MS-tvUx3HmG758-QPpoth5T0oZrOKVwv8Pop1503VjS1hFF1MCEzp0zzXaJcjZ_XeDLWmzElZ9jl8pw4AB2I64W-33IWtxBBXgjc9iX1L4t8imT9EMKXKK6wDxTZNQ8uxL2rnoV6NmYRoVcFjR0CFnAhntZDvhNGPWcFtH-eaGeFgDxa8HlbBV4vk1yNDlxN4-4upJxO7fbWmXx3OGPo8IVydyeQI0pUF61UKXYzVekyjc2rMS7wEpVsd8LdOy147tXLeZwqHBVbgU8GA6uITahJdjatOB2RLgTKgJvb_IPfgQQhRNv4ur5q2cfqerTIzSmH1lOJI; SignInMessage.249b0aeaa528d65e2fabdac9f695167d=PoHjxvv3eyxmJKkLNVuho_DAgPaIEjTg0XfzznyM_sKpPQ5vATFKZRIO7h2b9Zf-OtjqdTQN4gvEewnlEOVOvNED-WVT_hTcmBrj22ghMEKXJhYzjjVNOJxc5nYjcI0BHCiNgFsBZyTqsVqGG-QINfID8iG2NpnROU3sLygzIObydw56IJj63N6kJTBemCompDHcm0V8yOuqr8DIu_jR02JCPYotz2nRuHTsN-SRLCJzm1Q5ggfiy5HMMdV0jkdMj2CirxQV3sri32VNVNCvZ0XZJxFd5Ut-xoVfyPU9gGx1FI7iIEDhXyjSNGHgTGo2DFmgTVRn7kVIHnJ5kRiMvM9fYl8PHz2e_pB8VEGuUCisrXrQjdCiaTHdxjFudlmS-IcRksQV9fx4K0Ug0uy9Luf9RrfnUQo8i8JyARtPdrjmguJ79LVOjL-8eblBQlgUB6ih6uwXLBvRziyDTaB4B2FBT--Ke4guwrYBvxJdIgMh7Up5eJne8UW6Qeoc30L6q3TqiFLQLiFS39lehwx7EqoG_xLnp2y133ClQqfbFSBlBnPZD0OvNSuiWnOE724NeqioVkACPWUFgF7X1fbPDQXLc9mfRt0aNwlipNnCKtKwAoXtFJby1skdLx_I18uALo3KAwptivFweCvtKLELv0dBcQxzRzzOcIPi_gNUdrXnS7z23DvhCbsu8q842J-wZeqwXMrwakUzhh1-FvQW4Agt7FrTOCmOS1KzmarC2Xm5srIH3hWGc3gsvT3NYZxM0k-5WAhHw_d16zLAIWW4K_euxz5GnX-qKwvT3Rcpui4DsKQvZQGfCg4Ua3KKQT1iN-YOuixKMQ7nSiIHaP_0qZYI5H16mj3eiW4w0D2mDUSWCCRmJ7BR5qak0_mH0uLodDVvd8oejbfivWt-SGAd0MnZsoU; SignInMessage.8773da773d34dd5079a297ef19316ac0=4KfGGFxV7E7AiKGysQXQS9Dszsj3xHqg2RaVgdc-0uSz8c6ZLf_4ZB2FA1HLFXxoTnFbU-EN86eB1ZjPdYZO1BRPWw4dt_pk-ojgj88HcdDFlshoQBwAoN6MeTlnEriewC78lYz7UZVDJnCFZki4J7dMGPwu7XM93sLif3cR-d0pIFPdLBsjBZ2XaEDi6B9kKN8IAt5afWT8St-1LgnHSJPWl6iiCj2T71NaNnE0XU1ij_JdQRzLIQy4Z0eG8HA-jH3J_0oaqqoR-X3aJAiNlvb_GMPvXWF6CXaWFPiSxpu8_ApjKeI3Sq5bPghCZdApTdV1BH5UWDPciyZmX1knQd3B8DkmSsrAdSYXq5XVSDB4VYRFbZti-Msd5vZlCTo6w9tcGdNRlAnv9aEZjopkkf8IQqgiW0xZFlQjS9oGEVyNv80BkuhMMmoeNaEotHOaoK3qkNswqJRUNWxT9-6lLKB8pUaDxZZE4dJVC2VnW-CK6nbdDqCACcA-Ayf2wCTy2iVknv_zUUyXW5AkUO0CPI1BrBJkc_GqCbymXJphKO44vNLVUBoaMNjdAkqktpHBYx_rXImhCHNdXh0hvsVST4EWlTb2Y6IHx4G4sWNqE7irBPqhFJ4GcSUCfZlM0MD_72JdNCo9sYRDXqBUKO4gx1yRg2pyO00R0ch604AJ5EsF2fotrUm7Ie3br2erdI3dKkuKmy2jpyPQG3NmsZVFXFqIzguX7v4YvQTXXbvlVNHRpj3ulgGL7EQwnaikOD1Zc6mntSyesZ19nrkIQqjeFNFYA22-myhhFDo9ukjm0JIqvLoBLCN5br0JnyTXfHj0Bai_OsR1JMqoBSC9ZYHcSpEkNGDgi_gGiN1rQWUQikxhV3I5T1thx0A4_otw3MV2BMOWKxNMBdI4-jO4AAoWPK4BtFI; idsvr.session=a60e0086521e99c099122e9d54e6a870; idsrv=FXCKHsF7lWgZ6xBWmn5VU8KmB3Uo_DPkYFTsRNvEH3CKFOW4is94zus3LN9lPVj6yOqoV2o36dl5FS3tBTOWphg1fzIShAbW522-_AKnL0I3kKQldeccu7Wusb1moa2iAjq9q3y7mxlGFGBP7itBigCY1cfHeAZGbBfx1R1O5RUBO2Zjwf0PZuH1_-0EexZUNn-8qwOaMrpVTVTUOjZqc1Lr0cFFc6_PyLsyhHWbuiZLRcIHSsf_tSiw1YorIWFgoEv8kRlHOc4squfvAQQsraxBRrIKqWieqqhCA1y7kGUvlBJV8I0eLmP6lu9S08kehlM4sw

referer:https://sso.xxx.cn/login?signin=249b0aeaa528d65e2fabdac9f695167d

upgrade-insecure-requests:1

user-agent:Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Mobile Safari/537.36

第二步:

请求构造授权页会返回一个OAuth2回传信息 POST 到客户端 ,OAuth 2.0 Form Post Response Mode ,是一个对 OAuth2 的扩展,构造回传信息提交到客户端是通过URL的querystring和fragment这两种方式,这个扩展标准提供了一基于form表单的形式把数据post给客户端的机制。

Request URL:https://p2.xxx.cn/

Request Method:POST

Status Code:302

Remote Address:58.220.27.80:443

Referrer Policy:no-referrer-when-downgrade

id_token:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJpc3MiOiJodHRwczovL3Nzby5jbG91ZGhvdGVscy5jbiIsImF1ZCI6IjEwMDAwMDA1IiwiZXhwIjoxNDk2NTYwMjA1LCJuYmYiOjE0OTY1NjAyMDQsIm5vbmNlIjoiNjM2MzIxNTY5OTYxOTU2NjM4Lk9EZGxaVEJrT1dJdFltVTRNaTAwT1RsaUxUazVaamt0TmpZMFlUa3dOams0TVRFME9EY3pNMk00WldVdE56SXlaaTAwWWpnd0xUbGhaREF0TTJOa05tRTNOelkyTXpKbCIsImlhdCI6MTQ5NjU2MDIwNCwiYXRfaGFzaCI6InJEYVhQcXRaSFZEcUxVSzhscmotUFEiLCJzaWQiOiJhNjBlMDA4NjUyMWU5OWMwOTkxMjJlOWQ1NGU2YTg3MCIsInN1YiI6ImlydmluZyIsImF1dGhfdGltZSI6MTQ5NjU2MDIwNCwiaWRwIjoiaWRzcnYiLCJ1c2VyIjoie1wiVXNlcklEXCI6XCJpcnZpbmdcIixcIlVzZXJOYW1lXCI6XCLlkajmtptcIixcIlVzZXJQd2RcIjpcIioqKioqKlwiLFwiU2FsdFwiOlwiKioqKioqXCIsXCJDaXR5QXJlYUlEXCI6XCIxMDAwMDAwOFwiLFwiQ2l0eUFyZWFOTVwiOlwi5Y2X5Y2O6KW_XCIsXCJDaXR5R3JvdXBJRFwiOlwiXCIsXCJDaXR5R3JvdXBOYW1lXCI6XCJcIixcIkpvYklEXCI6XCJBMDAwM1wiLFwiSm9iVGl0bGVcIjpcIuWfjuWMuumUgOWUruWJr-aAu-ebkVwiLFwiRW1haWxcIjpcInl4ZGVuZ0Bob21laW5ucy5jb21cIixcIkJ1c2luZXNzRGVwXCI6XCJcIixcIlVzZXJTb3VyY2VcIjozLFwiWFR5cGVcIjoyLFwiTW9iaWxlXCI6XCIxMzgxNzk2MzY2MlwiLFwiSG90ZWxDZFwiOlwiMDIxMDY0XCIsXCJIb3RlbE5hbWVcIjpcIuS4iua1t-WcuuS4rei3r-WcsOmTgeermeW6l--8iOWGheWuvu-8iVwiLFwiSG90ZWxKb2JJRFwiOlwiUkpDV0pMXCIsXCJIb3RlbEpvYlRpdGxlXCI6XCLotKLliqHnu4_nkIZcIixcIkJyYW5kQ2RcIjpcIlJKXCIsXCJCcmFuZERlc2NcIjpcIuWmguWutlwiLFwiVXBkYXRlVGltZVwiOlwiMjAxNy0wNS0xOFQwOTo0MDoyMS4wNFwifSIsImFtciI6WyJwYXNzd29yZCJdfQ.c_Dn0xxmLRGsp9_iZ7T2UOhwGf2uVjKwWYeGrKr70HtWDXcoafurb6_JxgEwdcWJzlhv3t9a-Y-LcupLbRBfBO-mP7CcbWM5Jr5zn55-z7RH2QnMlViK17AOOiXrKdCr8kTaGAK2bnkMpYIzk4oUAgWkwS3z0_RQ4G1aAIwIDxRvrKo4DuLwCXGPTYXp7YwAemnpvgywNvDM6yjKEL8KltdKyYWaHg8zxQVEPUOeteLFlsBA6rHJ873YTv-s6XNH3Rx944Sh75qGmPCkv3N3mEIDvHd8emMKyGJ53_Rbr6Jjr6eH_h8XNdwvtSIlH3GRfCgsJXppGxEl-KtRDGaR0w

access_token:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJpc3MiOiJodHRwczovL3Nzby5jbG91ZGhvdGVscy5jbiIsImF1ZCI6Imh0dHBzOi8vc3NvLmNsb3VkaG90ZWxzLmNuL3Jlc291cmNlcyIsImV4cCI6MTQ5NjU2MDIwNSwibmJmIjoxNDk2NTYwMjA0LCJjbGllbnRfaWQiOiIxMDAwMDAwNSIsInNjb3BlIjpbIm9wZW5pZCIsInByb2ZpbGUiXSwic3ViIjoiaXJ2aW5nIiwiYXV0aF90aW1lIjoxNDk2NTYwMjA0LCJpZHAiOiJpZHNydiIsImFtciI6WyJwYXNzd29yZCJdfQ.e4DeFyh2Jt6dnsry0ALSbEJpj34lbN0u_iW9YAsc_XlSgWm044LeI19xRzgZvzF4lN_4jjwjvMaQPzOO4MOokSmSAjwnMdVg1j2b9U3c7YyqIUQMueHn1hTr06f2kd2OLYLz38RnNilvFf1xAAF8tXs2TOyrHl9L39i6Nb3I7pQenooIoIbP8yRGpGAztRVBBEHf-b1-7b1wmhaDYEKe_dFOXzlNPRjFzrDhvCcoke2SHJ3Zo60c9JQVUKopFPYUF0EN_TDsS4dHeZCE55tLb--1KJpz7e2WVNGMbts7HGUrlpa4O4mwESxN_c1F3V8YVstdEB7i8xYZCSqQHUdE4Q

token_type:Bearer

expires_in:1

scope:openid profile

state:OpenIdConnect.AuthenticationProperties=Tl--AjNJpswyb_R1ytC6SqEKnWP5FWe969jAIK-tPHj7l5bCYieg5fffC111-Bjur08jIafy5-DNg2ESrenp71it4OBCLnUsLXPbFGxlsT6jWwsTmRgJf5HxG-HtsTZm2iIwDkFl2P4GmlUt7GAl8gMuTNlaLqB3M-RuJ2prt603WzMQ

session_state:UDOKlCOQmRPUjrKy2bRKz-erQ9Ze4jkre7FwspSAZBA.d02260a76d5c74285e125e59531cea07

注意这一步会返回一个 302 的 Location 头,并且是 HTTP ?

cache-control:no-cache

content-length:0

date:Sun, 04 Jun 2017 07:10:05 GMT

eagleid:3adc014214965602048883069e

expires:-1

location:http://p2.xxx.cn

pragma:no-cache

server:Tengine

set-cookie:OpenIdConnect.nonce.nC4ZwLkiOvWjmFbe4uMezWn3Ot8OR5Q%2FEKWIPNawETw%3D=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT

set-cookie:_pms_cookies=GKjrW_Lmfe3Iek_fsJ0zN9CeIQWNuawbZSAi_tl1yl3q8CT2BCqNzk7rDYrsoJGmfE_tRYN7eccbe34g4TKJjBTSOeMXbdj-JYa249ypqj_zO6spFIoCbchvtMlFUct5ygIbs9a5QVD1FdfZh6oUMFBE283N6EENqX6SxAqv1KfIrrkEyAq2vvwtrnH6uRDcva4vfvgj5777VaXHl-DGQWRy5ET1xusxwT6rx8sA_39QPKxmLeqvoEaz1JRl_pXkBwndcmAmem1g12x1J8m5oW1jBB0sF-fcVCEw737SshYAgOLs42Gb6f-KfOZToqtvf-jkjgHKDM_FgoJjigYOGG3Jbcg158wnbPhBLCukDx1-V3gHLpaKVuiv4kPVzNsQouI27AplfJUbCYQK9KAgzpAIiQXpeGW4AGCfHgHiL_txBNCRoWLRM02xvetHlvmW3vxqBu-qTa_fnYeCFd8DcSJLHcyyOwVGkI8eQEIDzAAmRvy9qYetFRhJo75_SnxK73sHw0OCzM9jX-cFt1_5X1AwXK52QBKwgtfg8Ehxtn5aKwoyEQ3SgJQOMjO1W-AK1pzPN9fbNG-zMhXxN22V7srHxOS5J8s9_w0kZKU_vTjqr8-UaGtj-ed09ik-CpfCZvYOH3sKFIa3Yb_HeOt6GnSviaML1pULaXYR0qKxsOwL2yXyfRxsZb95TGUZ9e8wVvb5AGlxVAZD6_NWlU5qxTqss7fR3vAVbFJyWDcnZ_qEP4iu2yhXuZfplsnDSB8ZO_7JEUJKEKG3AEjsaX0c0eJAc0gJEQ5bx7uujGIUe1mpGhz6AwaLXHnbY_mzgA2HFXFLaqL_l6vwbLJzg8khzqOUT8sF0d91yGco6xxxb_tcLWFURT4z3e6i2Nz0KOpQkt5R8U4TiM41khXbpfiRxsWetc-TunteIv0iVtw3K1My7-qJOeSJn_JvDtnTxaesEiMbaMcGGkyGF_Ew33kSVrO3Ooiiv3qpb2oLLCz5CQ3gxStFCxpf4_ga69rCVQZwnY3-OX4r1pUq-1ObvQBuM055c2jCyhK5EGcd0aN7tu5yCCVLcIsjVLYBmCt-fa2Hkw_qgy6e6-0T07gLPB56k7_O4dm7qI7DbtmBEVR5LYPIA3LxK0Rpsfza0Uj9ELgubA6LP7GhMD313_mIC9DMAjZ3S2jpiuENqm8FsYsLPBKjSWBDCPbI9hHwEl1fBhSoaMxhNSaLdIj88Y5tBADrV0jMgFk9n2Xnzxr8WIMlczvWcFYLoDV6W1shGdxxsDpLK6XLYtzu2hxtm26z1Zhn41LNPuOTUpOK8iC_9J68lUW61mHJbYtWBTmKgXe6IssWegbfdtRLFBRccsWSqIBYtWQtEccTFtzmX4IgBqwCHpOCIVAg7F1m3zV-cI2AfpLccceSGbONTmdOl9dmye0EgW45Mqkz4gAqBfHwkGw8EyiBV9oIUY5dwB3RcrJx9MQlF7iLRMpnbKeVxBePtiEmkc4cn81CPkxjS1PvhH1EljWtHi9OKXKeWzoExnWtVbdHJxe2mcgvNcmqfrPj-R3DWfN83pqNdymqVpqsjZFbZv2UmQlZ8RJxMAqIPqihdA5iYxWzjhtINcrvSRY6qw8fN392t83_1in0XJCHkIO5MJnNYbHhaX7RbnifvXn1Lkg2NwvjAMrl1b8EEq-AO2pqt_XvgAThvv8Khrcwon-RQxmLKVrZPpOv7O-vaHoLsTr2inclMRvwZ_b_w3WMI5G9CAU8mD8eGco1BnkSK8EL78-j57NTH3kXnro6DsA4vgv57a_QuTxXi_DsMLcK5xFDJzohSYzI4DPDjgyuWItztGgk6pAn_ScOkGJ8iMiMaAKH0kxe0g4hjoUSfsS5-SSfAe7RnhZo-WNMn3x6Iz6S7vi9mKttfBRLiKyyPe1tS3ULngJEMukZfR90tUVD1V-yRf1Td1oX08-8iIf1H_qQgLvy37_glhrQRnJOVnufbTGmBTrfJdf482TGhn5HxEOKcaXYKHSU259IegMjT0ikzrxXkCVoI-M1kBuEYtBKCvG1gPH8vO1H710GNzPGq2ZCXBFtNFPsegmx-WXviJd_-B3nFrv_N0w_op0EBZH0Zxel_ZJzkPWzs7zDMRA_qVKjjeVDFDawOK2jKfchsQn4jWCXEYRjn0OpdWb2Hq0PmLvhFPcSgGxPOs6StdcHUGIkwoERzPr20mGj4ZBM9R7krYjjbo6Lddg-Pkvu503E07J9GZMnJ97lvbSVZeckrdFXd2btmh1aJI_qg_DCWwovhKIImN-l-IShEFkQjEBwei9nIiik05qjnU3twlVVIqRaPwV9UUXPODV-xz-oXh0CeN1QKNVAHV8-uoyfzF6F1tQ1Fkv2du_AvEFYySTqqAZVcmXGY6g0ESntPJ4bSYZ-CD3Sk7PxUvJpnQoXgtVzDlqRQeTr2ltqo5QFMyIuTEOCk1alYy-crWQi6Y7-iDHdNtDkYfaVWlYy4mHavmZ9mE5VhIR69UEvRGw2c1D0sNdkBd15EzRS2jA5KGI56bTjNElT9aJOwnPyHQUTJ5I; path=/; HttpOnly

status:302

timing-allow-origin:*

via:cache5.l2cm10-1[157,0], cache2.cn242[166,0]

x-powered-by:ASP.NET

第三步:

根据 Location 的地址跳转 ,这个时候发现 并不是 HTTPS

问题分析

///

///Handles SignIn///

///

protected override asyncTask ApplyResponseChallengeAsync()

{if (Response.StatusCode == 401)

{

AuthenticationResponseChallenge challenge=Helper.LookupChallenge(Options.AuthenticationType, Options.AuthenticationMode);if (challenge == null)

{return;

}//order for redirect_uri//1. challenge.Properties.RedirectUri//2. CurrentUri

AuthenticationProperties properties =challenge.Properties;if (string.IsNullOrEmpty(properties.RedirectUri))

{

properties.RedirectUri=CurrentUri;

}//this value will be passed to the AuthorizationCodeReceivedNotification

if (!string.IsNullOrWhiteSpace(Options.RedirectUri))

{

properties.Dictionary.Add(OpenIdConnectAuthenticationDefaults.RedirectUriUsedForCodeKey, Options.RedirectUri);

}if (_configuration == null)

{

_configuration= awaitOptions.ConfigurationManager.GetConfigurationAsync(Context.Request.CallCancelled);

}

OpenIdConnectMessage openIdConnectMessage= newOpenIdConnectMessage

{

ClientId=Options.ClientId,

IssuerAddress= _configuration.AuthorizationEndpoint ?? string.Empty,

RedirectUri=Options.RedirectUri,

RequestType=OpenIdConnectRequestType.AuthenticationRequest,

Resource=Options.Resource,

ResponseMode=OpenIdConnectResponseModes.FormPost,

ResponseType=Options.ResponseType,

Scope=Options.Scope,

State= OpenIdConnectAuthenticationDefaults.AuthenticationPropertiesKey + "=" +Uri.EscapeDataString(Options.StateDataFormat.Protect(properties)),

};if(Options.ProtocolValidator.RequireNonce)

{

AddNonceToMessage(openIdConnectMessage);

}var notification = new RedirectToIdentityProviderNotification(Context, Options)

{

ProtocolMessage=openIdConnectMessage

};awaitOptions.Notifications.RedirectToIdentityProvider(notification);if (!notification.HandledResponse)

{string redirectUri =notification.ProtocolMessage.CreateAuthenticationRequestUrl();if (!Uri.IsWellFormedUriString(redirectUri, UriKind.Absolute))

{

_logger.WriteWarning("The authenticate redirect URI is malformed:" +redirectUri);

}

Response.Redirect(redirectUri);

}

}return;

}

默认是取 Properties.RedirectUri 的地址否则自动获得当前请求的 CurrentUri

private stringCurrentUri

{get{return Request.Scheme +Uri.SchemeDelimiter+Request.Host+Request.PathBase+Request.Path+Request.QueryString;

}

}

由于我们使用的负载时在LB层做的,所以默认获得的地址是 HTTP的,那么为什么 Properties.RedirectUri 获取是哪里的数据呢 ?

private readonlyIOwinContext _context;

...///

///Find response challenge details for a specific authentication middleware///

/// The authentication type to look for

/// The authentication mode the middleware is running under

/// The information instructing the middleware how it should behave

public AuthenticationResponseChallenge LookupChallenge(stringauthenticationType, AuthenticationMode authenticationMode)

{if (authenticationType == null)

{throw new ArgumentNullException("authenticationType");

}

AuthenticationResponseChallenge challenge=_context.Authentication.AuthenticationResponseChallenge;bool challengeHasAuthenticationTypes = challenge != null && challenge.AuthenticationTypes != null && challenge.AuthenticationTypes.Length != 0;if (challengeHasAuthenticationTypes == false)

{return authenticationMode == AuthenticationMode.Active ? (challenge ?? new AuthenticationResponseChallenge(null, null)) : null;

}foreach (var challengeType inchallenge.AuthenticationTypes)

{if (string.Equals(challengeType, authenticationType, StringComparison.Ordinal))

{returnchallenge;

}

}return null;

}

也就是说在 401 状态码的情况下,会获取  _context.Authentication.AuthenticationResponseChallenge 对象时候为 null ,并不是客户端配置项,最后突然想到可能是 Idsrv 的拦截器里配置的(https://github.com/IdentityServer/IdentityServer3.Extensions.Mvc/blob/master/source/IdentityServer3.Extensions.Mvc/IdentityServer3.Extensions.Mvc/Filters/IdentityServerFullLoginAttribute.cs)

public classIdentityServerFullLoginAttribute : OwinAuthenticationAttribute

{publicIdentityServerFullLoginAttribute()

:base(Constants.PrimaryAuthenticationType)

{this.Order = 1;

}public override voidOnAuthenticationChallenge(AuthenticationChallengeContext filterContext)

{var statusCodeResult = filterContext.Result asHttpStatusCodeResult;if (statusCodeResult != null && statusCodeResult.StatusCode == 401)

{var ctx =filterContext.HttpContext.Request.GetOwinContext();var url = ctx.Environment.CreateSignInRequest(newSignInMessage

{

ReturnUrl=filterContext.HttpContext.Request.Url.AbsoluteUri

});

filterContext.Result= newRedirectResult(url);

}

}

}

解决方案

1.) 客户单强制设置返回 302 与 URL 或 强制给 Properties.RedirectUri 赋值

public classStartup

{private static readonly Logger logger =LogManager.GetCurrentClassLogger();///

///启动类配置///

///

public voidConfiguration(IAppBuilder app)

{//忽略SSL证书,安全验证//ServicePointManager.ServerCertificateValidationCallback += delegate (object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)//{//return true;//};//configuring Redis

GlobalHost.DependencyResolver.UseRedis(new RedisScaleoutConfiguration(CacheSetting.Redis, "SignalR") { Database = 3});//configuring the OpenID Connect authentication middleware

app.UseCookieAuthentication(newCookieAuthenticationOptions

{

AuthenticationType= "Cookies",

});

app.UseOpenIdConnectAuthentication(newOpenIdConnectAuthenticationOptions

{//Set expiration time to 8 hours

ProtocolValidator = newOpenIdConnectProtocolValidator()

{

NonceLifetime= new TimeSpan(0, 8, 0, 0)

},

Authority=IdsvSetting.Authority,

ClientId=IdsvSetting.ClientId,

Scope= "openid profile",

ResponseType= "id_token token",

RedirectUri=IdsvSetting.RedirectUri,

SignInAsAuthenticationType= "Cookies",

UseTokenLifetime= false,

Notifications= newOpenIdConnectAuthenticationNotifications

{

SecurityTokenValidated= async n =>{try{var id =n.AuthenticationTicket.Identity;var nid = newClaimsIdentity(id.AuthenticationType);//keep the id_token for logout

nid.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));//add access token for sample API

nid.AddClaim(new Claim("access_token", n.ProtocolMessage.AccessToken));//keep track of access token expiration

nid.AddClaim(new Claim("expires_at", DateTimeOffset.Now.AddSeconds(int.Parse(n.ProtocolMessage.ExpiresIn)).ToString()));//获得用户信息//var client = new UserInfoClient(new Uri(n.Options.Authority + "/connect/userinfo"), n.ProtocolMessage.AccessToken);//var userInfo = await client.GetAsync();//var user = userInfo.JsonObject.Last.First.ToString().DeserializeJson(System.Text.Encoding.UTF8);

var userInfoClient = new UserInfoClient(new Uri(n.Options.Authority + "/connect/userinfo"), n.ProtocolMessage.AccessToken);var userInfo = awaituserInfoClient.GetAsync();var user = userInfo.JsonObject.Last.First.ToString().DeserializeJson(System.Text.Encoding.UTF8);

...

n.AuthenticationTicket= newAuthenticationTicket(nid, n.AuthenticationTicket.Properties);清空 OpenIdConnect 开头的 Cookies

foreach (var item inHttpContext.Current.Request.Cookies.AllKeys)

{if (item.Contains("OpenIdConnect", StringComparison.OrdinalIgnoreCase))

{

HttpCookie cookie=HttpContext.Current.Request.Cookies[item];

cookie.Expires= DateTime.Now.AddDays(-1);

HttpContext.Current.Response.Cookies.Add(cookie);

}

}

HttpContext.Current.Response.AddHeader("Location", IdsvSetting.RedirectUri);

}catch(Exception ex)

{

ex.ToExceptionless().MarkAsCritical().Submit();

logger.Error(ex,"UseOpenIdConnectAuthentication:" +ex.Message);

}

},

RedirectToIdentityProvider= n =>{if (n.ProtocolMessage.RequestType ==OpenIdConnectRequestType.LogoutRequest)

{var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");if (idTokenHint != null)

{

n.ProtocolMessage.IdTokenHint=idTokenHint.Value;

}

}return Task.FromResult(0);

},

AuthenticationFailed= (context) =>{if (context.Exception is OpenIdConnectProtocolInvalidNonceException && context.Exception.Message.ContainsAny(new string[] { "IDX10316", "IDX10311"}))

{

logger.Warn("OpenIdConnectProtocolInvalidNonce expired, reauthenticating...");

context.HandleResponse();//context.Response.Redirect("/Error.aspx?message=" + context.Exception.Message);

context.Response.Redirect(context.Request.Uri.PathAndQuery);

}return Task.FromResult(0);

},

}

});

}

}

2.) MVC 拦截器里设置 Properties.RedirectUri

public classTokenAuthorizeFilter : AuthorizeAttribute

{public override voidOnAuthorization(AuthorizationContext context)

{if (!context.HttpContext.User.Identity.IsAuthenticated)

{#if !DEBUGHttpContext.Current.GetOwinContext().Authentication.Challenge(newAuthenticationProperties

{

RedirectUri= context.HttpContext.Request.Url.ToString().Replace("http", "https")

});#endif

//401 who are you? go login and then try again

context.Result = newHttpUnauthorizedResult();

}//如果 session 不存在,清除 openid//context.RequestContext.HttpContext.GetOwinContext().Authentication.SignOut();//context.Result = new RedirectResult("/home?returnUrl=" + HttpUtility.UrlEncode(HttpContext.Current.Request.Url.AbsoluteUri));

}

}

Xshell在Windows和Linux间文件的上传和下载
qq_45562973的博客
02-24 1680
Python微信订餐小程序课程视频 https://edu.csdn.net/course/detail/36074 Python实战量化交易理财系统 https://edu.csdn.net/course/detail/35475 本文通过lrzsz来实现Windows和Linux间文件间的文件传输。 lrzsz使用 XMODEM、YMODEM 和 ZMODEM 文件传输协议来实现文件的上传和下载。相比 FTP 或者 WinSCP 工具配置简单,它无需配置,即装即用,非常方便! 环境 客户端:Win
UBUNTU编译DBVM的步骤及出现问题解决方案(DBVM-->CheatEngine)
05-02 5848
1, 首先要确保你的系统是ubuntu 64bit的, 我采用的系统是ubuntu 64bit 13.10版进行编译 2, 确定ubuntu是否安装来yasm和nasm 否---->则 apt-get install yasm apt-get install nasm 3, 进行编译 make clean cdimage 中间有可能会出现错误ubuntu bits/pred
htpp://bangbang.58.com/pc.html,package-lock.json
weixin_35266799的博客
06-25 17万+
{"name": "admin","version": "4.0.1","lockfileVersion": 1,"requires": true,"dependencies": {"@babel/code-frame": {"version": "7.5.5","resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-fra...
http://95u.free.fr/index.php,Electronic Software Distribution Service
热门推荐
weixin_39632291的博客
03-19 137万+
Content-Type: multipart/related; start=; boundary=----------OH5LlQ9dynBJGqR8E2AiMRContent-Location: https://software.pitt.edu/software/software.aspSubject: =?utf-8?Q?Electronic=20Software=20Distributi...
Android常用工具库
Sir的专栏
01-04 3164
原文:https://github.com/Trinea/android-open-project 主要包括那些不错的开发库,包括依赖注入框架、图片缓存、网络请求、数据库 ORM 建模、Android 公共库、Android 高版本向低版本兼容、多媒体相关及其他。 一、依赖注入 DI 通过依赖注入减少 View、服务、资源简化初始化,事件绑定等重复繁琐工作 1、AndroidAnn...
http://www.htsjpt.com/admin.php,webshell/php/xiao.php.txt at f875e7b78085777b8a10c3456478dbd192d851a...
weixin_39980575的博客
03-13 94万+
eval(gzuncompress(base64_decode("eJzsvfl3G8eROP6z/J7/h9GYK4AmiIP3IVDiTUq8RJA6qceHY0BABDDQAOAhW/u/MNpNvLJ2I0qkLoq6SJsUZVEUSUmOnnP4WCeO1slGzsd2rDjvW9XHTA8wACnFye7nky9tkUAf1dXV1dXV1dXViqap2rCmJFUtHU2M2Ku...
关于 IdentityServer 部署到生产环境相关问题踩坑记录
weixin_34198797的博客
03-07 2491
Idsr 定义了几种模式适用于不同的场景: // // 摘要: // OpenID Connect flows. public enum Flows { // // 摘要: // authorization code flow AuthorizationCo...
WENJ.rar_GPS_dingwei_rtklib_simplest7bk_差分定位
07-14
《基于RTKLIB的GPS差分定位技术详解》 在现代定位技术中,GPS(全球定位系统)差分定位已经成为高精度定位应用的关键技术之一。本文将深入探讨一种利用RTKLIB库和VS2010编译环境实现的简单GPS差分定位系统——...
python接收到文件wenj.zip,新建名为wenj的文件夹
05-17
可以使用Python内置的zipfile模块来解压缩wenj.zip文件,并创建名为wenj的文件夹。以下是代码示例: ```python import os import zipfile # 假设wenj.zip文件位于当前目录下 zip_file = 'wenj.zip' # 创建目录 if...
下载wenj1该文件没有与之关联
最新发布
12-30
当下载名为wenj1的文件时遇到了文件没有与之关联的问题,这通常意味着系统不知道应该使用哪个程序打开这个特定类型的文件。以下是几种可能的方法来解决问题: 选择默认应用程序 对于大多数操作系统来说,可以手动...
python爬虫cookie
da_yu_yan_jia的博客
06-24 3万+
有些网站需要cookie才能访问,或者一些页面跳转也要cookie才行 那么requests.Session()就很好用了 import requests from fake_useragent import UserAgent headers = { 'User-Agent': UserAgent().random, 'Upgrade-Insecure-Requests': '1', } #get_url = 'http://www.yngp.com/newbulletin_zz.do?
Lcd Debug
m0_73462935的博客
03-03 3298
P963F10手动灭亮屏的打印:相比于电源键dpu等未reset 6,33118,6687299931,c1,-,caller=T662;[drm][sprd_pwm_backlight_update]sprd_pwm_backlight_update:brightnesslevel:0=>0min_level:11 6,33119,6687306422,c6,-,caller=T596;[drm][dpms_mode_store]inputdpm
php shgtxkn cn,webshell/oi.php.txt at master · tennc/webshell · GitHub
weixin_39673184的博客
03-21 10万+
eval("?>".gzuncompress(base64_decode("eJzsvXtbG0eyOPz/eZ7zHZqJYkuxEALbuYAhwYBjToxhAa83P+BVRpqRNEHSKDMjLsn6u79V1feeHkmQZE/2POvd2Jq+VFdXd1dXV1dVv/p2Opz+9399ttwfLMjif7DDyU0YJVHKNtrtb1jpDxaM4n4yietP82H...
使用Java将图片转成Base64编码,并压缩至40k
lihuazaizheli的博客
08-17 3万+
文章目录1.添加依赖包2.代码3.测试 1.添加依赖包 <!-- 压缩图片--> <dependency> <groupId>net.coobird</groupId> <artifactId>thumbnailator</artifactId> <version>0.4.8</version> </dependency&gt
知名博客转发
hafubote的博客
08-28 9424
今天看到一篇文章,收藏了很多大牛的博客,在这里分享一下(转载于:http://blog.csdn.net/wujxiaoz/article/details/8237096) Android中文Wiki AndroidStudio-NDK开发-移动开发团队 谦虚的天下 - 博客园 gundumw100博客 - android进阶分类文章列表 - ITeye技术网站 CSDN博文精选
http://mail.163.com/help/help_spam_16.htm?ip=118.186.207.7&hostid=smtp5&time=1358341921
云计算?
01-16 75万+
0INRMumLsiQwT0xVgvYVmNCBWS7mV8LzSeLOZGHzflL3ziBSx+iej3G1syAeYvPZxqagQ0P7mgdX /qgnEWWuIcv4cTR6ZI5QNmqULAGtRkCtCNsphAD7cLBiV7UpV7yvURpKw6H8jHyDDZc8zP5P8QF9 abbRoeoTcPcDs/Ij0+JSX9fkdkqCvmUFYzy/GBb+hMWJ...
好看又炫酷的网页特效例子收集
qq_35181466的博客
06-16 8万+
好看又炫酷的网页特效例子收集
ConstraintLayout约束布局
shenglong0210的博客
05-17 19万+
ConstraintLayout约束布局 目录 前言 为什么用ConstraintLayout 如何使用ConstraintLayout 添加依赖 相对定位 角度定位 边距 居中和偏移 尺寸约束 链 辅助工具 Optimizer Barrier Group Placeholder Guideline 总结 前言 ConstraintLayout是Google在API9的时候推出的新...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值