Guidance required diagnosing infinite loop authenticating on ios (safari and chrome) with identity server 4

霸气de小男生 submitted on 2019-12-11 10:55:04

Question


I'm having a strange issue with identity server 4 (deployed as an Azure app service) and authentication on mobile devices. I'm using an OpenId connect .NET core MVC client to authenticate against my identity server (which is configured with AspNetIdentity). This is working absolutely fine with a desktop browser, but on an iphone when I log in it goes into an infinite loop bouncing back and forth between id server and client (with mobile safari or chrome).

If I stop the loop and interrupt then navigate to the site, I'm authenticated, which shows the cookie has been issued fine.

The bizarre thing is I have another system with a near identical setup that doesn't have this behaviour. As there are no errors and I can only reproduce on a mobile in my staging environment, I'm finding it hard to figure out steps to diagnose the issue, or where I should be looking.

I'm not issuing a large number of claims or anything that would bloat the cookie size.

It's pretty much identical to this issue with identity server 3:

IdentityServer3 constant redirect on login only on mobile

Any pointers on what I should be looking for here would be great.


Answer 1:


There were some changes in iOS12 Safari that broke oidc logins if using the default configuration. As detailed here: https://github.com/aspnet/Security/issues/1864

If you are using ASP.NET Core Identity you disable the protection by configuring cookies with the following code

services.ConfigureExternalCookie(options =>
{
    // Other options
    options.Cookie.SameSite = SameSiteMode.None;
});
services.ConfigureApplicationCookie(options =>
{
    // Other options
    options.Cookie.SameSite = SameSiteMode.None;
});

If you are using cookie authentication without ASP.NET Core identity you can turn off the protection with the following code

services.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
    // Other options
    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
});

If you are using external OIDC providers you may be able to avoid the issue by changing the response mode your provider uses from a POST to a GET request, using the following code. Not all providers may support this.

.AddOpenIdConnect("myOIDProvider", options => {
    // Other options
    options.ResponseType = "code";
    options.ResponseMode = "query";
});

Note that in making these changes protection is removed for all users and all browsers. You should ensure that all your actions that make state changes are protected with CSRF anti-forgery mechanisms built into ASP.NET Core.
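The snippets above drop SameSite protection globally. As an added example (not part of the answer or of ASP.NET Core itself), the cookie policy below keeps SameSite=None only on cookies that already ask for it and omits the attribute just for the Safari/WebKit builds tracked in aspnet/Security#1864; it assumes ASP.NET Core 3.1 or a patched 2.1 where `SameSiteMode.Unspecified` exists, and `app.UseCookiePolicy()` registered before `app.UseAuthentication()`.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class SameSiteCookiePolicy
{
    // Call from Startup.ConfigureServices; hypothetical helper name.
    public static IServiceCollection AddScopedSameSitePolicy(this IServiceCollection services)
    {
        return services.Configure<CookiePolicyOptions>(options =>
        {
            // Do not force a minimum; let each cookie keep the SameSite it was given.
            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            // SameSite=None is only honoured by modern browsers when Secure is set.
            options.Secure = CookieSecurePolicy.Always;
            options.OnAppendCookie = ctx => AdjustSameSite(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => AdjustSameSite(ctx.Context, ctx.CookieOptions);
        });
    }

    private static void AdjustSameSite(HttpContext httpContext, CookieOptions options)
    {
        // Only cookies that must survive the cross-site form_post from the
        // identity provider carry SameSite=None; leave every other cookie alone.
        if (options.SameSite != SameSiteMode.None) return;

        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        if (TreatsSameSiteNoneAsStrict(userAgent))
        {
            // These browsers reject an unknown "None" value; omitting the
            // attribute restores their pre-SameSite behaviour for this cookie.
            options.SameSite = SameSiteMode.Unspecified;
        }
    }

    // Constructed heuristic covering iOS 12 and macOS 10.14 Safari; extend as needed.
    private static bool TreatsSameSiteNoneAsStrict(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent)) return false;
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
            return true;
        return userAgent.Contains("Macintosh; Intel Mac OS X 10_14")
            && userAgent.Contains("Version/")
            && userAgent.Contains("Safari");
    }
}
```

With this in place the application cookie can stay at its default SameSite=Lax, and only the OIDC correlation and nonce cookies (`options.CorrelationCookie.SameSite` / `options.NonceCookie.SameSite`) need SameSite=None, so CSRF protection is not removed for every user and browser.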



Source: https://stackoverflow.com/questions/53707776/guidance-required-diagnosing-infinite-loop-authenticating-on-ios-safari-and-chr
