OpenIDConnect Azure Website hosted in an iFrame within Dynamics CRM Online

你离开我真会死。 Submitted on 2019-12-12 09:50:03

Question


I'm trying to get the OpenIDConnect Azure sample from here working within an iFrame in CRM. I've deployed to Azure where login works fine when hitting the site directly.

When I access the site via an iFrame in CRM Online it's displayed fine, but when I attempt to log in I'm getting the following error:

Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolInvalidNonceException: IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'.

After some investigation I've updated the OWIN middleware configuration to set the RequireNonce false:

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        // Replaces the default protocol validator so that a missing nonce no
        // longer fails the sign-in (the change the IDX10311 message suggests).
        ProtocolValidator = new Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolValidator()
        {
            RequireNonce = false
        }
    });

When I now try to log in I get the following exception, at which I've hit a wall.

Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolException: invalid_request

Any help would be much appreciated. I understand the use of nonce, but I'm yet to understand the full implications of disabling it within this use case, so getting this working without the need to disable it would be ideal.


Answer 1:


The authentication experience cannot be iFramed, for security reasons. Also, turning off the Nonce verification is very dangerous - I would strongly advise against it. You can refer to the OAuth2 and OpenID Connect threat models for concrete details on the risks you'll incur, however the frame busting logic should make the point moot.



Source: https://stackoverflow.com/questions/29378683/openidconnect-azure-website-hosted-in-an-iframe-within-dynamics-crm-online
