问题描述
我有一个ASP.NET Core Web App,并且我想使用Azure AD身份验证.我已经全部设置好并在本地工作,但是当我将其部署到Service Fabric实例时,内部API调用会出错,因为它试图再次登录API调用.
I have an ASP.NET Core Web App, and I want to use Azure AD authentication. I've got it all set up and working locally, but when I deploy it to my Service Fabric instance, I'm getting errors on internal API calls, because it attempts to login again on the API call.
经过一番挖掘,我发现默认情况下,机器密钥用于加密cookie.我的SF实例运行着多台计算机,这似乎是罪魁祸首(不同的计算机无法读取相同的cookie,因此认为我没有经过身份验证).
After some digging, I discovered that by default, the Machine Key is used to encrypt the cookie. My SF instance has multiple machines running, which seems to be the culprit (different machines cannot read the same cookie, therefore, thinks I am not authenticated).
有没有一种方法可以使AAD cookie身份验证在计算机之间使用相同的密钥?
Is there a way to get the AAD cookie authentication to use the same key between machines?
这是我目前在ConfigureServices通话中所拥有的:
This is what I currently have in my ConfigureServices call:
services.AddDataProtection()
.SetApplicationName("my-app")
.ProtectKeysWithCertificate("my-thumbprint")
.PersistKeysToFileSystem(new DirectoryInfo("dp-keys"));
但是这似乎仍然行不通-每台机器上仍会生成一个不同的密钥.目前,我还没有办法在所有机器之间共享文件-这是唯一的解决方案,还是还有其他解决方案?
But this still doesn't seem to work - a different key is still generated on each machine. At the moment, I don't have a way to share a file between all the machines - would that be the only solution, or would there be something else as well?
推荐答案
由于我们使用的是服务结构,因此您已经正确部署了群集可以使用的证书.否则,您将必须添加证书.
Since we are on service fabric, you properly already have a cert deployed that your cluster can use. Otherwise you would have to add a certificate.
然后您可以执行以下操作:
Then you can do the following:
var cert = X509.LocalMachine.My.Thumbprint.Find("C03BB5A6410741CDD2927B4FF88C3E67215A393B", validOnly: false).FirstOrDefault();
services.AddApplicationStorageDataProtection(_container, cert);
和
public static IServiceCollection AddApplicationStorageDataProtection(this IServiceCollection services, IUnityContainer container, X509Certificate2 cert )
{
if (container != null)
{
try
{
var storage = container.Resolve<IApplicationStorageService>();
var token = storage.GetApplicationStorageSharedAccessSignature().GetAwaiter().GetResult();
var name = storage.GetApplicationStorageAccountNameAsync().GetAwaiter().GetResult();
var a = new CloudStorageAccount(new StorageCredentials(token), name, null, true);
var c = a.CreateCloudBlobClient().GetContainerReference("dataprotection");
c.CreateIfNotExists();
services.AddDataProtection()
.ProtectKeysWithCertificate(cert)
.PersistKeysToAzureBlobStorage(c.GetBlockBlobReference("dummy.csrf"));
}
catch (Exception ex)
{
Console.WriteLine(ex.ToString());
throw;
}
}
return services;
}
您必须根据自己的需要更改代码.此处提供的代码使用的是群集中已部署的存储服务,因此我不需要管理所有应用程序中存储的凭据,而只需向存储服务索取凭据,并且统一容器就在那里,因为这是我正在使用的底层DI框架.
You would of cause have to change the code to your needs. The code provided here is using a deployed storage service in the cluster, such I dont need to manage credentials for storage in all my applications, but simply can ask the storage service for the credentials, and also the unity container is just there because this is the underlying DI framework that i am using.
所以您需要的部分是:
services.AddDataProtection()
.ProtectKeysWithCertificate(cert)
.PersistKeysToAzureBlobStorage(c.GetBlockBlobReference("dummy.csrf"));
这篇关于Azure AD,ASP.NET Core Web App和Service Fabric:如何使身份验证在多台计算机上工作?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!