IdentityServer3: cannot update the cookie when the applications are on another machine?

Problem description

I set up several test sites for SSO using IdentityServer3, pretty much the cookie cutter sample apps with minor variations. They work well except one thing: When trying to single sign OUT and/or update claims via cookie, it only works if all apps are on the same machine.

For example, these two apps can single sign out.

http://localhost:81
http://localhost:82

Claims updated in one app using the following also show up in the other.

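        // Requires: using System.Security.Claims; using System.Web; using Microsoft.Owin.Security;
        // Setting the response grant makes the cookie middleware re-issue the cookie for the updated identity.
        var authenticationManager = HttpContext.Current.GetOwinContext().Authentication;
        authenticationManager.AuthenticationResponseGrant =
            new AuthenticationResponseGrant(new ClaimsPrincipal(identity),
                 new AuthenticationProperties { IsPersistent = false });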

It also works if I configure the apps like this:

http://mymachine/app1
http://mymachine/app2

But if I mix the two

http://localhost:81
http://mymachine/app2

Then it won't work. Tried SignOut/SignIn too, same result. They still single sign on, but can't sign out together. Change in claims won't show in the other. Of course, same if I deploy the app to different servers. As if the cookies update happened at local machine, rather than on IdSvr.

Any hint what I missed? Thanks.

Recommended answer

Single Sign Off is not available out of the box; unfortunately, the behavior you were seeing when in the same domain was a bit of a red herring.

Out of the box, when you log out of IdentityServer, your client applications will only find out and log out themselves once they make a new request to IdentityServer (maybe their own application cookie expired and they went to re-log in, or maybe they tried to request a token).

To implement Single Sign Off, each of your client applications needs to have a way of being told by IdentityServer that they need to log out. This can be done using a front-channel HTTP request or by session management.

Check out the IdentityServer Signout Support documentation for more details on how to do this or check out Brock Allen's post on the subject.
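
Browsers scope cookies by host and path, not by port, which is one likely reason the same-host setups looked like working single sign-out. The following is an added example, not code from the original post or from IdentityServer; it assumes each app writes a host-only cookie named `.AspNet.Cookies` with `Path=/`, and the function names are hypothetical.

```javascript
// Added example: which of the question's app URLs end up sharing one auth cookie.
// Assumption: every app sets a host-only cookie ".AspNet.Cookies" (no Domain attribute).
const COOKIE_NAME = ".AspNet.Cookies";

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// The cookie as the browser stores it after a response from setterUrl.
// Only the host is recorded; the port is not part of the cookie's scope.
function storeCookie(setterUrl, cookiePath) {
  const u = new URL(setterUrl);
  return { name: COOKIE_NAME, host: u.hostname, path: cookiePath };
}

// Would the browser attach the stored cookie to a request for targetUrl?
function isSentTo(cookie, targetUrl) {
  const u = new URL(targetUrl);
  return u.hostname === cookie.host && pathMatches(u.pathname, cookie.path);
}

// True when a cookie written (or cleared) by appA is the one appB also reads.
function sharesCookie(appA, appB, cookiePath) {
  return isSentTo(storeCookie(appA, cookiePath), appB);
}

// The three setups from the question, all with Path=/.
function report() {
  const pairs = [
    ["http://localhost:81", "http://localhost:82"],
    ["http://mymachine/app1", "http://mymachine/app2"],
    ["http://localhost:81", "http://mymachine/app2"],
  ];
  return pairs.map(([a, b]) => ({ a, b, shared: sharesCookie(a, b, "/") }));
}

console.log(report());
// Scoping the cookie to the app's own path isolates the two apps on one host.
console.log(sharesCookie("http://mymachine/app1", "http://mymachine/app2", "/app1"));
```

When the cookie is shared, signing out or re-issuing claims in one app overwrites the other app's session as a side effect; across hosts nothing is shared, so only a sign-out notification from IdentityServer reaches every client.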

10-21 03:00