我有一个web api / mvc混合应用程序,我已将其配置为使用cookie身份验证.这适用于应用程序的mvc部分. web api确实强制执行授权,但不返回401 – Unauthorized它返回302 – Found并重定向到登录页面.我宁愿它返回401.我试图挂钩到CookieAuthenticationProvider.OnApplyRedirect委托,但似乎没有调用.我错过了什么?我目前的设置如下:
AntiForgeryConfig.UniqueClaimTypeIdentifier = Constants.ClaimTypes.Subject; JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string,string>(); app.UseCookieAuthentication(new CookieAuthenticationoptions { AuthenticationType = "Cookies",ExpireTimeSpan = TimeSpan.FromMinutes(20),SlidingExpiration = true,CookieHttpOnly = true,CookieSecure = CookieSecureOption.Never,//local non ssl-dev only Provider = new CookieAuthenticationProvider { OnApplyRedirect = ctx => { if (!IsAjaxRequest(ctx.Request)) { ctx.Response.Redirect(ctx.RedirectUri); } } } }); app.USEOpenIdConnectAuthentication(new OpenIdConnectAuthenticationoptions { Authority = IdentityConfig.Authority,ClientId = IdentityConfig.softwareClientId,Scope = "openid profile roles",RedirectUri = IdentityConfig.RedirectUri,ResponseType = "id_token",SignInAsAuthenticationType = "Cookies" });
解决方法
在您的示例中,UseCookieAuthentication不再对此进行控制,而是使用USEOpenIdConnectAuthentication.这涉及使用Notifications属性并拦截OpenID Connect身份验证请求.
尝试以下灵感:
app.USEOpenIdConnectAuthentication(new OpenIdConnectAuthenticationoptions { Authority = IdentityConfig.Authority,SignInAsAuthenticationType = "Cookies",Notifications = new OpenIdConnectAuthenticationNotifications { RedirectToIdentityProvider = notification => { if (notification.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest) { if (IsAjaxRequest(notification.Request) && notification.Response.StatusCode == (int)HttpStatusCode.Unauthorized) { notification.Response.StatusCode = (int)HttpStatusCode.Unauthorized; notification.HandleResponse(); return Task.Fromresult(0); } } return Task.Fromresult(0); } } });
