我正在使用 .NET 4.8 MVC 应用程序实现 Azure b2c。我们的流程使用 Cookie 身份验证和具有自定义流策略的本地用户帐户,效果非常好。
问题是我在注销 azure b2c 时遇到问题。目前我正在本地测试,用户单击“注销”按钮。退出按钮会清除本地数据,然后重定向到通过此文档的链接。
https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect?ref=blog.bajonczak.com#send-a-sign-out-request
该链接似乎工作成功,但当我单击浏览器中的“后退”按钮时,用户仍然通过 B2C 进行身份验证。
谁能告诉我这是否是退出 B2C 的正确方法?
通过启动登录代码
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
// ASP.NET web host compatible cookie manager
CookieManager = new SystemWebChunkingCookieManager(),
CookieName = "MyPortal.AuthCookie",
CookieSameSite = Microsoft.Owin.SameSiteMode.Lax,
CookieSecure = CookieSecureOption.Always,
CookieHttpOnly = true,
CookiePath = Globals.ApplicationRelativePath
});
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// Generate the metadata address using the tenant and policy information
MetadataAddress = String.Format(Globals.WellKnownMetadata, Globals.TenantId, Globals.DefaultPolicy),
// These are standard OpenID Connect parameters, with values pulled from web.config
ClientId = Globals.ClientId,
RedirectUri = Globals.RedirectUri,
PostLogoutRedirectUri = Globals.PostLogoutRedirectUri,
UseTokenLifetime = true,
// Add the ProtocolValidator property here
// Specify the callbacks for each type of notifications
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = OnRedirectToIdentityProvider,
AuthenticationFailed = OnAuthenticationFailed,
SecurityTokenValidated = OnSecurityTokenValidated
},
// Specify the claim type that specifies the Name property.
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "extension_Role",
ValidateIssuer = false
},
// Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
Scope = $"openid profile offline_access {Globals.ReadTasksScope} {Globals.WriteTasksScope}",
// ASP.NET web host compatible cookie manager
CookieManager = new SystemWebCookieManager(),
}
);
}
注销功能 - 添加了 OWIN 注销以进行额外检查,但无论如何它都会执行相同的操作
public ActionResult LogOff()
{
//Log out through OWIN
IEnumerable<AuthenticationDescription> authTypes = HttpContext.GetOwinContext().Authentication.GetAuthenticationTypes();
HttpContext.GetOwinContext().Authentication.SignOut(authTypes.Select(t => t.AuthenticationType).ToArray());
Request.GetOwinContext().Authentication.GetAuthenticationTypes();
HttpContext.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);
//Expire cookie
if (Request.Cookies["MyPortal.AuthCookie"] != null)
{
HttpCookie authCookie = new HttpCookie("MyPortal.AuthCookie");
authCookie.Expires = DateTime.Now.AddDays(-1d);
Response.Cookies.Add(authCookie);
}
try
{
AccountManager accountManager = new AccountManager();
accountManager.LogOff();
var RequestUri = new System.Uri(Globals.AadLogoutUrl);
return Redirect(RequestUri.ToString());
}
catch
{
throw;
}
}
最后 - 我的RequestURI
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{flow}/oauth2/v2.0/logout?post_logout_redirect_uri={redirectURI}
这可能是两件事之一。
尽管您已使 cookie 失效,但服务器上可能仍存在内存中会话。
在注销操作中,清除会话以将其从内存中删除。
Session.Clear()
当您单击后退按钮时,根据您使用的浏览器,您可能只会显示缓存的内容。这可能看起来好像您已登录,但刷新页面或重新输入您的网络应用程序的地址通常会产生不同的结果。
您的注销后重定向 URI 应始终设置为控制器上的干净状态路由或操作。例如,到注销后 https://your-app.com/signedOut,您可以在其中重定向到主页,并可以选择显示注销消息几秒钟。