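I have an ASP.NET Core 2.0 web application deployed to a Kubernetes cluster. The application uses Azure AD to authenticate some protected pages. The Kubernetes cluster is set up with the Nginx ingress controller and Let's Encrypt to support https.
I can access https://x.eastus.cloudapp.azure.com without any problem, and clicking links on the site that point to https://x.eastus.cloudapp.azure.com/link also works without a problem.
However, when I click a link that requires a signed-in user, I get: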
Sign in
Sorry, but we’re having trouble signing you in.
AADSTS50011: The reply address 'http://x.eastus.cloudapp.azure.com/signin-oidc' does not match the reply addresses configured for the application: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx'. More details: not specified
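Note that the URL above is missing https, and that is the problem.
I have registered "https://x.eastus.cloudapp.azure.com/signin-oidc" as a reply URL for the application in Azure AD.
However, I don't understand why the reply URL used during sign-in is missing https.
If I deploy the exact same application to an Azure Web App, I don't run into this problem.
What could be the problem?
Here is my Ingress YAML file: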
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: x-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    # Add to generate certificates for this ingress
    kubernetes.io/tls-acme: 'true'
spec:
  rules:
    - host: x.eastus.cloudapp.azure.com
      http:
        paths:
          - path: /
            backend:
              serviceName: x-service
              servicePort: 80
  tls:
    # With this configuration kube-lego will generate a secret called `x-tls-secret`
    # for the URL `x.eastus.cloudapp.azure.com`
    - hosts:
        - "x.eastus.cloudapp.azure.com"
      secretName: x-tls-secret
I have the following code in Startup.cs:
public void ConfigureServices(IServiceCollection services)
{
    services.Configure<ForwardedHeadersOptions>(options =>
    {
        options.ForwardedHeaders =
            ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    });
    services.Configure<MvcOptions>(options =>
    {
        options.Filters.Add(new RequireHttpsAttribute());
    });
    services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddAzureAd(options => Configuration.Bind("AzureAd", options))
    .AddCookie();
    services.AddMvc();
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    app.UseForwardedHeaders();
    app.UseStaticFiles();
    app.UseAuthentication();
}
1 Answer
Add custom middleware in the Configure method to perform a manual http-to-https redirect.
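
One way to write the middleware the answer describes, as an added example that is not part of the original answer or the asker's project. The helper name UseForwardedHttps is hypothetical, and the code assumes the Nginx ingress controller is the only network path to the pod and sets X-Forwarded-Proto on every request.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http.Extensions;

public static class ForwardedHttpsExtensions
{
    // Hypothetical helper (not from the page). Call it in Configure before
    // app.UseAuthentication():
    //     app.UseForwardedHttps();
    public static IApplicationBuilder UseForwardedHttps(this IApplicationBuilder app)
    {
        return app.Use(async (context, next) =>
        {
            var request = context.Request;

            // The ingress terminates TLS and speaks plain HTTP to the pod, so the
            // scheme the browser used is only visible in X-Forwarded-Proto.
            // Assumption: the pod is not reachable except through the ingress;
            // otherwise any client can set this header itself.
            string forwardedProto = request.Headers["X-Forwarded-Proto"];
            bool clientUsedHttps = string.Equals(
                forwardedProto, "https", StringComparison.OrdinalIgnoreCase);

            if (request.IsHttps || clientUsedHttps)
            {
                // The OpenID Connect handler builds redirect_uri from
                // Request.Scheme, so restore the scheme the client used.
                request.Scheme = "https";
                await next();
                return;
            }

            // The client really used plain HTTP: send it to the same URL on
            // https and do not run the rest of the pipeline.
            var httpsUrl = UriHelper.BuildAbsolute(
                "https", request.Host, request.PathBase, request.Path, request.QueryString);
            context.Response.Redirect(httpsUrl);
        });
    }
}
```

With the scheme restored before authentication runs, the reply address sent to Azure AD starts with https and matches the registered "https://x.eastus.cloudapp.azure.com/signin-oidc".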