Kubernetes中的Azure AD身份验证无法取消对邮件的保护。状态

Azure AD Authentication in Kubernetes Unable to unprotect the message.State(Kubernetes中的Azure AD身份验证无法取消对邮件的保护。状态)

本文介绍了Kubernetes中的Azure AD身份验证无法取消对邮件的保护。状态的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个使用AzureAD B2C身份验证的DotNet核心MVC Web应用程序(通过OpenID Connect)。当我在本地主机上运行它时,它可以正常工作,但当我将解决方案部署到Kubernetes并尝试登录时,我收到以下错误:

Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[1]
      An unhandled exception has occurred while executing the request.
System.Exception: An error was encountered while handling the remote login.
 ---> System.Exception: Unable to unprotect the message.State.
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)'

我已经设置了一个带有SSL的Nginx入口,它将流量转发到Kubernetes中的服务,因此它在集群中充当反向代理。

为了确保保留请求的原始主机名,我将以下内容添加到启动.cs中:

services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders =
                    ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost;
                options.KnownNetworks.Clear();
                options.KnownProxies.Clear();
            });
app.UseForwardedHeaders();

以及将以下批注添加到我的入口

    nginx.ingress.kubernetes.io/proxy_http_version: "1.1"
    nginx.ingress.kubernetes.io/proxy_set_header: "Upgrade $http_upgrade"
    nginx.ingress.kubernetes.io/proxy_set_header: "Connection keep-alive"
    nginx.ingress.kubernetes.io/proxy_set_header: "Host $host"
    nginx.ingress.kubernetes.io/proxy_cache_bypass: "$http_upgrade"
    nginx.ingress.kubernetes.io/proxy_set_header: "X-Forwarded-For $proxy_add_x_forwarded_for"
    nginx.ingress.kubernetes.io/proxy_set_header: "X-Forwarded-Proto $scheme"
    nginx.ingress.kubernetes.io/proxy_buffers: "16 16k"
    nginx.ingress.kubernetes.io/proxy_buffer_size: "32k"

我还确保已在Azure中正确配置回复URL。

配置入口(Nginx)时是否遗漏了可能导致此问题的步骤?

推荐答案

我也遇到了同样的问题,添加数据保护解决了它:

        private void AddDataProtection(IServiceCollection services, IConfiguration configuration)
        {
            var serviceProvider = services.BuildServiceProvider();
            var kvClient = serviceProvider.GetRequiredService<IKeyVaultClient>();
            var vaultSettings = configuration.GetConfiguredSettings<VaultSettings>();
            var redisSettings = configuration.GetConfiguredSettings<RedisSettings>();
            var redisAccessKey = kvClient.GetSecretAsync(vaultSettings.VaultUrl, redisSettings.AccessKeySecretName).GetAwaiter().GetResult().Value;
            var connectionMultiplexer = ConnectionMultiplexer.Connect(new ConfigurationOptions()
            {
                EndPoints = { redisSettings.Endpoint },
                Password = redisAccessKey,
                Ssl = true,
                AbortOnConnectFail = false
            });
            var key = $"{env.ApplicationName}::{env.EnvironmentName}::DataProtection::Keys";
            Logger.LogInformation($"protect data using key={key}, cert='{redisSettings.ProtectionCertSecretName}'");
            var x509 = kvClient.GetX509CertificateAsync(vaultSettings.VaultUrl, redisSettings.ProtectionCertSecretName)
                .GetAwaiter().GetResult();
            services.AddDataProtection()
                .PersistKeysToRedis(connectionMultiplexer, key)
                .ProtectKeysWithCertificate(x509);
        }

这篇关于Kubernetes中的Azure AD身份验证无法取消对邮件的保护。状态的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!

本文标题为:Kubernetes中的Azure AD身份验证无法取消对邮件的保护。状态

基础教程推荐