OpenID provider on localhost with DotNetOpenAuth

Published 2019-03-16 17:01

Question:

I have the DotNetOpenAuth sample provider running locally and it appears to correctly handle requests via the web browser. I can step through the handler for authorisation in the debugger.

I have a project which can authenticate with Google and other providers but fails with the sample provider. The sample provider never sees a request at all and the relying party throws an exception complaining No OpenID endpoint found.

Say I do the following in the relying party:

string providerURL = "http://localhost/openid/provider";

// Now try the openid relying party...
var openid = new OpenIdRelyingParty();
var response = openid.GetResponse();
if (response == null)
{
    Identifier id;
    if (Identifier.TryParse(providerURL, out id))
    {
        // The following line throws the exception without ever making
        // a request to the server.
        var req = openid.CreateRequest(providerURL);
        // Would redirect here...
    }
}

I noticed that the UntrustedWebRequestHandler class prevents connections to hostnames such as localhost but adding it as a whitelisted host, as per the test cases or manually, doesn't seem to help.

I have checked the host is reachable with the following:

// Check to make sure the provider URL is reachable.
// These requests are handled by the provider.
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(providerURL);
HttpWebResponse httpRes = (HttpWebResponse)request.GetResponse();

Thoughts? I am at my wits' end as to why it never makes a request at all.

EDIT: localhost was whitelisted like so:

(openid.Channel.WebRequestHandler as UntrustedWebRequestHandler).WhitelistHosts.Add("localhost");

I've also tried whitelisting it by adding it to web.config like so:

<dotNetOpenAuth>
    <messaging>
        <untrustedWebRequest>
            <whitelistHosts>
                <add name="localhost"/>
            </whitelistHosts>
        </untrustedWebRequest>
    </messaging>
</dotNetOpenAuth>

Using either approach, localhost shows up in the UntrustedWebRequestHandler's list of whitelisted hosts when examined in the debugger. Their provider still doesn't receive any requests.

Answer 1:

It looks like you're already aware of the need to whitelist localhost for an RP in order to get it to work. But something else I became aware of recently is that IIS blocks ASP.NET web apps from performing HTTP GETs on themselves. It works for the Visual Studio Personal Web Server, but if your RP and OP are both hosted on IIS under localhost, then likely it's IIS that's blocking it. You can confirm or deny this by using your hand-written HttpWebRequest test from your IIS-hosted RP vs. a console app.

If they're both under IIS and that's the problem, then you should either use the Personal Web Server for your development, or perhaps separating the two sites on IIS in different app pools or something like that will help.
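The console-versus-IIS comparison suggested in the answer can be done with one probe compiled as a console app and also called from the IIS-hosted RP. This is an added example, not code from the answer's author or from DotNetOpenAuth; `DiscoveryProbe`, `Classify` and `Probe` are hypothetical names, and the markers it looks for are the standard OpenID 2.0 discovery signals (the `X-XRDS-Location` header or meta tag, an XRDS content type, or `openid2.provider` / `openid.server` link relations).

```csharp
using System;
using System.IO;
using System.Net;

// Added diagnostic sketch; DiscoveryProbe and its members are hypothetical names.
public static class DiscoveryProbe
{
    // Classifies a response by the OpenID 2.0 discovery signal it carries, if any.
    public static string Classify(string xrdsHeader, string contentType, string body)
    {
        if (!string.IsNullOrEmpty(xrdsHeader))
            return "X-XRDS-Location header: " + xrdsHeader;
        if ((contentType ?? "").StartsWith("application/xrds+xml", StringComparison.OrdinalIgnoreCase))
            return "XRDS document returned directly";
        body = body ?? "";
        if (body.IndexOf("X-XRDS-Location", StringComparison.OrdinalIgnoreCase) >= 0)
            return "HTML meta tag pointing at an XRDS document";
        if (body.IndexOf("openid2.provider", StringComparison.OrdinalIgnoreCase) >= 0 ||
            body.IndexOf("openid.server", StringComparison.OrdinalIgnoreCase) >= 0)
            return "HTML link-based discovery";
        return "no discovery information found";
    }

    // Performs the GET and reports either the discovery signal or the transport failure.
    public static string Probe(string url)
    {
        try
        {
            var request = (HttpWebRequest)WebRequest.Create(url);
            request.Accept = "application/xrds+xml, text/html;q=0.5";
            request.Timeout = 5000; // milliseconds
            using (var response = (HttpWebResponse)request.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream()))
            {
                return (int)response.StatusCode + " " + Classify(
                    response.Headers["X-XRDS-Location"], response.ContentType, reader.ReadToEnd());
            }
        }
        catch (WebException ex)
        {
            // A failure here only when hosted under IIS points at the host, not the provider.
            return "request failed: " + ex.Status + " (" + ex.Message + ")";
        }
    }

    public static void Main(string[] args)
    {
        // Default is the provider URL from the question; pass another URL as the first argument.
        Console.WriteLine(Probe(args.Length > 0 ? args[0] : "http://localhost/openid/provider"));
    }
}
```

If the console run reports a discovery signal and the same `Probe` call from the IIS-hosted RP reports a failed request, the block is in the hosting environment; if both report no discovery information, the URL itself is not a discoverable OpenID identifier.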