I'm having a hard time getting the DNOA RP to work behind an SSL appliance (one that terminates the client's HTTPS connection and reverse-proxies plain HTTP to the web server behind it).
The problem is that the RP incorrectly guesses the receiving endpoint from the incoming request (since it is no longer HTTPS by the time it reaches the web server) and compares it with the scheme on the return_to URL (i.e. HTTPS), which fails with the stack trace below. I've poked around the code a bit and can't see a way to change this behaviour without a custom build or non-trivial subclassing. I'm already passing the HTTPS versions of the realm and ReturnToUrl to OpenIdRelyingParty.CreateRequests(), and that part works fine.
Is it possible to fake the detected receiving scheme as HTTPS, or to skip the scheme comparison on a stock DNOA build, or am I patching a custom build tomorrow?
Stack trace:
ERROR DotNetOpenAuth.Messaging - 09 Jul 2010 00:11:39,450 - Protocol error: The openid.return_to parameter (https://XXX/Login.aspx?openid=XXX&dnoa.userSuppliedIdentifier=XXX) does not match the actual URL (http://XXX/Login.aspx?openid=XXX&dnoa.userSuppliedIdentifier=XXX&openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res&openid.op_endpoint=XXX&openid.response_nonce=XXX&openid.return_to=https://XXX/Login.aspx?openid=XXX&dnoa.userSuppliedIdentifier=XXX&openid.assoc_handle=XXX&openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle&openid.sig=XXX&openid.identity=XXX&openid.claimed_id=XXX) the request was made with.
at DotNetOpenAuth.Messaging.ErrorUtilities.VerifyProtocol(Boolean condition, String message, Object[] args)
at DotNetOpenAuth.OpenId.Messages.IndirectSignedResponse.VerifyReturnToMatchesRecipient()
at DotNetOpenAuth.OpenId.Messages.IndirectSignedResponse.EnsureValidMessage()
at DotNetOpenAuth.Messaging.MessageSerializer.Deserialize(IDictionary`2 fields, MessageDictionary messageDictionary)
at DotNetOpenAuth.Messaging.Reflection.MessageDictionary.Deserialize(IDictionary`2 fields)
at DotNetOpenAuth.Messaging.Channel.Receive(Dictionary`2 fields, MessageReceivingEndpoint recipient)
at DotNetOpenAuth.Messaging.Channel.ReadFromRequestCore(HttpRequestInfo request)
at DotNetOpenAuth.Messaging.Channel.ReadFromRequest(HttpRequestInfo httpRequest)
at DotNetOpenAuth.OpenId.RelyingParty.OpenIdRelyingParty.GetResponse(HttpRequestInfo httpRequestInfo)
at DotNetOpenAuth.OpenId.RelyingParty.OpenIdRelyingParty.GetResponse()
Posted on 2010-07-13 02:51:42
DotNetOpenAuth has built-in support for SSL appliances when they add these special headers to the forwarded HTTP request: X_FORWARDED_PROTO and/or HTTP_HOST. When these are present, auto-detection of the external URL is correct. If you can configure the SSL appliance to do this, that is probably the best option.
The alternative is to call OpenIdRelyingParty.GetResponse(HttpRequestInfo) instead of the overload that takes no arguments. You construct the HttpRequestInfo yourself with the real externally-facing URL that you know. Then the URL-matching logic inside DotNetOpenAuth won't fail the request.
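An added example (not code from the question, the answer, or the DotNetOpenAuth project) of the second approach: rebuilding the public-facing URL and handing it to GetResponse(HttpRequestInfo). It assumes the DotNetOpenAuth 3.x HttpRequestInfo(HttpRequest) constructor with a settable UrlBeforeRewriting property, reads the X-Forwarded-Proto header the answer mentions, and only honours that header when the request arrives from the SSL appliance's address (a constructed placeholder value); that trust check is the example's own, not something the answer describes.

```csharp
using System;
using System.Web;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId.RelyingParty;

public static class ProxyAwareOpenIdResponse
{
    // Placeholder: the address the SSL appliance connects from. Only that
    // hop is allowed to assert the original scheme, otherwise any client
    // could claim HTTPS by sending the header itself.
    private const string TrustedProxyAddress = "<ssl-appliance-ip>";

    // Reconstruct the URL the browser actually used (https://host/...) so
    // the openid.return_to comparison sees the external scheme instead of
    // the proxied http:// one.
    public static Uri GetPublicFacingUrl(HttpRequest request)
    {
        var builder = new UriBuilder(request.Url);

        // The answer names the server-variable form X_FORWARDED_PROTO;
        // as a request header it is X-Forwarded-Proto.
        string forwardedProto = request.Headers["X-Forwarded-Proto"];
        bool fromTrustedProxy = request.UserHostAddress == TrustedProxyAddress;

        if (fromTrustedProxy &&
            string.Equals(forwardedProto, "https", StringComparison.OrdinalIgnoreCase))
        {
            builder.Scheme = Uri.UriSchemeHttps;
            builder.Port = -1; // drop the backend port, use the scheme default (443)
        }

        return builder.Uri;
    }

    // Replaces rp.GetResponse(): the no-argument overload would read the
    // proxied http:// URL and fail the return_to check from the stack trace.
    public static IAuthenticationResponse ReadResponse(OpenIdRelyingParty rp, HttpRequest request)
    {
        // Assumed DNOA 3.x API: wrap the ASP.NET request, then override the
        // URL DNOA uses for message verification.
        var info = new HttpRequestInfo(request)
        {
            UrlBeforeRewriting = GetPublicFacingUrl(request),
        };

        return rp.GetResponse(info);
    }
}
```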
https://stackoverflow.com/questions/3209169