Thinktecture“insufficient_scope”错误。单一范围声明与范围列表

时间:2015-05-21 19:14:47

标签: openid thinktecture-ident-server identityserver3

我确信答案是显而易见的,但此刻它正在躲避我。

当我的代码尝试调用/ connect / userinfo并且消息为“insufficient_scope”时,我得到403.

https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Validation/TokenValidator.cs#L153

上面是检查JWT中范围声明的代码行,并希望找到值为“openid”以使/ connect / userinfo端点工作。

在我的JWT中,如果它有类似的东西:

"scope": "openid"

...然后端点很好。相反,如果我有:

"scope": ["openid", "email", "profile"]

......然后就失败了。

我是否应该从未拥有范围声明的列表/数组?也许我错过了某处的配置设置?

使用代码更新

对不起。当然,代码会使问题更加清晰。

客户端商店

    public ClientStore()
    {
        _clients = new List<Client>
        {
            new Client
            {
                AlwaysSendClientClaims = true,
                RequireConsent = false,
                Enabled = true,
                ClientName = @"MVC Client",
                ClientId = @"mvc",
                PostLogoutRedirectUris = new List<string>
                {
                    "http://localhost:8080/index.html"
                },
                RedirectUris = new List<string>
                {
                    "http://localhost:8080/loginCallback.html"
                }
            }
        };
    }

范围商店

    public ScopeStore()
    {
        var scopes = new List<Scope>
        {
            StandardScopes.OpenId,
            StandardScopes.Profile,
            StandardScopes.Email,
            StandardScopes.Address,
            StandardScopes.AllClaims,
            StandardScopes.RolesAlwaysInclude
        };

        _scopes = scopes;
    }

Startup.cs

        var certFile = env.ApplicationBasePath + "/cert.pfx";

        app.Map("/core", core =>
        {
            var factory = new IdentityServerServiceFactory();

            var configuration = new Configuration();
            configuration.AddJsonFile("config.json");

            var userService = new EndUserService(configuration.Get("ConnectionString"));
            factory.UserService = new Registration<IUserService>(resolver => userService);

            var scopeStore = new ScopeStore();
            factory.ScopeStore = new Registration<IScopeStore>(resolver => scopeStore);

            var clientStore = new ClientStore();
            factory.ClientStore = new Registration<IClientStore>(resolver => clientStore); 

            var cert = new X509Certificate2(certFile, "test");

            var idsrvOptions = new IdentityServerOptions
            {
                CorsPolicy = CorsPolicy.AllowAll,
                Factory = factory,
                RequireSsl = false,
                SigningCertificate = cert,
                LoggingOptions = new LoggingOptions() {
                    EnableWebApiDiagnostics = true,
                    EnableHttpLogging = true
                }
            };

            core.UseIdentityServer(idsrvOptions);
        });

的login.html

var config = {
    client_id: "mvc",
    redirect_uri: "http://localhost:8080/loginCallback.html",
    response_type: "id_token token",
    scope: "openid email profile",
    authority: "http://localhost:44319/core",
    post_logout_redirect_uri: "http://localhost:8080/index.html"
};
var mgr = new OidcTokenManager(config);

更新#2

拍摄,这是Mono对Windows的事情。在Windows中工作正常,单声道打破。显然已知问题:https://github.com/IdentityServer/IdentityServer3/issues/1373#issuecomment-104756822

2 个答案:

答案 0 :(得分:3)

事实证明,微软的JWT图书馆如何解释JWT声称存在一个错误。这里描述:https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/153

等待接受拉取请求或以其他方式解决问题。

答案 1 :(得分:0)

看起来您正在请求Identity Server实现中客户端配置中未启用的范围。

你应该有一个有客户的班级,他们的ScopeRestrictions类似this。您需要将电子邮件和配置文件范围添加到此范围列表中。