I implemented IdentityServer3 and am trying to use it with my new ASP.NET Core MVC application.
I want to use the hybrid flow, but I can't seem to get it to work.
My client on IdentityServer3 is set up as follows:
new Client
{
    ClientName = "Test",
    ClientId = "Test",
    ClientUri = "http://localhost:59528/",
    Flow = Flows.Hybrid,
    AllowedScopes = new List<string>()
    {
        Constants.StandardScopes.OpenId,
        Constants.StandardScopes.Profile
    },
    RedirectUris = new List<string>
    {
        "http://localhost:59528/signin-oidc",
    },
    PostLogoutRedirectUris = new List<string>
    {
        "http://localhost:59528/",
    },
    Enabled = true
}
The ASP.NET Core MVC application is set up as follows:
public void Configure(IApplicationBuilder app, ILoggerFactory loggerFactory, IConfigurationService configurationService, ApplicationDbContextSeedData seeder)
{
    // Keep the short OIDC claim names (sub, name, ...) instead of remapping them to the long URI claim types
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

    /* Logging Configuration */
    loggerFactory.AddConsole();
    if (_environment.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
        loggerFactory.AddDebug(LogLevel.Information);
    }
    else
    {
        loggerFactory.AddDebug(LogLevel.Error);
    }

    /* Identity Server Configuration */
    // Cookie scheme that the OIDC handler signs the user into after the callback
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationScheme = "Cookies",
        AutomaticAuthenticate = true
    });
    app.UseOpenIdConnectAuthentication(configurationService.GetOpenIdConnectOptions());

    /* MVC Route Configuration */
    app.UseStaticFiles();
    app.UseMvc(ConfigureRoutes);

    /* Database Configuration */
    seeder.EnsureSeedData().Wait();
}
Here are the options I read in the GetOpenIdConnectOptions method:
"OpenIdConnectOptions": {
    "AuthenticationScheme": "oidc",
    "SignInScheme": "Cookies",
    "Authority": "http://localhost:7506/",
    "RequireHttpsMetadata": "false",
    "PostLogoutRedirectUri": "http://localhost:59528/",
    "ClientId": "Test",
    "ResponseType": "code id_token token",
    "GetClaimsFromUserInfoEndpoint": "true",
    "SaveTokens": "true",
    "Scopes": [ "openid", "profile" ]
}
With this setup I am redirected to IdentityServer, I can log in, and after I grant consent to my application I am redirected to an error page in my ASP.NET Core MVC application with the following error:
http://localhost:59528/signin-oidc
HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
If I change some settings (adding a ClientSecret on the server and the client and changing the flow), I manage to get the Implicit Flow working, but I would prefer the hybrid flow.
Does anyone know what I'm doing wrong?
Edit: I changed a few things (added a secret on the client and the server) and now I get the following log from IdentityServer3. Everything seems fine.
2016-08-29 06:49:44,791 [18] INFO IdentityServer3.Core.Endpoints.AuthorizeEndpointController Resuming from consent, restarting validation
2016-08-29 06:49:44,792 [18] INFO IdentityServer3.Core.Validation.AuthorizeRequestValidator Start authorize request protocol validation
2016-08-29 06:49:44,805 [25] INFO IdentityServer3.Core.Validation.AuthorizeRequestValidator Authorize request validation success
{
    "ClientId": "Test",
    "ClientName": "Test",
    "RedirectUri": "http://localhost:59528/signin-oidc",
    "AllowedRedirectUris": [
        "http://localhost:59528/signin-oidc"
    ],
    "SubjectId": "...",
    "ResponseType": "code id_token token",
    "ResponseMode": "form_post",
    "Flow": "Hybrid",
    "RequestedScopes": "openid profile email",
    "State": "...",
    "Nonce": "...",
    "SessionId": "...",
    "Raw": {
        "client_id": "Test",
        "redirect_uri": "http://localhost:59528/signin-oidc",
        "response_type": "code token id_token",
        "scope": "openid profile email",
        "response_mode": "form_post",
        "nonce": "...",
        "state": "..."
    }
}
2016-08-29 06:49:44,808 [20] INFO IdentityServer3.Core.ResponseHandling.AuthorizeResponseGenerator Creating Hybrid Flow response.
2016-08-29 06:49:44,812 [15] INFO IdentityServer3.Core.ResponseHandling.AuthorizeResponseGenerator Creating Implicit Flow response.
2016-08-29 06:49:44,813 [15] DEBUG IdentityServer3.Core.Services.Default.DefaultTokenService Creating access token
2016-08-29 06:49:44,814 [15] DEBUG IdentityServer3.Core.Services.Default.DefaultTokenService Creating JWT access token
2016-08-29 06:49:44,865 [15] DEBUG IdentityServer3.Core.Services.Default.DefaultTokenService Creating identity token
2016-08-29 06:49:44,866 [15] INFO IdentityServer3.Core.Services.Default.DefaultClaimsProvider Getting claims for identity token for subject: 88010bab-091e-4095-8f5d-ac89a3fd9198
2016-08-29 06:49:44,920 [10] INFO IdentityServer3.EntityFramework.TokenCleanup Clearing tokens
2016-08-29 06:49:44,983 [15] DEBUG IdentityServer3.Core.Services.Default.DefaultTokenService Creating JWT identity token
2016-08-29 06:49:45,035 [15] DEBUG IdentityServer3.Core.Endpoints.AuthorizeEndpointController Adding client virtualmoney to client list cookie for subject 88010bab-091e-4095-8f5d-ac89a3fd9198
2016-08-29 06:49:45,037 [15] INFO IdentityServer3.Core.Results.AuthorizeFormPostResult Posting to http://localhost:59528/signin-oidc
2016-08-29 06:49:45,038 [15] DEBUG IdentityServer3.Core.Results.AuthorizeFormPostResult Using DefaultViewService to render authorization response HTML
2016-08-29 06:49:45,179 [18] INFO IdentityServer3.Core.Endpoints.TokenEndpointController Start token request
2016-08-29 06:49:45,180 [18] DEBUG IdentityServer3.Core.Validation.ClientSecretValidator Start client validation
2016-08-29 06:49:45,181 [18] DEBUG IdentityServer3.Core.Validation.BasicAuthenticationSecretParser Start parsing Basic Authentication secret
2016-08-29 06:49:45,182 [18] DEBUG IdentityServer3.Core.Validation.PostBodySecretParser Start parsing for secret in post body
2016-08-29 06:49:45,183 [18] DEBUG IdentityServer3.Core.Validation.SecretParser Parser found secret: PostBodySecretParser
2016-08-29 06:49:45,184 [18] INFO IdentityServer3.Core.Validation.SecretParser Secret id found: virtualmoney
2016-08-29 06:49:45,188 [24] DEBUG IdentityServer3.Core.Validation.SecretValidator Secret validator success: HashedSharedSecretValidator
2016-08-29 06:49:45,189 [24] INFO IdentityServer3.Core.Validation.ClientSecretValidator Client validation success
2016-08-29 06:49:45,190 [24] INFO IdentityServer3.Core.Validation.TokenRequestValidator Start token request validation
2016-08-29 06:49:45,191 [24] INFO IdentityServer3.Core.Validation.TokenRequestValidator Start validation of authorization code token request
2016-08-29 06:49:45,218 [22] INFO IdentityServer3.Core.Validation.TokenRequestValidator Validation of authorization code token request success
2016-08-29 06:49:45,220 [22] INFO IdentityServer3.Core.Validation.TokenRequestValidator Token request validation success
{
    "ClientId": "Test",
    "ClientName": "Test",
    "GrantType": "authorization_code",
    "AuthorizationCode": "...",
    "Raw": {
        "client_id": "Test",
        "client_secret": "******",
        "code": "...",
        "grant_type": "authorization_code",
        "redirect_uri": "http://localhost:59528/signin-oidc"
    }
}
2016-08-29 06:49:45,221 [22] INFO IdentityServer3.Core.ResponseHandling.TokenResponseGenerator Creating token response
2016-08-29 06:49:45,223 [22] INFO IdentityServer3.Core.ResponseHandling.TokenResponseGenerator Processing authorization code request
2016-08-29 06:49:45,225 [22] DEBUG IdentityServer3.Core.Services.Default.DefaultTokenService Creating access token
2016-08-29 06:49:45,227 [22] DEBUG IdentityServer3.Core.Services.Default.DefaultTokenService Creating JWT access token
2016-08-29 06:49:45,300 [22] DEBUG IdentityServer3.Core.Services.Default.DefaultTokenService Creating identity token
2016-08-29 06:49:45,302 [22] INFO IdentityServer3.Core.Services.Default.DefaultClaimsProvider Getting claims for identity token for subject: 88010bab-091e-4095-8f5d-ac89a3fd9198
2016-08-29 06:49:45,405 [22] DEBUG IdentityServer3.Core.Services.Default.DefaultTokenService Creating JWT identity token
2016-08-29 06:49:45,486 [22] INFO IdentityServer3.Core.Endpoints.TokenEndpointController End token request
But now I get this error on my client after the redirect back from IdentityServer3:
OpenIdConnectProtocolException: IDX10300: The hash claim: '...' in the id_token did not validate with against
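The IDX10300 message at the end of the question is the ASP.NET Core OpenID Connect middleware reporting that a hash claim in the id_token did not match the artefact it was delivered with. The following Python example is added here to show what that check computes; it is not code from the question, from IdentityServer3 or from the ASP.NET Core middleware. Per OpenID Connect Core 1.0, c_hash binds the authorization code and at_hash binds the access token to a given id_token: hash the token's ASCII octets with the SHA-2 size of the id_token's JWS alg, keep the left-most half, base64url-encode without padding. The issuer, audience, code, access token and signature below are constructed placeholders, RS256 is assumed because the question does not state the signing algorithm, and signature verification is deliberately left out (a real client must verify the signature, issuer, audience and nonce before trusting any claim).

```python
import base64
import hashlib
import json
from typing import Dict, Optional, Tuple

# Digest chosen by the JWS alg suffix (OpenID Connect Core 1.0, 3.1.3.6 / 3.3.2.11).
_DIGEST_BY_BITS = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_hash(token: str, alg: str) -> str:
    """at_hash / c_hash: left-most half of the alg's digest over the token's ASCII octets."""
    bits = alg[-3:]
    if bits not in _DIGEST_BY_BITS:
        raise ValueError(f"unsupported JWS alg {alg!r}")
    digest = _DIGEST_BY_BITS[bits](token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def jws_parts(id_token: str) -> Tuple[dict, dict]:
    """Split a compact JWS into (header, payload) WITHOUT checking the signature.
    Only used here to read alg, at_hash and c_hash; signature, iss, aud and nonce
    verification must come first in a real client."""
    header_b64, payload_b64, _signature = id_token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def check_hybrid_hashes(id_token: str, code: Optional[str],
                        access_token: Optional[str]) -> Dict[str, Optional[bool]]:
    """Recompute c_hash / at_hash from the artefacts the client actually received
    alongside this id_token and compare them with the claims inside it.
    Verdict per claim: True = matches, False = present but wrong (this is the
    condition IDX10300 reports), None = claim absent from the id_token."""
    header, claims = jws_parts(id_token)
    alg = header["alg"]
    verdict: Dict[str, Optional[bool]] = {}
    if code is not None:
        verdict["c_hash"] = None if "c_hash" not in claims else claims["c_hash"] == token_hash(code, alg)
    if access_token is not None:
        verdict["at_hash"] = None if "at_hash" not in claims else claims["at_hash"] == token_hash(access_token, alg)
    return verdict


def build_sample_id_token(code: str, access_token: str, alg: str = "RS256") -> str:
    """Constructed, UNSIGNED id_token used only to exercise the check above.
    The signature segment is a placeholder, not a real RS256 signature."""
    header = {"alg": alg, "typ": "JWT"}
    claims = {
        "iss": "http://localhost:7506",  # assumed, from the Authority in the question
        "aud": "Test",                   # the ClientId in the question
        "sub": "constructed-subject",
        "c_hash": token_hash(code, alg),
        "at_hash": token_hash(access_token, alg),
    }
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode("ascii"))
    return f"{enc(header)}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    # Constructed front-channel artefacts: code + access_token + id_token from one authorize response.
    code, access_token = "constructed-authz-code", "constructed-access-token-1"
    id_token = build_sample_id_token(code, access_token)
    print("same response:      ", check_hybrid_hashes(id_token, code, access_token))
    # Checking that id_token against an access token issued in a different response
    # (for example the token endpoint's) reproduces the at_hash mismatch condition.
    print("different at_hash:  ", check_hybrid_hashes(id_token, code, "constructed-access-token-2"))
```

In the hybrid flow with ResponseType "code id_token token" the client receives two id_tokens: one on the front channel together with the code and an access token (this one carries c_hash and at_hash), and one from the token endpoint together with the access token issued there. Each id_token's hash claims are only meaningful against the artefacts delivered in the same response, so when chasing an IDX10300 it is worth logging which id_token and which access token the middleware paired up.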