Question

我想找出OAuth2.0，OIDC1.0和IdentityServer4。我已经设置了一个测试MVC Core客户端，只请求了“openid”范围。但不知何故，OpenIdConnnect中间件不断向所请求的范围添加“profile”范围。 “profile”是强制性范围吗？我应该启用吗？或者我在这里做错了什么？我很感激任何意见。

IdSrv资源：

_identityResources = new List<IdentityResource>
            {
                new IdentityResources.OpenId(),
                new IdentityResource
                {
                    Name = "test_user",
                    UserClaims = new[] { "test_user.email" }
                }
            };

            _apiResources = new List<ApiResource>
            {
                new ApiResource
                {
                    Name = "test_api",
                    Scopes =
                    {
                        new Scope()
                        {
                            Name = "test_api.account.create",
                            UserClaims = new[] { "test_api.account.create" }
                        }
                    }
                }
            };

IdSrv客户端配置：

new Client
                {
                    ClientId = "client.mvcx",
                    ClientName = "MVC Core Client",
                    AllowedGrantTypes = GrantTypes.Hybrid,
                    AllowAccessTokensViaBrowser = false,

                    ClientSecrets =
                    {
                        new Secret("secret".Sha256())
                    },

                    RedirectUris = { Common.Addresses.Client + "/signin-oidc" },
                    PostLogoutRedirectUris = { Common.Addresses.Client },
                    LogoutUri = Common.Addresses.Client + "/signout-oidc",

                    AllowedScopes =
                    {
                        IdentityServerConstants.StandardScopes.OpenId
                    },
                    AllowOfflineAccess = false,
                    RequireConsent = false,

                    AlwaysIncludeUserClaimsInIdToken = true

                },

MVC客户端：

app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationScheme = "cookies",
                AutomaticAuthenticate = true,
                ExpireTimeSpan = TimeSpan.FromMinutes(60)
            });

            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

            app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
            {
                AuthenticationScheme = "oidc",
                SignInScheme = "cookies",

                Authority = Common.Addresses.IdSrv,
                RequireHttpsMetadata = false,

                ClientId = "client.mvcx",
                ClientSecret = "secret",

                ResponseType = "code id_token",
                Scope = { "openid" },

                SaveTokens = true,

                TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
                {
                    NameClaimType = IdentityModel.JwtClaimTypes.Name,
                    RoleClaimType = IdentityModel.JwtClaimTypes.Role,
                },

IdSrv错误：

info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
      Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
fail: IdentityServer4.Validation.ScopeValidator[0]
      Invalid scope: profile
fail: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
      Request validation failed
info: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
      {
        "ClientId": "client.mvcx",
        "ClientName": "MVC Core Client",
        "RedirectUri": "http://localhost:32579/signin-oidc",
        "AllowedRedirectUris": [
          "http://localhost:32579/signin-oidc"
        ],
        "SubjectId": "anonymous",
        "ResponseType": "code id_token",
        "ResponseMode": "form_post",
        "GrantType": "hybrid",
        "RequestedScopes": "openid profile",
...

Answer 1

#next_campaign会自动请求OpenIdConnectionOptions和openid范围（请参阅source code），并在profile媒体资源上使用私人设定者。

当您设置范围时，您没有设置新列表，而是添加到现有列表。

清除然后添加范围有效：

Scope

OpenIdConnect中间件不断向请求添加“配置文件”范围

1 个答案: