response.Error "Forbidden" in IdentityServer3 Flows.ClientCredentials

Time: 2017-03-15 07:04:19

Tags: c# openid access-token identityserver3 client-certificates

I have a client in IdentityServer3

new Client
{
    ClientName = "Client Credentials Flow Client With Certificate",
    Enabled = true,
    ClientId = "cc.WithCertificate",
    Flow = Flows.ClientCredentials,

    ClientSecrets = new List<Secret>
        {
            new Secret
            {
                Value = "61B754C541BBCFC6A45A9E9EC5E47D8702B78C29",
                Type = Constants.SecretTypes.X509CertificateThumbprint,
                Description = "Client Certificate"
            },
        },

    AllowedScopes = new List<string>
        {
            "read"
        }
},

In the client Windows Forms application, I use the "Client.pfx" downloaded from the URL https://github.com/IdentityServer/IdentityServer3.Samples/blob/master/source/Clients/ClientCertificateConsoleClient/Client.pfx

The client certificate has the thumbprint

Thumbprint = "61B754C541BBCFC6A45A9E9EC5E47D8702B78C29"

Client code

using System.Configuration;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using IdentityModel.Client;

// Load the client certificate registered as the X509CertificateThumbprint secret
var cert = new X509Certificate2("Client.pfx");

// Attach it to the HTTP handler so it is presented during the TLS handshake
var handler = new WebRequestHandler();
handler.ClientCertificates.Add(cert);

string tokenEndPoint = ConfigurationManager.AppSettings["TokenEndpoint"];

// TokenClient with a client id but no shared secret; the certificate is the secret
var client = new TokenClient(
    tokenEndPoint,
    "cc.WithCertificate",
    handler);

// Calling the Token Service
var response = client.RequestClientCredentialsAsync("read").Result;

I configured it following the instructions at https://identityserver.github.io/Documentation/docsv2/advanced/clientCerts.html

<location path="core/connect/token">
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert" />
    </security>
  </system.webServer>
</location>

Initially it gave me an Internal Server Error; after that I changed the following mode to "Allow"

File path: C:\Windows\System32\inetsrv\config\applicationHost.config

<section name="access" overrideModeDefault="Deny" />

<section name="access" overrideModeDefault="Allow" />

Later its response contained the error status code: response.Error = "Forbidden"

Here I have attached a snapshot of the response object


Please help me resolve this issue and obtain an AccessToken using the ClientCertificate.

1 answer:

Answer 0 (score: 0)

You are using the "Client.pfx" certificate for the client and passing it to IdentityServer through the HTTP request.

The above certificate has a root certificate, "DevRoot", which should be in the Trusted Root Certification Authorities store; otherwise IIS will not allow the request and returns status code 403 Forbidden.

Please look at the snapshot, which shows the information of "Client.pfx"


So please make sure "DevRoot" is installed in "Trusted Root Certification Authorities"


If it is not, download "DevRoot.cer" and import it into that store (i.e. Trusted Root Certification Authorities).

DevRoot.cer download URL: https://github.com/IdentityServer/IdentityServer3.Samples/blob/master/source/Certificates/DevRoot.cer
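One way to check both conditions the answer relies on before calling the token endpoint, as an added C# diagnostic that is not part of the original question or answer: it loads Client.pfx, compares its thumbprint with the Secret configured for cc.WithCertificate, and builds the certificate chain against the machine's certificate stores. An UntrustedRoot chain status is exactly the situation the answer describes, DevRoot missing from Trusted Root Certification Authorities, which makes IIS refuse the negotiated client certificate with 403. The ExpectedThumbprint constant and the ClientCertDiagnostics class name are assumptions introduced here.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic (not from the original post): verify the client certificate
// the same two ways the server side does. IdentityServer matches the thumbprint
// against the configured Secret; IIS (sslFlags="Ssl, SslNegotiateCert") only
// accepts the certificate if its chain ends in a trusted root.
class ClientCertDiagnostics
{
    // Thumbprint expected by the IdentityServer client definition in the question.
    const string ExpectedThumbprint = "61B754C541BBCFC6A45A9E9EC5E47D8702B78C29";

    static int Main(string[] args)
    {
        string pfxPath = args.Length > 0 ? args[0] : "Client.pfx";
        var cert = new X509Certificate2(pfxPath);

        Console.WriteLine("Subject:    " + cert.Subject);
        Console.WriteLine("Issuer:     " + cert.Issuer);
        Console.WriteLine("Thumbprint: " + cert.Thumbprint);

        // 1. Secret match: IdentityServer compares the SHA-1 thumbprint (hex,
        //    no spaces, case-insensitive) with Secret.Value.
        bool thumbprintMatches = string.Equals(
            cert.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
        Console.WriteLine("Thumbprint matches client secret: " + thumbprintMatches);

        // 2. Trust check: build the chain against the local machine's stores.
        //    Revocation checking is skipped because the sample DevRoot publishes no CRL.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        bool trusted = chain.Build(cert);

        Console.WriteLine("Chain builds to a trusted root: " + trusted);
        foreach (X509ChainElement element in chain.ChainElements)
            Console.WriteLine("  element: " + element.Certificate.Subject);

        // X509ChainStatusFlags.UntrustedRoot here means DevRoot is not in
        // Trusted Root Certification Authorities on this machine.
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine("  status:  " + status.Status + " - " + status.StatusInformation.Trim());

        // Non-zero exit when either precondition for a successful token request fails.
        return (thumbprintMatches && trusted) ? 0 : 1;
    }
}
```

Run it on the machine hosting IdentityServer (pass the pfx path as the first argument if it is not in the working directory); a zero exit code means the certificate would both pass IIS's trust check and match the configured secret, so a remaining Forbidden would have to come from somewhere other than the chain.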