Identity Server 4在当前主体上找到的范围:""

时间:2017-03-27 20:34:17

标签: api implicit identityserver4

我尝试在授予对API的访问权限之前使用Identity Server 4对用户进行身份验证。我正在使用Implicit配置,因为前端是Ember JS应用程序。我已经能够登录,显示同意屏幕,然后导航到redirectUri。但是,只要将承载令牌发送到API,我就会返回403。

我能够在返回403之前在日志中找到它,表明没有为当前原则指定任何范围。但是我还没有发现其他人报告同样的问题,所以我不确定我做错了什么。

任何帮助都将不胜感激。

API日志

2017-03-27 15:24:35.358 -05:00 [Information] Request starting HTTP/1.1 GET http://localhost:55026/incentives/api/categories application/json 
    2017-03-27 15:24:36.035 -05:00 [Information] Successfully validated the token.
    2017-03-27 15:24:36.046 -05:00 [Information] HttpContext.User merged via AutomaticAuthentication from authenticationScheme: "Bearer".
    2017-03-27 15:24:36.048 -05:00 [Information] AuthenticationScheme: "Bearer" was successfully authenticated.
    2017-03-27 15:24:36.051 -05:00 [Information] Scopes found on current principal: ""
    2017-03-27 15:24:36.053 -05:00 [Warning] Scope validation failed. Return 403
    2017-03-27 15:24:36.059 -05:00 [Debug] Connection id ""0HL3L9SNQEILQ"" completed keep alive response.
    2017-03-27 15:24:36.060 -05:00 [Information] Request finished in 702.0523ms 403  

new Client
            {
                ClientName = "IncentivesClient",
                ClientId = "IncentivesClient",
                AllowedGrantTypes = GrantTypes.Implicit,
                AllowAccessTokensViaBrowser = true,
                RedirectUris = new List<string>
                {
                    "http://localhost:4200/authorized"
                },
                PostLogoutRedirectUris = new List<string>
                {
                    "http://localhost:4200/unauthorized"
                },
                AllowedCorsOrigins = new List<string>
                {
                    "http://localhost:4200"
                },
                AllowedScopes = new List<string>
                {
                    StandardScopes.OpenId,
                    StandardScopes.Email,
                    StandardScopes.Profile,
                    "incentiveRecords",
                    "incentiverecordsscope",
                }
            }

这是API设置

IdentityServerAuthenticationOptions identityServerValidationOptions = new IdentityServerAuthenticationOptions
        {
            Authority = "https://localhost:44357",
            RequireHttpsMetadata = true,
            AllowedScopes = new List<string> { "incentiveRecords" },
            ApiSecret = "incentiveRecordsSecret",
            ApiName = "incentiveRecords",
            AutomaticAuthenticate = true,
            SupportedTokens = SupportedTokens.Both,
            AuthenticationScheme = "Bearer",
            SaveToken = true,
            ValidateScope = true,
            // TokenRetriever = _tokenRetriever,
            // required if you want to return a 403 and not a 401 for forbidden responses
            AutomaticChallenge = true,
        };

1 个答案:

答案 0 :(得分:0)

我发现为OATH2实现自己的torii提供程序的示例已经指示在响应参数中包含'id_token'和'token',这是合理的,因为它们是我的Implicit配置中使用的响应类型。为了增加混淆,id_token和token都是在promise之后成功获取值。它确实困扰我,他们是相同的,当我解码它们时,观众被设置为客户端而不是包括资源服务器。因此,超级简单的答案是将“令牌”响应参数更改为“access_token”。现在我能够从promise中获取正确的令牌,然后继续在Auth头中使用它。希望这可以帮助其他人。