Getting DiscoveryClient fails with "Issuer name does not match authority"

Time: 2017-04-26 06:50:16

Tags: asp.net asp.net-core identityserver4

When performing a GET using IdentityModel's DiscoveryClient, I get the error shown below:

var discoveryResponse = await DiscoveryClient.GetAsync("https://localhost/IdentityServer");

Issuer name does not match authority: https://localhost/identityserver

The target URL is an ASP.NET Core web application running on IIS with IdentityServer4 enabled. The client application is a classic ASP.NET web application running on the same machine.

Apparently the GET does manage to retrieve values from IdentityServer, as shown by the contents of discoveryResponse.Raw:

{
  "issuer": "https://localhost/identityserver",
  "jwks_uri": "https://localhost/IdentityServer/.well-known/openid-configuration/jwks",
  "authorization_endpoint": "https://localhost/IdentityServer/connect/authorize",
  "token_endpoint": "https://localhost/IdentityServer/connect/token",
  "userinfo_endpoint": "https://localhost/IdentityServer/connect/userinfo",
  "end_session_endpoint": "https://localhost/IdentityServer/connect/endsession",
  "check_session_iframe": "https://localhost/IdentityServer/connect/checksession",
  "revocation_endpoint": "https://localhost/IdentityServer/connect/revocation",
  "introspection_endpoint": "https://localhost/IdentityServer/connect/introspect",
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "scopes_supported": [ "CustomIdentityResources", "profile", "openid", "MyAPI.full_access", "offline_access" ],
  "claims_supported": [],
  "grant_types_supported": [ "authorization_code", "client_credentials", "refresh_token", "implicit" ],
  "response_types_supported": [ "code", "token", "id_token", "id_token token", "code id_token", "code token", "code id_token token" ],
  "response_modes_supported": [ "form_post", "query", "fragment" ],
  "token_endpoint_auth_methods_supported": [ "client_secret_basic", "client_secret_post" ],
  "subject_types_supported": [ "public" ],
  "id_token_signing_alg_values_supported": [ "RS256" ],
  "code_challenge_methods_supported": [ "plain", "S256" ]
}

3 answers:

Answer 0 (score: 15)

Authority: https://localhost/IdentityServer
Issuer: https://localhost/identityserver

They don't match - it's case sensitive.

Answer 1 (score: 2)

In cases where the server code can't be changed to fit the policy, the policy settings can be changed to allow the name mismatch.

For example, I tried using DiscoveryClient with the Azure REST API, and the issuer is https://sts.windows.net/{{ tenant_id }}, while the endpoints all start with https://login.microsoft.com/{{ tenant_id }}.

Simply set the fields ValidateIssuerName and ValidateEndpoints to false.

using IdentityModel.Client;

var tenant_id = "8481D2AC-893F-4454-8A3B-A0297D301278"; // Made up for this example
var authority = $"https://login.microsoftonline.com/{tenant_id}";
DiscoveryClient discoveryClient = new DiscoveryClient(authority);

// Accept the configuration even if the issuer and endpoints don't match
discoveryClient.Policy.ValidateIssuerName = false;
discoveryClient.Policy.ValidateEndpoints = false;

// Must be awaited from an async method
var discoResponse = await discoveryClient.GetAsync();
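The discovery document is what tells a client where to send credentials and which signing keys to trust, so switching both policy checks off is a larger relaxation than the Azure AD case needs. The following is an added example, not code from the question or from the IdentityModel project: it keeps the default policy on for the IdentityServer case (with the authority spelled exactly as the published issuer), reports a policy failure via IsError/Error instead of throwing, and for the Azure AD case disables only ValidateIssuerName while pinning the expected issuer with an ordinal comparison of its own. It assumes IdentityModel 2.x with the DiscoveryClient/DiscoveryPolicy API used in this thread; the tenant id is a placeholder.

```csharp
using System;
using System.Threading.Tasks;
using IdentityModel.Client;

class DiscoveryCheck
{
    static async Task<int> Main()
    {
        // Case 1: local IdentityServer. The authority is written exactly as the server
        // publishes its issuer, so the default (case-sensitive) policy passes and stays on.
        var strict = new DiscoveryClient("https://localhost/identityserver");
        var doc = await strict.GetAsync();
        if (doc.IsError)
        {
            // A casing or host mismatch arrives here as a policy error, not as an exception.
            Console.WriteLine($"discovery rejected: {doc.Error}");
            return 1;
        }
        Console.WriteLine($"issuer:         {doc.Issuer}");
        Console.WriteLine($"token endpoint: {doc.TokenEndpoint}");
        Console.WriteLine($"jwks uri:       {doc.JwksUri}");

        // Case 2: Azure AD. The issuer lives on sts.windows.net while every endpoint is
        // under login.microsoftonline.com/{tenant}, so only the issuer-name check has to
        // be relaxed; endpoint validation still passes against the authority and stays on.
        var tenantId = "00000000-0000-0000-0000-000000000000"; // placeholder tenant id
        var authority = $"https://login.microsoftonline.com/{tenantId}";
        var expectedIssuer = $"https://sts.windows.net/{tenantId}/"; // what this tenant is expected to publish

        var azure = new DiscoveryClient(authority);
        azure.Policy.ValidateIssuerName = false; // issuer host differs from authority by design here
        // azure.Policy.ValidateEndpoints is left at its default (true)

        var azureDoc = await azure.GetAsync();
        if (azureDoc.IsError)
        {
            Console.WriteLine($"discovery rejected: {azureDoc.Error}");
            return 1;
        }

        // Having turned the library's issuer check off, replace it with an explicit pin:
        // ordinal comparison, same as the check that produced the error in the question.
        if (!string.Equals(azureDoc.Issuer, expectedIssuer, StringComparison.Ordinal))
        {
            Console.WriteLine($"unexpected issuer '{azureDoc.Issuer}', expected '{expectedIssuer}'");
            return 1;
        }
        Console.WriteLine($"issuer pinned OK: {azureDoc.Issuer}");
        return 0;
    }
}
```

The point of the second half is that disabling ValidateIssuerName removes the only check tying the document's issuer to the authority you typed; re-adding that check against a value you control keeps a redirected or mis-served document from being accepted silently.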

Answer 2 (score: 1)

The other answers target the client - making it accept the lowercase issuer.

This changes the casing of the issuer in the discovery document:

By default, Identity Server appears to change the issuer URI to lowercase. This results in the discovery document being lowercase for the issuer, and in whatever casing you typed in code / published for everything else.

I fixed this in my Identity Server application's Startup, in the ConfigureServices method:

            // Keep the issuer URI in the casing it was configured with instead of lowercasing it
            var builder = services.AddIdentityServer(options => { options.LowerCaseIssuerUri = false; });

Using this means the casing of the issuer in the discovery document is the same as all the other URIs.