客户端凭据流

时间:2017-05-25 13:34:10

标签: oauth-2.0 access-token identityserver4

我在客户端凭据流的访问令牌请求中收到invalid_scope错误。错误日志指出"无法在客户端凭据流中请求OpenID范围"。我没有要求开放id范围。我不知道它来自哪里。我需要使用客户端凭据流生成访问令牌。

问题/重现问题的步骤

API资源定义。

public IEnumerable GetApiResources()
{
    return new List {
        new ApiResource
        {
            Name = "WidgetApi",
            DisplayName = "Widget Management API",
            Description = "Widget Management API Resource Access",
            ApiSecrets = new List { new Secret("scopeSecret".Sha256()) },
            Scopes = new List {
                new Scope("WidgetApi.Read"),
                new Scope("WidgetApi.Write")
            }
        }
     };
}

客户定义;

return new List
{
    new Client
    {
        ClientId = "WidgetApi Client Id",
        ClientName = "WidgetApi Client credential",
        RequireConsent = false,
        AllowedGrantTypes = GrantTypes.ClientCredentials,
        ClientSecrets =
        {
            new Secret( clientSecret.Sha256())
        },
       // scopes that client has access to
       AllowedScopes = { "WidgetApi.Read", "WidgetApi.Write"},
       AccessTokenLifetime = 3600
   };
}

使用邮递员访问令牌请求正文(键 - 值)

grant_type  client_credentials
response_type  id_token
scope  WidgetApi.Read WidgetApi.Write
client_secret  xxxxxxxxxxxxxxxxxxxxxx
client_id  WidgetApiClientId

日志文件的相关部分

dbug: Microsoft.EntityFrameworkCore.Storage.Internal.SqlServerConnection[4]
Closing connection to database 'IdentityServer4Db' on server 'localhost\SQLEXPRESS'.
dbug: IdentityServer4.EntityFramework.Stores.ResourceStore[0]
Found PssUserMgtApi.Read, PssUserMgtApi.Write API scopes in database
fail: IdentityServer4.Validation.TokenRequestValidator[0]
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx cannot request OpenID scopes in client credentials flow
fail: IdentityServer4.Validation.TokenRequestValidator[0]

{
        "ClientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "ClientName": "xxxxxxxxxxxxxxxxxxxxxxxxx",
        "GrantType": "client_credentials",
        "Scopes": "xxxxxxxxxx.Read xxxxxxxxxxxxx.Write",
        "Raw": {
            "grant_type": "client_credentials",
            "response_type": "id_token",
            "scope": "xxxxxxxxxxxx.Read xxxxxxxxxxxxx.Write",
            "client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "client_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        }
 }

info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 5292.2873ms 400 application/json
dbug: Microsoft.AspNetCore.Server.Kestrel[9]
Connection id "0HL51IVGKG792" completed keep alive response.

5 个答案:

答案 0 :(得分:0)

检查您的客户凭据详细信息是否正确。您还可以找到此简单的分步说明,以使用此link

配置客户端证书流

答案 1 :(得分:0)

如果遇到此问题,只需在ClientScopes的数据库中删除给定客户端的“ openid”作用域。

答案 2 :(得分:0)

由于在客户端凭据流中没有标记用户,因此通常情况下,客户端凭据并不打算为其添加范围,并且许多框架都不支持它。

https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/说:

范围(可选): 您的服务可以支持客户端凭据授予的不同范围。 实际上,实际上没有多少服务支持此功能。

答案 3 :(得分:0)

实际上问题已经包含答案:

  

grant_type client_credentials
   response_type id_token
  作用域WidgetApi.Read WidgetApi.Write
  client_secret xxxxxxxxxxxxxxxxxxxxxx
  client_id WidgetApiClientId

client_credentials类型的请求应在token端点处处理,并且必须不需要id_token,因为流是非交互的。冗余参数破坏了流程。

答案 4 :(得分:0)

我在IdentityServer4 2.1.3中遇到此错误,但在IdentityServer4 2.3.2中却没有。从该项目的GitHub问题来看,它似乎已在2.3中修复:

https://github.com/IdentityServer/IdentityServer4/issues/2295#issuecomment-405164127