我在客户端凭据流的访问令牌请求中收到invalid_scope错误。错误日志指出"无法在客户端凭据流中请求OpenID范围"。我没有要求开放id范围。我不知道它来自哪里。我需要使用客户端凭据流生成访问令牌。
问题/重现问题的步骤
API资源定义。
public IEnumerable GetApiResources()
{
return new List {
new ApiResource
{
Name = "WidgetApi",
DisplayName = "Widget Management API",
Description = "Widget Management API Resource Access",
ApiSecrets = new List { new Secret("scopeSecret".Sha256()) },
Scopes = new List {
new Scope("WidgetApi.Read"),
new Scope("WidgetApi.Write")
}
}
};
}
客户定义;
return new List
{
new Client
{
ClientId = "WidgetApi Client Id",
ClientName = "WidgetApi Client credential",
RequireConsent = false,
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets =
{
new Secret( clientSecret.Sha256())
},
// scopes that client has access to
AllowedScopes = { "WidgetApi.Read", "WidgetApi.Write"},
AccessTokenLifetime = 3600
};
}
使用邮递员访问令牌请求正文(键 - 值)
grant_type client_credentials
response_type id_token
scope WidgetApi.Read WidgetApi.Write
client_secret xxxxxxxxxxxxxxxxxxxxxx
client_id WidgetApiClientId
日志文件的相关部分
dbug: Microsoft.EntityFrameworkCore.Storage.Internal.SqlServerConnection[4]
Closing connection to database 'IdentityServer4Db' on server 'localhost\SQLEXPRESS'.
dbug: IdentityServer4.EntityFramework.Stores.ResourceStore[0]
Found PssUserMgtApi.Read, PssUserMgtApi.Write API scopes in database
fail: IdentityServer4.Validation.TokenRequestValidator[0]
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx cannot request OpenID scopes in client credentials flow
fail: IdentityServer4.Validation.TokenRequestValidator[0]
{
"ClientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"ClientName": "xxxxxxxxxxxxxxxxxxxxxxxxx",
"GrantType": "client_credentials",
"Scopes": "xxxxxxxxxx.Read xxxxxxxxxxxxx.Write",
"Raw": {
"grant_type": "client_credentials",
"response_type": "id_token",
"scope": "xxxxxxxxxxxx.Read xxxxxxxxxxxxx.Write",
"client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"client_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
}
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 5292.2873ms 400 application/json
dbug: Microsoft.AspNetCore.Server.Kestrel[9]
Connection id "0HL51IVGKG792" completed keep alive response.
答案 0 :(得分:0)
检查您的客户凭据详细信息是否正确。您还可以找到此简单的分步说明,以使用此link
配置客户端证书流答案 1 :(得分:0)
如果遇到此问题,只需在ClientScopes的数据库中删除给定客户端的“ openid”作用域。
答案 2 :(得分:0)
由于在客户端凭据流中没有标记用户,因此通常情况下,客户端凭据并不打算为其添加范围,并且许多框架都不支持它。
https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/说:
范围(可选): 您的服务可以支持客户端凭据授予的不同范围。 实际上,实际上没有多少服务支持此功能。
答案 3 :(得分:0)
实际上问题已经包含答案:
grant_type client_credentials
response_type id_token
作用域WidgetApi.Read WidgetApi.Write
client_secret xxxxxxxxxxxxxxxxxxxxxx
client_id WidgetApiClientId
client_credentials
类型的请求应在token
端点处处理,并且必须不需要id_token
,因为流是非交互的。冗余参数破坏了流程。
答案 4 :(得分:0)
我在IdentityServer4 2.1.3中遇到此错误,但在IdentityServer4 2.3.2中却没有。从该项目的GitHub问题来看,它似乎已在2.3中修复:
https://github.com/IdentityServer/IdentityServer4/issues/2295#issuecomment-405164127