.NET Core 2.0 Web API,使用 OpenIddict 进行设置,采用 Implicit flow。我的身份服务器和资源服务器位于不同的项目中。我有测试用例以确保授权用户获得访问权限,但持有有效访问令牌的用户被拒绝并收到 401 状态码。使用内省端点时,resource 和 clientId 相同。access_token 有效,已在 http://calebb.net/ 上解码查看。不确定我错过了什么。
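// Auth server
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    var connection = Configuration.GetConnectionString("DefaultConnection");

    // Single DbContext registration. The original code registered IdentityDbContext a
    // second time further down (plain UseSqlServer, without UseOpenIddict()). EF Core's
    // AddDbContext registers the options with TryAdd, so that later registration was
    // silently ignored — and had it won, the OpenIddict entity configuration would have
    // been dropped and the EF Core stores would have stopped working. Removed.
    services.AddDbContext<IdentityDbContext>(options =>
    {
        options.UseSqlServer(connection);
        // Adds the OpenIddict application/authorization/scope/token entity sets.
        options.UseOpenIddict();
    });

    services.AddOpenIddict(options =>
    {
        // Persist applications, authorizations, scopes and tokens in IdentityDbContext.
        options.AddEntityFrameworkCoreStores<IdentityDbContext>();
        options.AddMvcBinders();

        // Endpoints exposed by this server. The resource server's introspection handler
        // calls /connect/introspect with its client_id/client_secret, so it has to exist as
        // a confidential application in the OpenIddict application store.
        options.EnableAuthorizationEndpoint("/connect/authorize")
               .EnableLogoutEndpoint("/connect/logout")
               .EnableIntrospectionEndpoint("/connect/introspect")
               .EnableTokenEndpoint("/connect/token")
               .EnableUserinfoEndpoint("/api/userinfo");

        // Implicit flow: the access token is returned directly by the authorization endpoint.
        options.AllowImplicitFlow();

        // Ephemeral key: regenerated on every process start, so tokens issued by a previous
        // run (and any signing key cached by consumers) stop validating. Development only —
        // use AddSigningCertificate with a persisted certificate for any shared/production
        // deployment.
        options.AddEphemeralSigningKey();
        //options.AddSigningCertificate(_cert);

        // Access tokens are issued as JWTs instead of opaque Data Protection tickets.
        options.UseJsonWebTokens();

        // Development only: allows plain HTTP on the OpenIddict endpoints.
        options.DisableHttpsRequirement();
    });

    services.AddScoped<IUserRepository, UserRepository>();

    // NOTE(review): AddOAuthValidation validates the opaque Data Protection token format.
    // With UseJsonWebTokens() enabled above, a Bearer JWT presented to an action on this
    // server that relies on the default scheme cannot be unprotected by this handler and
    // is rejected. Either drop UseJsonWebTokens(), or validate JWTs with a JWT bearer
    // handler (Microsoft.AspNetCore.Authentication.JwtBearer) instead of OAuth validation.
    services.AddAuthentication(o =>
    {
        o.DefaultAuthenticateScheme = OAuthValidationDefaults.AuthenticationScheme;
        o.DefaultChallengeScheme = OAuthValidationDefaults.AuthenticationScheme;
    })
    .AddOAuthValidation();

    // Role-based policies; they only succeed if the validated principal carries the
    // matching role claim.
    services.AddAuthorization(options =>
    {
        options.AddPolicy("RequiredApplicationManagerRole", policy => policy.RequireRole("ApplicationManager"));
        options.AddPolicy("RequireAdministratorRole", policy => policy.RequireRole("Administrator"));
        options.AddPolicy("RequireUserRole", policy => policy.RequireRole("User"));
    });

    //services.AddDataProtection(opts =>
    //{
    //    opts.ApplicationDiscriminator = "identity";
    //});
}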
资源服务器
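private void ConfigureAuthService(IServiceCollection services)
{
    // Secret used to authenticate this resource server against the auth server's
    // introspection endpoint. Read it from the environment (or user-secrets/config in the
    // hosting project) rather than committing it to source. The literal is kept only as a
    // local-development fallback and should be removed before this runs anywhere shared.
    var introspectionSecret =
        Environment.GetEnvironmentVariable("RESOURCE_SERVER_CLIENT_SECRET") ?? "ClientSecret";

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = OAuthIntrospectionDefaults.AuthenticationScheme;
    })
    .AddOAuthIntrospection(options =>
    {
        // Plain-HTTP authority plus RequireHttpsMetadata = false is a development-only
        // combination: every introspection call carries the caller's bearer token and this
        // server's client secret, which must not travel unencrypted outside localhost.
        options.Authority = new Uri("http://localhost:49819/");
        options.RequireHttpsMetadata = false;

        // A token is accepted only if its audience contains this value, so the auth server
        // has to issue tokens with aud = "resource-server-1" (presumably requested through
        // the `resource` parameter of the authorize request — verify); tokens without it are
        // rejected with 401 even when the introspection response says they are active.
        options.Audiences.Add("resource-server-1");

        // Credentials of this resource server as a confidential client on the auth server.
        options.ClientId = "resource-server-1";
        options.ClientSecret = introspectionSecret;

        // Note: you can override the default name and role claims:
        // options.NameClaimType = "custom_name_claim";
        //options.RoleClaimType = "Administrator";
    });

    services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
    services.AddTransient<IIdentityService, IdentityService>();
}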