我们有一个网站和一个公共API,两者都被定义为Identity Server中的客户端:
public static IEnumerable<Client> GetClients()
{
return new List<Client>
{
// resource owner password grant client
new Client
{
ClientId = "API_RO",
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedScopes = { "WEB_API" },
IncludeJwtId = true,
AlwaysIncludeUserClaimsInIdToken = true,
AlwaysSendClientClaims = true
},
// OpenID Connect implicit flow client (MVC)
new Client
{
ClientId = "PUBLIC_SPA_APPLICATION",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"WEB_API",
},
IncludeJwtId = true,
AlwaysIncludeUserClaimsInIdToken = true,
}
}
}
在Web服务中,我们将根据发送的令牌进行身份验证
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IServiceDiscovery serviceDiscovery)
{
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
Authority = $"{serviceInformation.Prefix}{serviceInformation.IpAddress}:{serviceInformation.Port}",
RequireHttpsMetadata = false,
ApiName = "PUBLIC_SPA_APPLICATION", //"API_RO",<= PROBLEM HERE
SaveToken = false
});
}
我遇到的问题是ApiName参数只允许设置一个客户端。我需要找到一种方法让它适用于通过网站访问的客户和通过API访问的客户。
目前我收到以下错误:
Bearer未经过身份验证。失败消息:IDX10214:受众 验证失败。观众:&#39; PUBLIC_SPA_APPLICATION&#39;。不匹配: validationParameters.ValidAudience:&#39; API_RO&#39;要么 validationParameters.ValidAudiences:&#39; null&#39;。