我将 IdentityServer 与 AccessTokenType.Reference 和一个 API 一起使用。该 API 无法验证发起请求的用户，错误日志如下:
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.0 POST http://dev.applicationname.com/api/query text/plain 36
info: IdentityModel.AspNetCore.OAuth2Introspection.OAuth2IntrospectionHandler[7]
BearerIdentityServerAuthenticationIntrospection was not authenticated. Failure message: Token is not active.
info: IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler[7]
Bearer was not authenticated. Failure message: Token is not active.
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed for user: (null).
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[3]
Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
info: Microsoft.AspNetCore.Mvc.ChallengeResult[1]
Executing ChallengeResult with authentication schemes ().
info: IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler[12]
AuthenticationScheme: Bearer was challenged.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action ApplicationName.Services.QueryHandler.Controllers.QueryController.PostAsync (ApplicationName.Services.QueryHandler) in 1.0248ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 49.0536ms 401
public void ConfigureServices(IServiceCollection services)
{
    // Minimal MVC stack for the API: core services, [Authorize] support, JSON I/O.
    var mvc = services.AddMvcCore();
    mvc.AddAuthorization();
    mvc.AddJsonFormatters();

    // Bearer tokens are validated against IdentityServer. The client issues
    // reference tokens, so the handler has to introspect each token at the
    // authority (the OAuth2IntrospectionHandler seen in the log); ApiName and
    // ApiSecret are the credentials it presents for that introspection call.
    var authBuilder = services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme);
    authBuilder.AddIdentityServerAuthentication(options =>
    {
        // NOTE(review): a plain-HTTP authority and a secret literal in source are
        // development-only settings; confirm both come from configuration
        // before this runs anywhere other than localhost.
        options.Authority = "http://localhost:5000";
        options.ApiName = "my_api_name";
        options.ApiSecret = "my_api_secret";
    });
}
public void ConfigureServices(IServiceCollection services)
{
    // EF Core context on PostgreSQL; the connection string is read from configuration.
    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseNpgsql(Configuration.GetConnectionString("DefaultConnection")));

    // ASP.NET Core Identity, persisted through the same DbContext.
    var identityBuilder = services.AddIdentity<ApplicationUser, IdentityRole>(options =>
    {
        // ...
    });
    identityBuilder.AddEntityFrameworkStores<ApplicationDbContext>();
    identityBuilder.AddDefaultTokenProviders();
    // ...

    // IdentityServer itself, using the Identity user store registered above.
    var idsBuilder = services.AddIdentityServer(options =>
    {
        // NOTE(review): issuer/public origin are plain HTTP localhost values —
        // development-only; confirm they are overridden outside development.
        options.IssuerUri = "http://localhost:5000";
        options.PublicOrigin = "http://localhost:5000";
    });
    // Developer signing credential: not for production use.
    idsBuilder.AddDeveloperSigningCredential();
    // NOTE(review): the client below issues reference tokens, whose handle is
    // looked up in the persisted grant store at introspection time. An in-memory
    // store loses every issued handle on restart and is not shared between
    // instances, which would surface exactly as "Invalid reference token" —
    // confirm whether this is what the logged failure is.
    idsBuilder.AddInMemoryPersistedGrants();
    idsBuilder.AddInMemoryIdentityResources(Config.GetIdentityResources());
    idsBuilder.AddInMemoryApiResources(Config.GetApiResources());
    // NOTE(review): Config.GetClients is declared with a baseUrl parameter in
    // Config.cs but is called here without one — one of the two is stale.
    idsBuilder.AddInMemoryClients(Config.GetClients());
    idsBuilder.AddAspNetIdentity<ApplicationUser>();
}
Config.cs
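/// <summary>
/// Defines the single API resource protected by this IdentityServer: its name,
/// the secret it uses when introspecting tokens, its one scope, and the user
/// claims requested for it.
/// </summary>
/// <returns>A lazily produced sequence containing one <see cref="ApiResource"/>.</returns>
public static IEnumerable<ApiResource> GetApiResources()
{
    // Single source for the API name so the resource name and the scope name
    // cannot drift apart (the original repeated the literal and used a
    // needless $"" interpolation with no placeholders).
    const string apiName = "my_api_name";

    yield return new ApiResource
    {
        Name = apiName,
        // Only the SHA-256 of the introspection secret is stored here; the API's
        // ApiSecret option presents the plain value. NOTE(review): the literal
        // lives in source — confirm it is replaced from configuration outside
        // development.
        ApiSecrets = { new Secret("my_api_secret".Sha256()) },
        // The client's AllowedScopes must contain this exact scope name.
        Scopes = { new Scope { Name = $"{apiName}.full_access" } },
        // User claims requested for this API.
        UserClaims =
        {
            JwtClaimTypes.Name,
            JwtClaimTypes.Email,
            "tenant_id"
        }
    };
}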
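/// <summary>
/// Defines the client applications registered with IdentityServer: a single
/// browser-based Angular client using the implicit flow and reference tokens.
/// </summary>
/// <param name="baseUrl">Currently unused — the redirect, post-logout and CORS
/// URIs below are fixed to localhost:4200 rather than derived from it. Kept for
/// signature compatibility. (The call site in ConfigureServices passes no
/// argument at all; one of the two is stale.)</param>
/// <returns>A lazily produced sequence of <see cref="Client"/> definitions.</returns>
public static IEnumerable<Client> GetClients(string baseUrl)
{
    // The original wrote `yield return new List<Client> { ... }`, which does not
    // compile in an IEnumerable<Client> iterator (a List<Client> is not a Client).
    // Yielding the Client itself matches the style of GetApiResources.
    yield return new Client
    {
        ClientId = "frontend",
        ClientName = "AngularClient",
        // Reference tokens are opaque handles; the API resolves them by
        // introspection, which needs the persisted grant backing the handle.
        AccessTokenType = AccessTokenType.Reference,
        AllowAccessTokensViaBrowser = true,
        AllowedGrantTypes = GrantTypes.Implicit,
        // NOTE(review): the implicit grant does not issue refresh tokens, so
        // AllowOfflineAccess is unlikely to have any effect here — confirm it
        // is intentional.
        AllowOfflineAccess = true,
        AlwaysIncludeUserClaimsInIdToken = true,
        RequireConsent = false,
        // Public (browser) client: no secret can be kept, so none is required.
        RequireClientSecret = false,
        RedirectUris =
        {
            "http://localhost:4200/signin-oidc"
        },
        PostLogoutRedirectUris =
        {
            "http://localhost:4200/signout-callback-oidc"
        },
        AllowedCorsOrigins =
        {
            "http://localhost:4200"
        },
        AllowedScopes = new List<string>
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            IdentityServerConstants.StandardScopes.Email,
            // NOTE(review): Config.GetIdentityResources is not shown; confirm an
            // identity resource named "tenant_id" exists, otherwise this scope
            // matches nothing.
            "tenant_id",
            // Must equal the scope name declared on the ApiResource in GetApiResources.
            "my_api_name.full_access"
        }
    };
}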
在IdentityServer中,我收到以下错误日志:
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.IntrospectionEndpoint for /connect/introspect
[15:17:44 Information] IdentityServer4.Hosting.IdentityServerMiddleware
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.IntrospectionEndpoint for /connect/introspect
fail: IdentityServer4.Validation.TokenValidator[0]
Invalid reference token.
{
"ValidateLifetime": true,
"AccessTokenType": "Reference",
"TokenHandle": "2a29182593d7eb69e9845e3d94b16f3056bc27da6cb6d6ae760733b3141dacdb"
}
[15:17:44 Error] IdentityServer4.Validation.TokenValidator
Invalid reference token.
{
"ValidateLifetime": true,
"AccessTokenType": "Reference",
"TokenHandle": "2a29182593d7eb69e9845e3d94b16f3056bc27da6cb6d6ae760733b3141dacdb"
}
info: IdentityServer4.Endpoints.IntrospectionEndpoint[0]
Success token introspection. Token active: False, for API name: my_api_name
[15:17:44 Information] IdentityServer4.Endpoints.IntrospectionEndpoint
Success token introspection. Token active: False, for API name: my_api_name
我认为存在配置错误，但我找不到它。
答案 0 :(得分:0)
我认为您必须为客户端添加对该资源的访问权限，否则 IdentityServer 会一直拒绝验证引用令牌。ApiResource 必须出现在客户端允许的范围（AllowedScopes）中，这一点有些令人困惑，恕我直言。
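/// <summary>
/// The answer's version of <c>GetClients</c>: the same client as in the question,
/// with the API resource name itself added to <c>AllowedScopes</c>.
/// </summary>
/// <param name="baseUrl">Unused; kept for signature compatibility with the question's version.</param>
/// <returns>A lazily produced sequence of <see cref="Client"/> definitions.</returns>
public static IEnumerable<Client> GetClients(string baseUrl)
{
    // `yield return new List<Client> { ... }` does not compile in an
    // IEnumerable<Client> iterator (a List<Client> is not a Client); yield the
    // Client directly instead.
    yield return new Client
    {
        AllowedScopes = new List<string>
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            IdentityServerConstants.StandardScopes.Email,
            "tenant_id",
            // add this
            // NOTE(review): GetApiResources in the question declares a scope named
            // "my_api_name.full_access", not "my_api_name"; confirm a scope with
            // this exact name exists, otherwise this entry matches nothing.
            "my_api_name",
            "my_api_name.full_access"
        }
    };
}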