Angular 客户端 - 访问令牌认证失败

时间:2018-02-08 14:39:15

标签: asp.net-identity identity identityserver4

我有一个Angular Client,我可以使用用户名和密码登录Identity Server(隐式)。请参见下面的屏幕截图:enter image description here

登录后,我收到以下信息:

enter image description here

当我点击API按钮时,执行以下代码:

enter image description here

下面的答案(感谢m3n7alsnak3 - 见下面的评论):

API Startup类:

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Constants;
using Microsoft.AspNetCore.Authentication.JwtBearer;

namespace Api
{
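    /// <summary>
    /// API host startup: registers MVC Core, the "JsClient" authorization policy,
    /// bearer-token validation against the identity server and a CORS policy for the
    /// browser client, then wires the middleware pipeline in <see cref="Configure"/>.
    /// </summary>
    public class Startup
    {
        #region "Startup"
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        /// <summary>Application configuration injected by the host.</summary>
        public IConfiguration Configuration { get; }
        #endregion

        #region "ConfigureServices"
        /// <summary>
        /// Registers services. Called by the runtime before <see cref="Configure"/>.
        /// </summary>
        /// <param name="services">The host's service collection.</param>
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvcCore()
                .AddAuthorization(options =>
                {
                    // Only callers whose token carries the "client_id" claim with value "js"
                    // (the browser client registered at the identity server) pass this policy.
                    options.AddPolicy("JsClient", config =>
                    {
                        config.RequireClaim("client_id", "js");
                    });
                })
                .AddJsonFormatters();

            #region "services.AddAuthentication"
            services.AddAuthentication("Bearer")
                .AddIdentityServerAuthentication(options =>
                {
                    options.Authority = Constants.Constant.AuthServer;

                    // Without ApiName the handler performs no audience validation, so a token
                    // issued by the authority for any other API would be accepted here as well.
                    // "api1" is the API resource this host serves and appears in the "aud"
                    // of the tokens the identity server issues to the js client.
                    options.ApiName = "api1";

                    // Development only: lets the discovery document be fetched over plain HTTP.
                    // Leave at the default (true) outside local development.
                    options.RequireHttpsMetadata = false;
                });
            #endregion

            #region "services.AddCors"
            // Cross-origin access is limited to the browser client's origin; the policy is
            // applied by UseCors("default") in Configure.
            services.AddCors(options =>
            {
                options.AddPolicy("default", policy =>
                {
                    policy.WithOrigins("http://localhost:5003")
                        .AllowAnyHeader()
                        .AllowAnyMethod();
                });
            });
            #endregion
        }
        #endregion

        #region "Configure"
        /// <summary>
        /// Builds the HTTP request pipeline. Called by the runtime. Middleware order matters:
        /// CORS runs before authentication so preflight (OPTIONS) requests are answered without
        /// a token, and authentication runs before MVC so controllers see the validated principal.
        /// </summary>
        /// <param name="app">The application pipeline builder.</param>
        /// <param name="env">The hosting environment.</param>
        /// <param name="loggerFactory">Logger factory to which console and debug sinks are added.</param>
        public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
        {
            loggerFactory.AddConsole(Configuration.GetSection("Logging"));
            loggerFactory.AddDebug();

            app.UseCors("default");

            app.UseAuthentication();

            app.UseMvc();
        }
        #endregion
    }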
}

IDS启动代码:

using System;
using System.Reflection;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;
using AuthServer.Data;
using AuthServer.Models;
using AuthServer.Services;
using Constants;

namespace AuthServer
{
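    /// <summary>
    /// Identity server host startup: ASP.NET Identity over EF Core, IdentityServer4 with
    /// EF-backed configuration and operational stores, Google external login and MVC.
    /// </summary>
    public class Startup
    {
        #region "Startup"
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        /// <summary>Application configuration injected by the host.</summary>
        public IConfiguration Configuration { get; }
        #endregion

        #region "ConfigureServices"
        /// <summary>
        /// Registers services. Called by the runtime before <see cref="Configure"/>.
        /// </summary>
        /// <param name="services">The host's service collection.</param>
        /// <exception cref="InvalidOperationException">
        /// Thrown when the Google client id or client secret is missing from configuration.
        /// </exception>
        public void ConfigureServices(IServiceCollection services)
        {
            // One connection string shared by the Identity store and both IdentityServer stores.
            string connectionString = Configuration.GetConnectionString("DefaultConnection");
            var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;

            services.AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlServer(connectionString));

            services.AddIdentity<ApplicationUser, IdentityRole>()
                .AddEntityFrameworkStores<ApplicationDbContext>()
                .AddDefaultTokenProviders();

            // Add application services.
            services.AddTransient<IEmailSender, EmailSender>();

            services.AddMvc();

            // configure identity server with EF stores for clients, resources and operational data
            services.AddIdentityServer()
                // Development only: generates a temporary signing key. Issued tokens stop
                // validating whenever that key changes, and it is not suitable for production,
                // where a managed certificate/key should be supplied via AddSigningCredential.
                .AddDeveloperSigningCredential()
                .AddAspNetIdentity<ApplicationUser>()
                // this adds the config data from DB (clients, resources)
                .AddConfigurationStore(options =>
                {
                    options.ConfigureDbContext = builder =>
                        builder.UseSqlServer(connectionString,
                            sql => sql.MigrationsAssembly(migrationsAssembly));
                })
                // this adds the operational data from DB (codes, tokens, consents)
                .AddOperationalStore(options =>
                {
                    options.ConfigureDbContext = builder =>
                        builder.UseSqlServer(connectionString,
                            sql => sql.MigrationsAssembly(migrationsAssembly));

                    // this enables automatic token cleanup. this is optional.
                    //options.EnableTokenCleanup = true;
                    //options.TokenCleanupInterval = 15; // interval in seconds. 15 seconds useful for debugging
                });

            // The Google OAuth client credentials are read from configuration (user secrets,
            // environment, key vault) rather than being committed in source. The key names
            // follow the ASP.NET Core convention for the Google provider.
            string googleClientId = Configuration["Authentication:Google:ClientId"];
            string googleClientSecret = Configuration["Authentication:Google:ClientSecret"];
            if (string.IsNullOrEmpty(googleClientId) || string.IsNullOrEmpty(googleClientSecret))
            {
                throw new InvalidOperationException(
                    "Google sign-in requires 'Authentication:Google:ClientId' and 'Authentication:Google:ClientSecret' in configuration.");
            }

            services.AddAuthentication()
                .AddGoogle("Google", options =>
                {
                    options.ClientId = googleClientId;
                    options.ClientSecret = googleClientSecret;
                });
        }
        #endregion

        #region "Configure"
        /// <summary>
        /// Builds the HTTP request pipeline. Called by the runtime. Developer diagnostics are
        /// enabled only in the Development environment; UseIdentityServer also registers the
        /// authentication middleware, so UseAuthentication is not called separately.
        /// </summary>
        /// <param name="app">The application pipeline builder.</param>
        /// <param name="env">The hosting environment (selects the error handling middleware).</param>
        /// <param name="loggerFactory">Logger factory to which console and debug sinks are added.</param>
        public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
        {
            loggerFactory.AddConsole(Configuration.GetSection("Logging"));
            loggerFactory.AddDebug();

            if (env.IsDevelopment())
            {
                // Detailed exception and database error pages disclose internals; keep them
                // confined to Development.
                app.UseDeveloperExceptionPage();
                app.UseBrowserLink();
                app.UseDatabaseErrorPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
            }

            app.UseStaticFiles();

            // app.UseAuthentication(); // not needed, since UseIdentityServer adds the authentication middleware
            app.UseIdentityServer();

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
            });
        }
        #endregion
    }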
}

API日志:

  Hosting environment: Development
Content root path: C:\Users\Paul\Documents\Visual Studio 2017\Projects\AuthServer\Api
Now listening on: http://localhost:5001
Application started. Press Ctrl+C to shut down.
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
      Request starting HTTP/1.1 OPTIONS http://localhost:5001/identity
info: Microsoft.AspNetCore.Cors.Infrastructure.CorsService[4]
      Policy execution successful.
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 84.7188ms 204
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
      Request starting HTTP/1.1 GET http://localhost:5001/identity
info: Microsoft.AspNetCore.Cors.Infrastructure.CorsService[4]
      Policy execution successful.
[13:39:14 Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler
Successfully validated the token.

info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[2]
      Successfully validated the token.
[13:39:14 Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler
AuthenticationScheme: BearerIdentityServerAuthenticationJwt was successfully authenticated.

info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[8]
      AuthenticationScheme: BearerIdentityServerAuthenticationJwt was successfully authenticated.
[13:39:14 Information] IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler
AuthenticationScheme: Bearer was successfully authenticated.

info: IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler[8]
      AuthenticationScheme: Bearer was successfully authenticated.
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[1]
      Authorization was successful for user: prdiet.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
      Executing action method Api.Controllers.IdentityController.Get (Api) with arguments ((null)) - ModelState is Valid
info: Microsoft.AspNetCore.Mvc.Formatters.Json.Internal.JsonResultExecutor[1]
      Executing JsonResult, writing value System.Linq.Enumerable+SelectEnumerableIterator`2[System.Security.Claims.Claim,<>f__AnonymousType0`2[System.String,System.String]].
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
      Executed action Api.Controllers.IdentityController.Get (Api) in 224.2595ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 2045.1953ms 200 application/json; charset=utf-8

IDS日志:

2018-02-09 13:37:41.253 -05:00 [DBG] Using Identity.Application as default scheme for authentication
2018-02-09 13:37:41.338 -05:00 [DBG] Using Identity.External as default scheme for sign-in
2018-02-09 13:37:41.342 -05:00 [DBG] Using Identity.External as default scheme for sign-out
2018-02-09 13:37:41.346 -05:00 [DBG] Using Identity.Application as default scheme for challenge
2018-02-09 13:37:41.349 -05:00 [DBG] Using Identity.Application as default scheme for forbid
2018-02-09 13:38:20.503 -05:00 [DBG] CORS request made for path: /.well-known/openid-configuration from origin: http://localhost:5003
2018-02-09 13:38:21.589 -05:00 [DBG] Origin http://localhost:5003 is allowed: true
2018-02-09 13:38:21.604 -05:00 [DBG] CorsPolicyService allowed origin: http://localhost:5003
2018-02-09 13:38:21.729 -05:00 [DBG] Request path /.well-known/openid-configuration matched to endpoint type Discovery
2018-02-09 13:38:21.778 -05:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
2018-02-09 13:38:21.785 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
2018-02-09 13:38:21.801 -05:00 [DBG] Start discovery request
2018-02-09 13:38:23.306 -05:00 [DBG] Found ["openid","email","profile","api1.IdentityScope","admin","user","api1.APIScope","api1"] as all scopes in database
2018-02-09 13:38:23.535 -05:00 [DBG] Request path /connect/authorize matched to endpoint type Authorize
2018-02-09 13:38:23.635 -05:00 [DBG] Endpoint enabled: Authorize, successfully created handler: IdentityServer4.Endpoints.AuthorizeEndpoint
2018-02-09 13:38:23.640 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
2018-02-09 13:38:23.658 -05:00 [DBG] Start authorize request
2018-02-09 13:38:23.687 -05:00 [DBG] No user present in authorize request
2018-02-09 13:38:23.714 -05:00 [DBG] Start authorize request protocol validation
2018-02-09 13:38:24.970 -05:00 [DBG] js found in database: true
2018-02-09 13:38:25.192 -05:00 [DBG] Found ["openid","profile"] identity scopes in database
2018-02-09 13:38:25.629 -05:00 [DBG] Found ["admin","user","api1.APIScope","api1"] API scopes in database
2018-02-09 13:38:25.797 -05:00 [DBG] Found ["openid","profile"] identity scopes in database
2018-02-09 13:38:26.099 -05:00 [DBG] Found ["admin","user","api1.APIScope","api1"] API scopes in database
2018-02-09 13:38:26.136 -05:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2018-02-09 13:38:26.200 -05:00 [INF] ValidatedAuthorizeRequest
{
  "ClientId": "js",
  "ClientName": "js.client",
  "RedirectUri": "http://localhost:5003/callback.html",
  "AllowedRedirectUris": [
    "http://localhost:5003/callback.html"
  ],
  "SubjectId": "anonymous",
  "ResponseType": "id_token token",
  "ResponseMode": "fragment",
  "GrantType": "implicit",
  "RequestedScopes": "openid profile api1",
  "State": "2e1163f138514b2ab6d9b3da5cca4a03",
  "Nonce": "d5a791d91e664b28a021b589307cc6a9",
  "Raw": {
    "client_id": "js",
    "redirect_uri": "http://localhost:5003/callback.html",
    "response_type": "id_token token",
    "scope": "openid profile api1",
    "state": "2e1163f138514b2ab6d9b3da5cca4a03",
    "nonce": "d5a791d91e664b28a021b589307cc6a9"
  }
}
2018-02-09 13:38:26.232 -05:00 [INF] Showing login: User is not authenticated
2018-02-09 13:38:26.881 -05:00 [INF] AuthenticationScheme: Identity.External signed out.
2018-02-09 13:38:26.913 -05:00 [DBG] Start authorize request protocol validation
2018-02-09 13:38:27.728 -05:00 [DBG] js found in database: true
2018-02-09 13:38:27.883 -05:00 [DBG] Found ["openid","profile"] identity scopes in database
2018-02-09 13:38:28.250 -05:00 [DBG] Found ["admin","user","api1.APIScope","api1"] API scopes in database
2018-02-09 13:38:28.408 -05:00 [DBG] Found ["openid","profile"] identity scopes in database
2018-02-09 13:38:28.788 -05:00 [DBG] Found ["admin","user","api1.APIScope","api1"] API scopes in database
2018-02-09 13:38:28.796 -05:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2018-02-09 13:38:57.996 -05:00 [DBG] Augmenting SignInContext
2018-02-09 13:38:58.004 -05:00 [DBG] Adding idp claim with value: local
2018-02-09 13:38:58.008 -05:00 [DBG] Adding amr claim with value: pwd
2018-02-09 13:38:58.016 -05:00 [DBG] Adding auth_time claim with value: 1518201538
2018-02-09 13:38:58.040 -05:00 [INF] AuthenticationScheme: Identity.Application signed in.
2018-02-09 13:38:58.049 -05:00 [INF] User logged in.
2018-02-09 13:38:58.109 -05:00 [INF] AuthenticationScheme: Identity.Application was successfully authenticated.
2018-02-09 13:38:58.119 -05:00 [INF] AuthenticationScheme: Identity.Application was successfully authenticated.
2018-02-09 13:38:58.129 -05:00 [DBG] Request path /connect/authorize/callback matched to endpoint type Authorize
2018-02-09 13:38:58.136 -05:00 [DBG] Endpoint enabled: Authorize, successfully created handler: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint
2018-02-09 13:38:58.143 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint for /connect/authorize/callback
2018-02-09 13:38:58.163 -05:00 [DBG] Start authorize callback request
2018-02-09 13:38:58.179 -05:00 [DBG] User in authorize request: 8ae24a28-59f5-48a6-92c6-c6cac551341b
2018-02-09 13:38:58.184 -05:00 [DBG] Start authorize request protocol validation
2018-02-09 13:38:59.378 -05:00 [DBG] js found in database: true
2018-02-09 13:38:59.598 -05:00 [DBG] Found ["openid","profile"] identity scopes in database
2018-02-09 13:39:00.165 -05:00 [DBG] Found ["admin","user","api1.APIScope","api1"] API scopes in database
2018-02-09 13:39:00.406 -05:00 [DBG] Found ["openid","profile"] identity scopes in database
2018-02-09 13:39:01.020 -05:00 [DBG] Found ["admin","user","api1.APIScope","api1"] API scopes in database
2018-02-09 13:39:01.032 -05:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2018-02-09 13:39:01.037 -05:00 [INF] ValidatedAuthorizeRequest
{
  "ClientId": "js",
  "ClientName": "js.client",
  "RedirectUri": "http://localhost:5003/callback.html",
  "AllowedRedirectUris": [
    "http://localhost:5003/callback.html"
  ],
  "SubjectId": "8ae24a28-59f5-48a6-92c6-c6cac551341b",
  "ResponseType": "id_token token",
  "ResponseMode": "fragment",
  "GrantType": "implicit",
  "RequestedScopes": "openid profile api1",
  "State": "2e1163f138514b2ab6d9b3da5cca4a03",
  "Nonce": "d5a791d91e664b28a021b589307cc6a9",
  "SessionId": "f80b09fa34fe67f90117912fb01ee854",
  "Raw": {
    "client_id": "js",
    "redirect_uri": "http://localhost:5003/callback.html",
    "response_type": "id_token token",
    "scope": "openid profile api1",
    "state": "2e1163f138514b2ab6d9b3da5cca4a03",
    "nonce": "d5a791d91e664b28a021b589307cc6a9"
  }
}
2018-02-09 13:39:01.263 -05:00 [DBG] Client is configured to not require consent, no consent is required
2018-02-09 13:39:01.284 -05:00 [DBG] Creating Implicit Flow response.
2018-02-09 13:39:01.311 -05:00 [DBG] Getting claims for access token for client: js
2018-02-09 13:39:01.317 -05:00 [DBG] Getting claims for access token for subject: 8ae24a28-59f5-48a6-92c6-c6cac551341b
2018-02-09 13:39:01.722 -05:00 [DBG] Getting claims for identity token for subject: 8ae24a28-59f5-48a6-92c6-c6cac551341b and client: js
2018-02-09 13:39:01.729 -05:00 [DBG] In addition to an id_token, an access_token was requested. No claims other than sub are included in the id_token. To obtain more user claims, either use the user info endpoint or set AlwaysIncludeUserClaimsInIdToken on the client configuration.
2018-02-09 13:39:01.775 -05:00 [INF] Authorize endpoint response
{
  "SubjectId": "8ae24a28-59f5-48a6-92c6-c6cac551341b",
  "ClientId": "js",
  "RedirectUri": "http://localhost:5003/callback.html",
  "State": "2e1163f138514b2ab6d9b3da5cca4a03",
  "Scope": "openid profile api1"
}
2018-02-09 13:39:01.824 -05:00 [DBG] Augmenting SignInContext
2018-02-09 13:39:01.829 -05:00 [INF] AuthenticationScheme: Identity.Application signed in.
2018-02-09 13:39:02.256 -05:00 [DBG] CORS request made for path: /.well-known/openid-configuration from origin: http://localhost:5003
2018-02-09 13:39:02.334 -05:00 [DBG] Origin http://localhost:5003 is allowed: true
2018-02-09 13:39:02.340 -05:00 [DBG] CorsPolicyService allowed origin: http://localhost:5003
2018-02-09 13:39:02.362 -05:00 [DBG] Request path /.well-known/openid-configuration matched to endpoint type Discovery
2018-02-09 13:39:02.372 -05:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
2018-02-09 13:39:02.392 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
2018-02-09 13:39:02.416 -05:00 [DBG] Start discovery request
2018-02-09 13:39:02.852 -05:00 [DBG] Found ["openid","email","profile","api1.IdentityScope","admin","user","api1.APIScope","api1"] as all scopes in database
2018-02-09 13:39:02.879 -05:00 [DBG] CORS request made for path: /.well-known/openid-configuration/jwks from origin: http://localhost:5003
2018-02-09 13:39:02.934 -05:00 [DBG] Origin http://localhost:5003 is allowed: true
2018-02-09 13:39:02.940 -05:00 [DBG] CorsPolicyService allowed origin: http://localhost:5003
2018-02-09 13:39:02.950 -05:00 [DBG] Request path /.well-known/openid-configuration/jwks matched to endpoint type Discovery
2018-02-09 13:39:02.957 -05:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryKeyEndpoint
2018-02-09 13:39:02.962 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryKeyEndpoint for /.well-known/openid-configuration/jwks
2018-02-09 13:39:02.980 -05:00 [DBG] Start key discovery request
2018-02-09 13:39:03.093 -05:00 [DBG] CORS request made for path: /connect/userinfo from origin: http://localhost:5003
2018-02-09 13:39:03.148 -05:00 [DBG] Origin http://localhost:5003 is allowed: true
2018-02-09 13:39:03.154 -05:00 [DBG] CorsPolicyService allowed origin: http://localhost:5003
2018-02-09 13:39:03.192 -05:00 [DBG] CORS request made for path: /connect/userinfo from origin: http://localhost:5003
2018-02-09 13:39:03.250 -05:00 [DBG] Origin http://localhost:5003 is allowed: true
2018-02-09 13:39:03.257 -05:00 [DBG] CorsPolicyService allowed origin: http://localhost:5003
2018-02-09 13:39:03.273 -05:00 [DBG] Request path /connect/userinfo matched to endpoint type Userinfo
2018-02-09 13:39:03.289 -05:00 [DBG] Endpoint enabled: Userinfo, successfully created handler: IdentityServer4.Endpoints.UserInfoEndpoint
2018-02-09 13:39:03.296 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.UserInfoEndpoint for /connect/userinfo
2018-02-09 13:39:03.318 -05:00 [DBG] Start userinfo request
2018-02-09 13:39:03.330 -05:00 [DBG] Bearer token found in header
2018-02-09 13:39:04.059 -05:00 [DBG] js found in database: true
2018-02-09 13:39:04.621 -05:00 [DBG] js found in database: true
2018-02-09 13:39:04.702 -05:00 [DBG] Calling into custom token validator: IdentityServer4.Validation.DefaultCustomTokenValidator
2018-02-09 13:39:04.722 -05:00 [DBG] Token validation success
{
  "ValidateLifetime": true,
  "AccessTokenType": "Jwt",
  "ExpectedScope": "openid",
  "Claims": {
    "nbf": 1518201541,
    "exp": 1518205141,
    "iss": "http://localhost:5000",
    "aud": [
      "http://localhost:5000/resources",
      "api1"
    ],
    "client_id": "js",
    "sub": "8ae24a28-59f5-48a6-92c6-c6cac551341b",
    "auth_time": 1518201538,
    "idp": "local",
    "name": "prdiet",
    "email": "Paul.Dietz@roush.com",
    "scope": [
      "openid",
      "profile",
      "api1"
    ],
    "amr": "pwd"
  }
}
2018-02-09 13:39:04.745 -05:00 [DBG] Creating userinfo response
2018-02-09 13:39:04.761 -05:00 [DBG] Scopes in access token: openid profile api1
2018-02-09 13:39:04.773 -05:00 [DBG] Scopes in access token: openid profile api1
2018-02-09 13:39:04.896 -05:00 [DBG] Found ["openid","profile"] identity scopes in database
2018-02-09 13:39:04.905 -05:00 [DBG] Requested claim types: sub zoneinfo birthdate gender website picture profile locale preferred_username middle_name given_name family_name name nickname updated_at
2018-02-09 13:39:04.911 -05:00 [DBG] Scopes in access token: openid profile api1
2018-02-09 13:39:05.006 -05:00 [DBG] Found ["openid","profile"] identity scopes in database
2018-02-09 13:39:05.139 -05:00 [INF] Profile service returned to the following claim types: sub preferred_username name
2018-02-09 13:39:05.149 -05:00 [DBG] End userinfo request
2018-02-09 13:39:05.200 -05:00 [INF] AuthenticationScheme: Identity.Application was successfully authenticated.
2018-02-09 13:39:05.217 -05:00 [INF] AuthenticationScheme: Identity.Application was successfully authenticated.
2018-02-09 13:39:05.228 -05:00 [DBG] Request path /connect/checksession matched to endpoint type Checksession
2018-02-09 13:39:05.237 -05:00 [DBG] Endpoint enabled: Checksession, successfully created handler: IdentityServer4.Endpoints.CheckSessionEndpoint
2018-02-09 13:39:05.244 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.CheckSessionEndpoint for /connect/checksession
2018-02-09 13:39:05.255 -05:00 [DBG] Rendering check session result
2018-02-09 13:39:05.538 -05:00 [DBG] CORS request made for path: /.well-known/openid-configuration from origin: http://localhost:5003
2018-02-09 13:39:05.608 -05:00 [DBG] Origin http://localhost:5003 is allowed: true
2018-02-09 13:39:05.613 -05:00 [DBG] CorsPolicyService allowed origin: http://localhost:5003
2018-02-09 13:39:05.624 -05:00 [DBG] Request path /.well-known/openid-configuration matched to endpoint type Discovery
2018-02-09 13:39:05.632 -05:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
2018-02-09 13:39:05.637 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
2018-02-09 13:39:05.646 -05:00 [DBG] Start discovery request
2018-02-09 13:39:06.042 -05:00 [DBG] Found ["openid","email","profile","api1.IdentityScope","admin","user","api1.APIScope","api1"] as all scopes in database
2018-02-09 13:39:06.082 -05:00 [INF] AuthenticationScheme: Identity.Application was successfully authenticated.
2018-02-09 13:39:06.092 -05:00 [INF] AuthenticationScheme: Identity.Application was successfully authenticated.
2018-02-09 13:39:06.102 -05:00 [DBG] Request path /connect/checksession matched to endpoint type Checksession
2018-02-09 13:39:06.108 -05:00 [DBG] Endpoint enabled: Checksession, successfully created handler: IdentityServer4.Endpoints.CheckSessionEndpoint
2018-02-09 13:39:06.114 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.CheckSessionEndpoint for /connect/checksession
2018-02-09 13:39:06.125 -05:00 [DBG] Rendering check session result
2018-02-09 13:39:13.278 -05:00 [DBG] Request path /.well-known/openid-configuration matched to endpoint type Discovery
2018-02-09 13:39:13.284 -05:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
2018-02-09 13:39:13.290 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
2018-02-09 13:39:13.298 -05:00 [DBG] Start discovery request
2018-02-09 13:39:13.703 -05:00 [DBG] Found ["openid","email","profile","api1.IdentityScope","admin","user","api1.APIScope","api1"] as all scopes in database
2018-02-09 13:39:14.217 -05:00 [DBG] Request path /.well-known/openid-configuration/jwks matched to endpoint type Discovery
2018-02-09 13:39:14.223 -05:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryKeyEndpoint
2018-02-09 13:39:14.229 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryKeyEndpoint for /.well-known/openid-configuration/jwks
2018-02-09 13:39:14.238 -05:00 [DBG] Start key discovery request

Fiddler 测试结果: enter image description here

最后API响应:

enter image description here

1 个答案:

答案 0 :(得分:1)

您提到的两行

  

.AddJwtBearer to services.AddAuthentication()

     

Services.AddAuthorization

应该是您的API Startup.cs的一部分,而不是Identity Server的一部分。

此外,该政策应再次在API中指定,而不是在IDS中指定。

为什么?通过使用services.AddAuthentication()(无论何种类型,在您的情况下是JWTBearer),您说:

  

嘿,这些资源受到保护,请对authority进行身份验证,以便能够访问它。

然后是授权部分,这也是您的API的责任,而不是IDS的。您指定的策略是API特定的,这意味着:

  

嘿,你是针对那个权威进行身份验证的,但我还有更多要求/规则让你进入。

在那里你指定规则。您可以将基于策略的授权视为高级的基于角色或更像自定义授权属性,但重要的部分 - 它是API的责任。

从那里开始,看看会发生什么。

编辑

根据我们的讨论,我更新了答案。现在尝试将 API 的 Startup 改为以下内容:

public void ConfigureServices(IServiceCollection services)
{
    // Stop the JWT handler from remapping short JWT claim names (e.g. "client_id", "sub")
    // to the legacy Microsoft URI claim types, so authorization policies such as
    // RequireClaim("client_id", ...) match the claims exactly as they appear in the token.
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

    // Authorization (policies) belongs to the API, which enforces them; the identity
    // server only authenticates and issues tokens.
    services
        .AddMvcCore()
        .AddAuthorization(options =>
        {
            // your policies
        })

    // more code

    // Validate incoming bearer tokens against the identity server that issued them.
    services.AddAuthentication("Bearer")
        .AddIdentityServerAuthentication(options =>
        {
            // placeholder: base URL of the identity server (the token issuer)
            options.Authority = <ids address>;
            // development only: permits fetching discovery metadata over plain HTTP
            options.RequireHttpsMetadata = false;
        });

    // more code
其余部分保持不变。另外请注意 - 在测试场景 2 中,您调用了两次 services.AddAuthorization()。只调用一次(如上所示)。试一试。

编辑2

在 services.AddAuthentication("Bearer") 中 - Bearer 的首字母 B 是大写的