我有3个项目1- SPA,2- Web API项目,3-身份(使用openiddict进行设置,使用EF Core进行ASP.NET Core 2.0(OpenIddict.dll版本2.0.0.-rc2-0854)。
API和Identity Server成功运行,可以获取jwt令牌但是,当我尝试从具有授权属性的API方法获取值时,我收到错误:
WWW-Authenticate →Bearer error="invalid_token", error_description="The access token is not valid."
在Application Insights中,可以看到调用POST / connect / introspect,结果依赖关系结果代码:500和依赖关系代码:Http
之前相同的代码工作,不确定哪些更改会破坏内省。
API项目中的配置
services.AddAuthentication(options =>
{
options.DefaultScheme = OAuthIntrospectionDefaults.AuthenticationScheme;
})
.AddOAuthIntrospection(options =>
{
options.Authority = new Uri("http://localhost:49888");
options.ClientId = "my-resource-server";
options.ClientSecret = "ClientSecret";
options.RequireHttpsMetadata = false;
});
services.AddCors();
services.AddMvc()
.AddJsonOptions(options =>
{
options.SerializerSettings.Formatting = Formatting.None;
});
授权方法
[HttpGet("GetData/{Id}")]
[Authorize(AuthenticationSchemes = OAuthIntrospectionDefaults.AuthenticationScheme)]
[Authorize(Roles = "Admin")]
public IActionResult GetData(int courseId)
{
}
身份项目中的连接/内省
private async Task<AuthenticationTicket> CreateTicketAsync(OpenIdConnectRequest request, UserInfo user)
{
UserInfo userInfo = await _userRepository.GetUserByCredentials(request.Username, request.Password);
if (userInfo == null)
{
return null;
}
// Create a new ClaimsIdentity holding the user identity.
var identity = new ClaimsIdentity(
OpenIdConnectServerDefaults.AuthenticationScheme,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role
);
// Add a "sub" claim containing the user identifier, and attach
// the "access_token" destination to allow OpenIddict to store it
// in the access token, so it can be retrieved from your controllers.
identity.AddClaim(OpenIdConnectConstants.Claims.Subject,
user.UserId.ToString(),
OpenIdConnectConstants.Destinations.AccessToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Name, user.Name,
OpenIdConnectConstants.Destinations.AccessToken);
identity.AddClaim(OpenIdConnectConstants.Claims.Role, user.Role,
OpenIdConnectConstants.Destinations.AccessToken);
// ... add other claims, if necessary.
var principal = new ClaimsPrincipal(identity);
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(principal,
new Microsoft.AspNetCore.Authentication.AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
。
答案 0 :(得分:1)
从RC2开始,OpenIddict可以正式用于第三方应用程序(即您不拥有的客户端)。因此,我们不能再认为所有注册的申请都是合法的,并且可以自由地反省代币。
为了使事情明确,您现在必须指定能够内省令牌的客户端标识符列表。为此,在创建故障单时添加以下代码:
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetResources("tracking_api", "marketing_api");
资源必须与使用内省处理程序分配给资源服务器的client_id完全匹配:
services.AddAuthentication()
.AddOAuthIntrospection(options =>
{
options.Authority = new Uri("http://localhost:12345/");
options.ClientId = "marketing_api";
options.ClientSecret = "846B62D0-DEF9-4215-A99D-86E6B8DAB342";
options.RequireHttpsMetadata = false;
});