Framework 4.6.2 API不验证从IdentityServer4

时间:2018-04-11 07:48:22

标签: identityserver4 identityserver3

我一直在关注本文中的步骤,但我的IdentityServer是使用IdentityServer4构建的。 https://identityserver.github.io/Documentation/docsv2/overview/simplestOAuth.html

在IdentityServer上,我创建了2个ApiResource,1个用于CoreWebApi,1个用于Framework 4.6.2 WebApi。

new ApiResource {
            Name = "WebApi",
            DisplayName = "WebApi Api",
            Description = "WebApi API Access",
            UserClaims = new List<string> {"role"},
            ApiSecrets = new List<Secret> {new Secret("scopeSecret".Sha256())},
            Scopes = new List<Scope> {
                new Scope("WebApi.read"),
                new Scope("WebApi.write")
            }
        },
        new ApiResource {
            Name = "CoreApi",
            DisplayName = "CoreApi API",
            Description = "CoreApi API Access",
            UserClaims = new List<string> {"role"},
            ApiSecrets = new List<Secret> {new Secret("scopeSecret".Sha256())},
            Scopes = new List<Scope> {
                new Scope("CoreApi.read"),
                new Scope("CoreApi.write")
            }
        }

我的测试控制台的客户端生成访问令牌。

            new Client()
            {
                ClientId = "consoleApp",
                ClientName = "Example Client Credentials Client Application",
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                ClientSecrets = new List<Secret>()
                {
                    new Secret("superSecretPassword".Sha256())
                },
                AllowedScopes = new List<string>(){ "CoreApi.read", "WebApi.read" }
            }

我可以为CoreApi

申请令牌 
var tokenResponse = await tokenClient.RequestClientCredentialsAsync("CoreApi.read");

然后毫无问题地调用我的CoreApi。

我也可以获得WebApi的代币

var tokenResponse = await tokenClient.RequestClientCredentialsAsync("WebApi.read");

但是使用令牌调用We​​bApi会返回“Unauthorized”?

CoreWebApi配置如下:

services.AddMvcCore()
        .AddAuthorization()
        .AddJsonFormatters();

        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "http://localhost:5000";
                options.RequireHttpsMetadata = false;

                options.ApiName = "CoreApi";
            });

WebApi配置为:

app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "http://localhost:5000",
            ValidationMode = ValidationMode.ValidationEndpoint,
            RequiredScopes = new[] { "WebApi.read" }
        });

        // configure web api
        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();

        // require authentication for all controllers
        config.Filters.Add(new AuthorizeAttribute());

        app.UseWebApi(config);

我有什么明显的遗失吗?是否可以在IdentityServer4中生成访问令牌并使用IdentityServer3.AccessTokenValidation进行验证? 任何帮助表示赞赏。

1 个答案:

答案 0 :(得分:0)

仅供参考,我设法通过将配置更新为:

来使ValidationEndpoint正常工作 
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "http://localhost:5000",
            ValidationMode = ValidationMode.ValidationEndpoint,
            RequiredScopes = new[] { "WebApi.read" },
            ClientId = "WebApi",
            ClientSecret = "scopeSecret"
        });

在Git上查看一些代码之后,我发现如果指定了ClientId,它将使用 Introspection (/ connect / introspect)端点而不是没有&#的验证端点(connect / accesstokenvalidation) 39; t存在。

****注意令人困惑的是, ClientId ClientSecret 实际上是 API资源名称 ApiSecrets

相关问题
最新问题