I can't get past the login page in my IdentityServer4 UI

Time: 2018-04-19 15:55:08

Tags: security .net-core xss identityserver4 filterattribute

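I am using .NET Core in my IdentityServer4 project, and I added the IdentityServer4 UI dependencies from my command line using iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/IdentityServer/IdentityServer4.Quickstart.UI/release/get.ps1')).

This successfully added the UI defaults, but when logging in from the UI I am only redirected back to the IdentityServer4 login page. I noticed that some CSP filter attributes ([SecurityHeaders]) are added by default.

When I remove this attribute from my Grants controller, I get to the Grants page as I would expect. Now, I know this prevents cross-site scripting and sniffing.

My question is how I can use the SecurityHeadersAttribute there and still be redirected successfully to the Grants controller on a successful login.

Test data used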

    using System.Collections.Generic;
    using IdentityServer4.Models;   // ApiResource, Client, Secret, GrantTypes
    using IdentityServer4.Test;     // TestUser

    // In-memory API resources
    public static class ApiRecourses
    {
        public static IEnumerable<ApiResource> Get()
        {
            return new ApiResource[]
            {
                new ApiResource("testresource", "testresourcedisplayname")
            };
        }
    }

    // In-memory clients
    public static class Clients
    {
        public static IEnumerable<Client> Get()
        {
            return new Client[]
            {
                new Client
                {
                    ClientId = "testclient",
                    ClientName = "testclientname",
                    ClientSecrets = new Secret[]
                    {
                        new Secret("secret".Sha256())
                    },
                    AllowedScopes = new List<string>() {"testresource"},
                    AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials
                }
            };
        }
    }

    // In-memory test users (referenced as TestUsers.Get() in ConfigureServices)
    public static class TestUsers
    {
        public static IEnumerable<TestUser> Get()
        {
            return new TestUser[]
            {
                new TestUser()
                {
                    SubjectId = "1",
                    Username = "a@b.c",
                    Password = "password"
                }
            };
        }
    }

ConfigureServices

    public void ConfigureServices(IServiceCollection services)
    {
        var pfxFilePath = Configuration.GetSection("Certificate:PfxFilePath");
        var pfxFilePassword = Configuration.GetSection("Certificate:Password");

        services.AddIdentityServer()
            .AddSigningCredential(new X509Certificate2(pfxFilePath.Value, pfxFilePassword.Value))
            .AddInMemoryClients(Clients.Get())
            .AddInMemoryApiResources(ApiRecourses.Get())
            .AddTestUsers(TestUsers.Get().ToList());

        services.AddMvc();
    }

Configure

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        loggerFactory.AddConsole();

        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseIdentityServer();
        app.UseStaticFiles();
        app.UseMvcWithDefaultRoute();
    }

0 answers:

No answers