身份服务器4是否不允许隐式流访问API资源。
Identity Server 4 config.cs
new Client
{
ClientId = "implicit",
ClientName = "Implicit Client",
AllowAccessTokensViaBrowser = true,
RedirectUris = { "https://notused" },
PostLogoutRedirectUris = { "https://notused" },
FrontChannelLogoutUri = "http://localhost:5000/signout-idsrv", // for testing identityserver on localhost
AccessTokenLifetime = 10,
AllowedGrantTypes = GrantTypes.Implicit,
AllowedScopes = { "openid", "profile", "email", "ProxyServer", "api" }
}
Api资源
new ApiResource("api", "Custom"),
new ApiResource("ProxyServer", "Proxy Server")
在Mvc Client中我使用此代码ConfigureServices
services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = "oidc";
})
.AddCookie(options =>
{
options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
options.Cookie.Name = "mvcimplicit";
})
.AddOpenIdConnect("oidc", options =>
{
options.Authority = Constants.Authority;
options.RequireHttpsMetadata = false;
options.ClientId = "implicit";
options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("ProxyServer");
options.Scope.Add("profile");
options.Scope.Add("email");
options.SaveTokens = true;
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = JwtClaimTypes.Name,
RoleClaimType = JwtClaimTypes.Role,
};
});
当我在浏览器中尝试时,我收到“抱歉,出现错误:invalid_scope”。但是,如果我删除 options.Scope.Add(“ProxyServer”); 它工作正常,身份服务器4将我带到登录页面。
答案 0 :(得分:0)
好的我发现了这个问题,但发布以防其他人遇到同样的问题。
需要明确指定响应类型,否则它将不起作用。
options.ResponseType = "id_token token";
相应地修改响应类型。