Unable to complete OAuth 2.0 login

Time: 2018-08-06 12:44:13

Tags: asp.net-core oauth-2.0 postman asp.net-core-2.0 openid-connect

I have implemented AspNet.Security.OpenIdConnect.Server in a .NET Core 2.1 application. Now I want to test my authorization, and for that I am making a request from Postman. If I change the grant type to client_credentials it works, but I want to test the full flow, so I select the grant type as Authorization Code, and it starts showing the error "Unable to complete OAuth 2.0 login".

The code is as follows:

    // Namespaces used by this snippet: System, System.Linq, System.Security.Claims,
    // System.Security.Principal, System.Threading.Tasks, AspNet.Security.OAuth.Validation,
    // AspNet.Security.OpenIdConnect.Extensions, AspNet.Security.OpenIdConnect.Primitives
    // and AspNet.Security.OpenIdConnect.Server.
    services.AddAuthentication(OAuthValidationDefaults.AuthenticationScheme)
        .AddOAuthValidation()
        .AddOpenIdConnectServer(options =>
        {
            // Enable the authorization and token endpoints.
            options.AuthorizationEndpointPath = new PathString(AuthorizePath);
            options.TokenEndpointPath = new PathString(TokenPath);
            options.ApplicationCanDisplayErrors = true;
            options.AccessTokenLifetime = TimeSpan.FromMinutes(5);
    #if DEBUG
            options.AllowInsecureHttp = true;
    #endif
            options.Provider.OnValidateAuthorizationRequest = context =>
            {
                // Only the configured client_id is validated; the redirect_uri sent by the
                // client is accepted as-is. Any other client_id is left unvalidated, so no
                // authorization code is issued for it.
                if (string.Equals(context.ClientId, Configuration["OpenIdServer:ClientId"], StringComparison.Ordinal))
                {
                    context.Validate(context.RedirectUri);
                }
                return Task.CompletedTask;
            };

            // Implement OnValidateTokenRequest to support flows using the token endpoint.
            options.Provider.OnValidateTokenRequest = context =>
            {
                // Reject token requests that don't use grant_type=client_credentials,
                // grant_type=password or grant_type=refresh_token (authorization_code is
                // therefore rejected here).
                if (!context.Request.IsClientCredentialsGrantType() && !context.Request.IsPasswordGrantType()
                    && !context.Request.IsRefreshTokenGrantType())
                {
                    context.Reject(
                        error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
                        description: "Only grant_type=client_credentials, password and refresh_token " +
                                     "requests are accepted by this server.");

                    return Task.CompletedTask;
                }

                // Public client (no client_id): let the server apply its default handling.
                if (string.IsNullOrEmpty(context.ClientId))
                {
                    context.Skip();

                    return Task.CompletedTask;
                }

                // Confidential client: client_id and client_secret must both match the configuration.
                if (string.Equals(context.ClientId, Configuration["OpenIdServer:ClientId"], StringComparison.Ordinal) &&
                    string.Equals(context.ClientSecret, Configuration["OpenIdServer:ClientSecret"], StringComparison.Ordinal))
                {
                    context.Validate();
                }

                return Task.CompletedTask;
            };

            // Implement OnHandleTokenRequest to support token requests.
            options.Provider.OnHandleTokenRequest = context =>
            {
                // Only handle grant_type=client_credentials and grant_type=password token
                // requests and let the OpenID Connect server handle the other grant types.
                if (context.Request.IsClientCredentialsGrantType() || context.Request.IsPasswordGrantType())
                {
                    ClaimsIdentity identity = null;
                    if (context.Request.IsClientCredentialsGrantType())
                    {
                        identity = new ClaimsIdentity(new GenericIdentity(context.Request.ClientId, "Bearer"),
                            context.Request.GetScopes().Select(x => new Claim("urn:oauth:scope", x)));
                    }
                    else if (context.Request.IsPasswordGrantType())
                    {
                        identity = new ClaimsIdentity(new GenericIdentity(context.Request.Username, "Bearer"),
                            context.Request.GetScopes().Select(x => new Claim("urn:oauth:scope", x)));
                    }

                    // Add the mandatory subject/user identifier claim (here a fresh random value per token).
                    identity.AddClaim(OpenIdConnectConstants.Claims.Subject, Guid.NewGuid().ToString("n") + Guid.NewGuid().ToString("n"));

                    // By default, claims are not serialized in the access/identity tokens.
                    // Use the overload taking a "destinations" parameter to make sure
                    // your claims are correctly inserted in the appropriate tokens.
                    identity.AddClaim("urn:customclaim", "value",
                        OpenIdConnectConstants.Destinations.AccessToken,
                        OpenIdConnectConstants.Destinations.IdentityToken);

                    var ticket = new Microsoft.AspNetCore.Authentication.AuthenticationTicket(
                        new ClaimsPrincipal(identity),
                        new Microsoft.AspNetCore.Authentication.AuthenticationProperties(),
                        context.Scheme.Name);

                    // Call SetScopes with the list of scopes you want to grant
                    // (specify offline_access to issue a refresh token).
                    ticket.SetScopes(
                        OpenIdConnectConstants.Scopes.Profile,
                        OpenIdConnectConstants.Scopes.OfflineAccess);

                    context.Validate(ticket);
                }

                return Task.CompletedTask;
            };
        });

Here is the Postman collection:

[screenshot of the Postman collection; image not reproduced]

Now I'm not sure whether the problem is in my code or in the Postman collection. I think the callback URL is causing some problem, but I'm not sure. Any help?

Update:

By reading this page, https://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-implementing-the-authorization-code-and-implicit-flows/, I found the problem. I haven't handled the authorization code flow in my code, and I don't even want to. Is there any way to test the code using the resource owner password? I don't see that grant type in the form. Put simply, I want Postman to open the login screen in Controller/Login/Index, then select the SSL certificate, and it generates a token for me?

1 answer:

Answer 0 (score: 0)

Hi, I think you have to add https://www.getpostman.com/oauth2/callback as a redirect_url in your server configuration; I think your STS server won't return the token to an untrusted URL. That's why it works on your application but not on Postman.
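The answer's suggestion (register the Postman callback as an allowed redirect_uri) and the update's finding (the handlers in the question reject grant_type=authorization_code) can be addressed together. The following is an added example in C#, not code from the question, the answer or the ASOS project. It assumes ASOS for ASP.NET Core 2.x, the page's OpenIdServer:ClientId and OpenIdServer:ClientSecret configuration keys plus an assumed OpenIdServer:RedirectUris array, and an assumed authorize route ~/connect/authorize standing in for the page's AuthorizePath. The redirect_uri is checked by exact match against the allowlist and rejected otherwise, rather than validated as sent.

```csharp
// Added example (not the question's or answer's code). Assumes ASOS for ASP.NET Core 2.x and an
// "OpenIdServer" configuration section with ClientId, ClientSecret (both on the page) and an
// assumed RedirectUris array listing every callback the client is allowed to use.
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Extensions;
using AspNet.Security.OpenIdConnect.Primitives;
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

public static class AuthorizationCodeFlowSetup
{
    // Call from ConfigureServices: .AddOpenIdConnectServer(o => AuthorizationCodeFlowSetup.Configure(o, Configuration))
    public static void Configure(OpenIdConnectServerOptions options, IConfiguration configuration)
    {
        // Allowlist of registered callbacks; the Postman callback named in the answer is the fallback.
        var redirectUris = configuration.GetSection("OpenIdServer:RedirectUris").Get<string[]>()
            ?? new[] { "https://www.getpostman.com/oauth2/callback" };

        options.Provider.OnValidateAuthorizationRequest = context =>
        {
            if (!context.Request.IsAuthorizationCodeFlow())
            {
                context.Reject(error: OpenIdConnectConstants.Errors.UnsupportedResponseType,
                               description: "Only response_type=code is supported.");
                return Task.CompletedTask;
            }
            if (!string.Equals(context.ClientId, configuration["OpenIdServer:ClientId"], StringComparison.Ordinal))
            {
                context.Reject(error: OpenIdConnectConstants.Errors.InvalidClient,
                               description: "The specified client_id is not registered.");
                return Task.CompletedTask;
            }
            // Exact match against the allowlist: no prefix or wildcard matching, and an
            // unregistered redirect_uri is rejected instead of being validated as sent.
            if (string.IsNullOrEmpty(context.RedirectUri) ||
                !redirectUris.Contains(context.RedirectUri, StringComparer.Ordinal))
            {
                context.Reject(error: OpenIdConnectConstants.Errors.InvalidRequest,
                               description: "The specified redirect_uri is not registered for this client.");
                return Task.CompletedTask;
            }
            context.Validate(context.RedirectUri);
            return Task.CompletedTask;
        };

        options.Provider.OnValidateTokenRequest = context =>
        {
            // The code exchange and refresh tokens are accepted; every other grant is rejected.
            if (!context.Request.IsAuthorizationCodeGrantType() && !context.Request.IsRefreshTokenGrantType())
            {
                context.Reject(error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
                               description: "Only grant_type=authorization_code and refresh_token are accepted.");
                return Task.CompletedTask;
            }
            // Confidential client: both client_id and client_secret must match the configuration.
            if (string.Equals(context.ClientId, configuration["OpenIdServer:ClientId"], StringComparison.Ordinal) &&
                string.Equals(context.ClientSecret, configuration["OpenIdServer:ClientSecret"], StringComparison.Ordinal))
            {
                context.Validate();
                return Task.CompletedTask;
            }
            context.Reject(error: OpenIdConnectConstants.Errors.InvalidClient,
                           description: "Invalid client credentials.");
            return Task.CompletedTask;
        };
        // No OnHandleTokenRequest is needed for grant_type=authorization_code: ASOS redeems the
        // code against the ticket signed in at the authorization endpoint below.
    }
}

public class AuthorizationController : Controller
{
    // Authorization endpoint (route assumed; the page keeps it in AuthorizePath). [Authorize] sends
    // an anonymous user to the application's login page first, so a code is only issued to an
    // authenticated user.
    [HttpGet("~/connect/authorize"), Authorize]
    public IActionResult Authorize()
    {
        var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
        identity.AddClaim(OpenIdConnectConstants.Claims.Subject,
                          User.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? User.Identity.Name,
                          OpenIdConnectConstants.Destinations.AccessToken,
                          OpenIdConnectConstants.Destinations.IdentityToken);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity),
                                              new AuthenticationProperties(),
                                              OpenIdConnectServerDefaults.AuthenticationScheme);
        ticket.SetScopes(OpenIdConnectConstants.Scopes.Profile, OpenIdConnectConstants.Scopes.OfflineAccess);
        // Signing in with the ASOS scheme makes the server issue the code to the validated redirect_uri.
        return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
    }
}
```

With this in place, Postman's Authorization Code flow opens the application's login page, returns to the registered callback with a code, and exchanges it at the token endpoint with the client_id and client_secret; a request carrying a redirect_uri that is not in the allowlist is answered with invalid_request instead of a code.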