IdentityServer4 signing certificate for reference tokens

Time: 2018-10-02 19:16:39

Tags: asp.net-core identityserver4

An error occurs when the API tries to validate a reference token. Our identity server will only issue reference tokens, so why is a signing certificate required? The error is about the key set:

System.InvalidOperationException: Policy error while contacting the discovery endpoint https://****.net/.well-known/openid-configuration: Keyset is missing
   at IdentityModel.AspNetCore.OAuth2Introspection.PostConfigureOAuth2IntrospectionOptions.GetIntrospectionEndpointFromDiscoveryDocument(OAuth2IntrospectionOptions Options)
   at IdentityModel.AspNetCore.OAuth2Introspection.PostConfigureOAuth2IntrospectionOptions.InitializeIntrospectionClient(OAuth2IntrospectionOptions Options)
   at IdentityModel.AspNetCore.OAuth2Introspection.OAuth2IntrospectionHandler.LoadClaimsForToken(String token)
   at IdentityModel.AspNetCore.OAuth2Introspection.OAuth2IntrospectionHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
   at IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.Invoke(HttpContext context)
   at Ips.Middleware.SerilogMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

3 answers:

Answer 0 (score: 0)

It looks like the discovery document is being validated to make sure it is well-formed. You can disable that validation by overriding the policy, but since you will need a signing key for id_tokens anyway, it is better to set up signing and validation credentials.

Answer 1 (score: 0)

You can stop the key information being returned from the discovery endpoint by setting IdentityServerOptions in IdentityServer:

options.Discovery.ShowKeySet = false;

See the implementation of PostConfigureOAuth2IntrospectionOptions.InitializeIntrospectionClient:

    private async Task<IntrospectionClient> InitializeIntrospectionClient(OAuth2IntrospectionOptions Options)
    {
        string endpoint;

        if (Options.IntrospectionEndpoint.IsPresent())
        {
            endpoint = Options.IntrospectionEndpoint;
        }
        else
        {
            endpoint = await GetIntrospectionEndpointFromDiscoveryDocument(Options).ConfigureAwait(false);
            Options.IntrospectionEndpoint = endpoint;
        }

        IntrospectionClient client;
        if (Options.IntrospectionHttpHandler != null)
        {
            client = new IntrospectionClient(
                endpoint,
                headerStyle: Options.BasicAuthenticationHeaderStyle,
                innerHttpMessageHandler: Options.IntrospectionHttpHandler);
        }
        else
        {
            client = new IntrospectionClient(endpoint);
        }

        client.Timeout = Options.DiscoveryTimeout;
        return client;
    }

By setting the IntrospectionEndpoint property on OAuth2IntrospectionOptions you avoid the call to GetIntrospectionEndpointFromDiscoveryDocument altogether.
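The explicit-endpoint route this answer points at, written out as an added example (it is not code from the answer or from IdentityModel itself): the API registers the OAuth2 introspection handler directly and sets IntrospectionEndpoint, so the handler takes the `Options.IntrospectionEndpoint.IsPresent()` branch shown above and never fetches the discovery document, which means the discovery policy and its key-set check never run. The authority URL, introspection path, API name and secrets are placeholders.

```csharp
// Added example (not from the answer above or from IdentityModel's own source).
// API-side Startup for an API that accepts only reference tokens and validates
// them by introspection, with the introspection endpoint fixed up front.
using System;
using IdentityModel.AspNetCore.OAuth2Introspection;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Introspection results are cached in IDistributedCache; register one so
        // EnableCaching below has a backing store.
        services.AddDistributedMemoryCache();

        services.AddAuthentication("Bearer")
            .AddOAuth2Introspection("Bearer", options =>
            {
                // Placeholder authority. It is only used to locate the discovery
                // document, which is not fetched once IntrospectionEndpoint is set.
                options.Authority = "https://idsrv.example.com";

                // Fixing the endpoint explicitly: the handler uses this value and
                // skips GetIntrospectionEndpointFromDiscoveryDocument, so the
                // "Keyset is missing" policy error cannot occur here.
                options.IntrospectionEndpoint = "https://idsrv.example.com/connect/introspect";

                // Credentials the API presents to the introspection endpoint.
                // Against IdentityServer4 these are the ApiResource name and one
                // of its ApiSecrets, not a Client's credentials. Placeholders;
                // load the secret from configuration, not source.
                options.ClientId = "api1";
                options.ClientSecret = "<api-secret-from-configuration>";

                // Cache positive results briefly so not every request costs an
                // introspection round-trip; keep the window short so that a
                // revoked reference token stops working quickly.
                options.EnableCaching = true;
                options.CacheDuration = TimeSpan.FromMinutes(2);
            });

        services.AddMvc();
    }
}
```

Hard-coding the endpoint replaces a discovered value with a configured trust decision, so keep it in configuration and over HTTPS only. For an API that never receives JWTs the skipped key-set check costs nothing, since a reference token is validated by the introspection response rather than by a signature.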

Answer 2 (score: 0)

Found the solution. You do not need to change Identity; the change is on the API side.

    services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(
            IdentityServerAuthenticationDefaults.AuthenticationScheme,
            //Null if you do not want to support jwt bearer tokens
            null,
            options =>
            {
                options.Authority = "https://yourIdentityServer.com";
                //This is the key
                options.DiscoveryPolicy.RequireKeySet = false;
                options.ClientId = "xxxx";
                options.ClientSecret = "xxxx";
            });