Using .NET Core 2.1 and Identity Server 4
I am using Identity Server 4 to authenticate the login on an MVC application. The process works: I can only reach a page marked [Authorize] after logging in. It redirects me to the IS4 server to log in, and once logged in I am redirected back to my MVC app and can view the protected page.
However, moving forward, I also want to call an API with this client, and I am running into problems.
I believe the root of the problem is that I cannot access my access_token or id_token. When I call them, they always return null.
I am using the following code in a Razor page, and every token always returns null.
```cshtml
@using Microsoft.AspNetCore.Authentication
@{
    var claims = User.Claims;
    var idt = await ViewContext.HttpContext.GetTokenAsync("id_token");
    var at = await ViewContext.HttpContext.GetTokenAsync("access_token");
    var rt = await ViewContext.HttpContext.GetTokenAsync("refresh_token");
}
<dt>id_token</dt>
<dd>@idt</dd>
<dt>access token</dt>
<dd>@at</dd>
<dt>refresh token</dt>
<dd>@rt</dd>
```
My MVC startup looks like this:
```csharp
services.AddIdentity<ApplicationUser, IdentityRole>()
    .AddEntityFrameworkStores<IdentityContext>()
    .AddDefaultTokenProviders();

services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
    options.SignInScheme = "Cookies";
    options.Authority = "http://localhost:5000";
    options.RequireHttpsMetadata = false;
    options.ClientId = "mvc";
    options.ClientSecret = "secret";
    options.ResponseType = "code id_token";
    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.Scope.Add("api1");
    options.Scope.Add("offline_access");
    options.Scope.Add("openid");
    options.Scope.Add("email");
});
```
My IS4 startup looks like this:
```csharp
services.AddIdentityServer()
    .AddAspNetIdentity<ApplicationUser>()
    .AddConfigurationStore(configDb =>
    {
        configDb.ConfigureDbContext = db => db.UseNpgsql(Configuration.GetConnectionString("IdentityServer4ConfigurationContext"),
            sql => sql.MigrationsAssembly(typeof(IdentityServer4Startup).GetTypeInfo().Assembly.GetName().Name));
    })
    .AddOperationalStore(operationDb =>
    {
        operationDb.ConfigureDbContext = db => db.UseNpgsql(Configuration.GetConnectionString("IdentityServer4PersistedGrantContext"),
            sql => sql.MigrationsAssembly(typeof(IdentityServer4Startup).GetTypeInfo().Assembly.GetName().Name));
    })
    .AddSigningCredential("CN=localhost");
```
I am confused as to how the IS4 login works correctly. Looking at the logs, everything is issuing tokens and authenticating the tokens on every request.
Here are some of the generated logs:
```
[13:05:20 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token
[13:05:20 VRB] Processing token request.
[13:05:20 DBG] Start token request.
[13:05:20 DBG] Start client validation
[13:05:20 DBG] Start parsing Basic Authentication secret
[13:05:20 DBG] Start parsing for secret in post body
[13:05:20 DBG] Connection id "0HLIABES76N39", Request id "0HLIABES76N39:00000003": started reading request body.
[13:05:20 DBG] Connection id "0HLIABES76N39", Request id "0HLIABES76N39:00000003": done reading request body.
[13:05:20 DBG] Parser found secret: PostBodySecretParser
[13:05:20 DBG] Secret id found: mvc
[13:05:20 DBG] mvc found in database: True
[13:05:20 DBG] Secret validator success: HashedSharedSecretValidator
[13:05:20 DBG] Client validation success
[13:05:20 VRB] Calling into token request validator: IdentityServer4.Validation.TokenRequestValidator
[13:05:21 DBG] Start token request validation
[13:05:21 DBG] Start validation of authorization code token request
[13:05:21 DBG] F5F9HpNIqo4A+pLlz3KUHAOT3suUMARiwjA+AiMiYKQ= found in database: True
[13:05:21 DBG] removing F5F9HpNIqo4A+pLlz3KUHAOT3suUMARiwjA+AiMiYKQ= persisted grant from database
[13:05:21 DBG] Validation of authorization code token request success
[13:05:21 VRB] Calling into custom request validator: IdentityServer4.Validation.DefaultCustomTokenRequestValidator
[13:05:21 INF] Token request validation success
{
  "ClientId": "mvc",
  "ClientName": "MVC Client",
  "GrantType": "authorization_code",
  "AuthorizationCode": "4f5aae4aa4569dbe537ba5146f5f6dc2e7854308481844804b646cb9ecaec26c",
  "Raw": {
    "client_id": "mvc",
    "client_secret": "***REDACTED***",
    "code": "4f5aae4aa4569dbe537ba5146f5f6dc2e7854308481844804b646cb9ecaec26c",
    "grant_type": "authorization_code",
    "redirect_uri": "http://localhost:61000/signin-oidc"
  }
}
[13:05:21 VRB] Calling into token request response generator: IdentityServer4.ResponseHandling.TokenResponseGenerator
[13:05:21 VRB] Creating response for authorization code request
[13:05:21 DBG] mvc found in database: True
[13:05:21 DBG] Found ["openid", "profile", "email"] identity scopes in database
[13:05:21 DBG] Found ["api1"] API scopes in database
[13:05:21 VRB] Creating access token
[13:05:21 DBG] Getting claims for access token for client: mvc
[13:05:21 DBG] Getting claims for access token for subject: 081d6afc-b10d-4a61-ab09-fdaf8a614129
[13:05:21 VRB] Creating JWT access token
[13:05:21 DBG] Creating refresh token
[13:05:21 DBG] Setting an absolute lifetime: 2592000
[13:05:21 DBG] pHf7GHw+2sCYm+0gR8FRGOgxyXQIxC37sqp58NZeSiw= not found in database
[13:05:21 DBG] mvc found in database: True
[13:05:21 DBG] Found ["openid", "profile", "email"] identity scopes in database
[13:05:21 DBG] Found ["api1"] API scopes in database
[13:05:21 VRB] Creating identity token
[13:05:21 DBG] Getting claims for identity token for subject: 081d6afc-b10d-4a61-ab09-fdaf8a614129 and client: mvc
[13:05:21 DBG] In addition to an id_token, an access_token was requested. No claims other than sub are included in the id_token. To obtain more user claims, either use the user info endpoint or set AlwaysIncludeUserClaimsInIdToken on the client configuration.
[13:05:21 VRB] Creating JWT identity token
[13:05:21 VRB] Identity token issued for mvc (MVC Client) / no subject: eyJhbGciOiJSUzI1NiIsImtpZCI6IkVDN0UyNjgyOTk4QkZDQjVFRTk3MUJDNzVGMTQxQkNGNTZEMjQyNDAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiI3SDRtZ3BtTF9MWHVseHZIWHhRYnoxYlNRa0EifQ.….hxVLqfAzmYamg89yhsWoYChzvUqrWFARuc0pqXYrRPP2wrfgVQ834PMHUtEk0BtqJTVXNzOgP38x3iiL3k7rw3P-dsVfBygiNSbDNQRYAjPCxSl4U7SNP0_1U6gbay3WZhRkntzAvvhOYrACghyB37DoT7EYvwnwOGYDUp0zpABoNaB4WuCwmQHV3vxkkLRUbz6uo3QSOyAxrvIVfEOXrOX-QafVcnyVjca1kWJronXRF4VWHhRDxx00j_SEuFaoXNZWA4aTyZ5zySZBEOaIQeS-d2ExE5xqdIWKd3VDu9dZ8nQmEikK4VNQVN-AGdzFXLTeT9BQjYKoqbG4_OAtdA
[13:05:21 VRB] Refresh token issued for mvc (MVC Client) / no subject: 034c4f17df4fe6879ef7b10cfa07b2d84a0a748d20e9249a856296db58b44fea
[13:05:21 VRB] Access token issued for mvc (MVC Client) / no subject: eyJhbGciOiJSUzI1NiIsImtpZCI6IkVDN0UyNjgyOTk4QkZDQjVFRTk3MUJDNzVGMTQxQkNGNTZEMjQyNDAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiI3SDRtZ3BtTF9MWHVseHZIWHhRYnoxYlNRa0EifQ.eyJuYmYiOjE1NDIyMTg3MjEsImV4cCI6MTU0MjIyMjMyMSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjpbImh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC9yZXNvdXJjZXMiLCJhcGkxIl0sImNsaWVudF9pZCI6Im12YyIsInN1YiI6IjA4MWQ2YWZjLWIxMGQtNGE2MS1hYjA5LWZkYWY4YTYxNDEyOSIsImF1dGhfdGltZSI6MTU0MjIxODcxOSwiaWRwIjoibG9jYWwiLCJzY29wZSI6WyJvcGVuaWQiLCJwcm9maWxlIiwiZW1haWwiLCJhcGkxIiwib2ZmbGluZV9hY2Nlc3MiXSwiYW1yIjpbInB3ZCJdfQ.a1Vy2yRh98ApFVe1jqK7jwTOoaMfnxWOwu8Qr4ENh_vtty7LPElzngnUrs-nw0Xt3C1oMVvy5Ok7ZB9iiMdHPm6YaSnpBkyvivjFv4ttBtsmdj-qB0nR9o1S8UgbiaEP3rhpK-1hflYGGI1cm7lOucVgi9HYmBKudvWsKa_7b44nbrriit4v9wF_cA4r95xDEfr8ZIOu2QsGhYSN9mQTRE_okj_aoigYVEr_Nw7_5BGV1cE8v7NmmREcX4kHJaBhQBpAJ9D4s9QK1at0sGJ_3AmNC97CzOiDkeC_mPWuOXSxfK9i_XgzHVDYXEZwuFaTowwmwTzTlHnnLZ_D6FjiRw
[13:05:21 DBG] Token request success.
[13:05:21 VRB] Invoking result: IdentityServer4.Endpoints.Results.TokenResult
[13:05:21 DBG] Connection id "0HLIABES76N39" completed keep alive response.
[13:05:21 INF] Request finished in 430.9773ms 200 application/json; charset=UTF-8
[13:05:21 INF] Request starting HTTP/1.1 GET http://localhost:5000/connect/userinfo
[13:05:21 VRB] All hosts are allowed.
[13:05:21 DBG] The request path /connect/userinfo does not match a supported file type
[13:05:21 DBG] AuthenticationScheme: Identity.Application was not authenticated.
[13:05:21 DBG] AuthenticationScheme: Identity.Application was not authenticated.
[13:05:21 DBG] Request path /connect/userinfo matched to endpoint type Userinfo
[13:05:21 DBG] Endpoint enabled: Userinfo, successfully created handler: IdentityServer4.Endpoints.UserInfoEndpoint
[13:05:21 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.UserInfoEndpoint for /connect/userinfo
[13:05:21 DBG] Start userinfo request
[13:05:21 DBG] Bearer token found in header
[13:05:21 VRB] Calling into userinfo request validator: IdentityServer4.Validation.UserInfoRequestValidator
[13:05:21 VRB] Start access token validation
[13:05:21 DBG] mvc found in database: True
[13:05:21 DBG] mvc found in database: True
[13:05:21 DBG] Calling into custom token validator: IdentityServer4.Validation.DefaultCustomTokenValidator
[13:05:21 DBG] Token validation success
{
  "ValidateLifetime": true,
  "AccessTokenType": "Jwt",
  "ExpectedScope": "openid",
  "Claims": {
    "nbf": 1542218721,
    "exp": 1542222321,
    "iss": "http://localhost:5000",
    "aud": [
      "http://localhost:5000/resources",
      "api1"
    ],
    "client_id": "mvc",
    "sub": "081d6afc-b10d-4a61-ab09-fdaf8a614129",
    "auth_time": 1542218719,
    "idp": "local",
    "scope": [
      "openid",
      "profile",
      "email",
      "api1",
      "offline_access"
    ],
    "amr": "pwd"
  }
}
[13:05:21 VRB] Calling into userinfo response generator: IdentityServer4.ResponseHandling.UserInfoResponseGenerator
[13:05:21 DBG] Creating userinfo response
[13:05:21 DBG] Scopes in access token: openid profile email api1 offline_access
[13:05:21 DBG] Scopes in access token: openid profile email api1 offline_access
[13:05:21 DBG] Found ["openid", "profile", "email"] identity scopes in database
[13:05:21 DBG] Requested claim types: sub updated_at locale zoneinfo birthdate gender website picture family_name name profile preferred_username nickname middle_name given_name email email_verified
[13:05:21 DBG] Scopes in access token: openid profile email api1 offline_access
[13:05:21 DBG] Found ["openid", "profile", "email"] identity scopes in database
[13:05:21 INF] Profile service returned to the following claim types: sub name given_name family_name email email_verified website preferred_username
[13:05:21 DBG] End userinfo request
[13:05:21 VRB] Invoking result: IdentityServer4.Endpoints.Results.UserInfoResult
[13:05:21 DBG] Connection id "0HLIABES76N39" completed keep alive response.
[13:05:21 INF] Request finished in 256.1036ms 200 application/json; charset=UTF-8
```
Any help would be greatly appreciated.
Here is the ValidatedAuthorizeRequest issued by IS4, which contains the client information:
```
[13:21:00 INF] ValidatedAuthorizeRequest
{
  "ClientId": "mvc",
  "ClientName": "MVC Client",
  "RedirectUri": "http://localhost:61000/signin-oidc",
  "AllowedRedirectUris": [
    "http://localhost:61000/signin-oidc",
    "http://localhost:5000/signin-oidc"
  ],
  "SubjectId": "081d6afc-b10d-4a61-ab09-fdaf8a614129",
  "ResponseType": "code id_token",
  "ResponseMode": "form_post",
  "GrantType": "hybrid",
  "RequestedScopes": "openid profile api1 offline_access email",
  "State": "CfDJ8EzT-5PsjT5Htj2FYGOkFvypng74D54aal5fl_xHTuLrCVRVCQ7hdh7iEhwSe6bnkjRaLEH_heDufsxa6c59f0cHT-00AfhAu-4hOymVu8eIOhjcT5rDuMox5V616aTPJI7U5sYaav8Jhxn_8FS13PxXbwWCRK09stEQuo9eqNUgkaIHdIgZmvyo_wGhAD7W_kBNUvQHMLew6jfYjBFwKG6yy6io6Vo2IYlzBQCoQlX2Vs9iHRg7QNx2aXiObfhQGFht8gVh-HpeW_LbrSnlaOGyIG2bVbipE1hIx312JsmDi2aznaRSJ7awEnOVrLY74g",
  "Nonce": "636778164429105771.N2E2YmVmY2QtODlmNS00NWI1LTllOGYtOTY0YjIzYjdmNDQwZDAyMDhlYmQtNGVjYS00MzM0LWI0OGQtZGYxNzM4ZDE1ZmU2",
  "SessionId": "9c530abab1c6e8a9a3efc48ba989ddf8",
  "Raw": {
    "client_id": "mvc",
    "redirect_uri": "http://localhost:61000/signin-oidc",
    "response_type": "code id_token",
    "scope": "openid profile api1 offline_access email",
    "response_mode": "form_post",
    "nonce": "636778164429105771.N2E2YmVmY2QtODlmNS00NWI1LTllOGYtOTY0YjIzYjdmNDQwZDAyMDhlYmQtNGVjYS00MzM0LWI0OGQtZGYxNzM4ZDE1ZmU2",
    "state": "CfDJ8EzT-5PsjT5Htj2FYGOkFvypng74D54aal5fl_xHTuLrCVRVCQ7hdh7iEhwSe6bnkjRaLEH_heDufsxa6c59f0cHT-00AfhAu-4hOymVu8eIOhjcT5rDuMox5V616aTPJI7U5sYaav8Jhxn_8FS13PxXbwWCRK09stEQuo9eqNUgkaIHdIgZmvyo_wGhAD7W_kBNUvQHMLew6jfYjBFwKG6yy6io6Vo2IYlzBQCoQlX2Vs9iHRg7QNx2aXiObfhQGFht8gVh-HpeW_LbrSnlaOGyIG2bVbipE1hIx312JsmDi2aznaRSJ7awEnOVrLY74g",
    "x-client-SKU": "ID_NETSTANDARD1_4",
    "x-client-ver": "5.2.0.0"
  }
}
```
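A diagnostic check added here (example code, not part of the question) for the setup above, where AddIdentity and a second cookie scheme are both registered: AddIdentity sets the default authenticate scheme to Identity.Application, while the OIDC handler stores the SaveTokens values in the ticket of its own SignInScheme ("Cookies"), so the controller asks for the tokens by naming that scheme and, if they are still missing, reports which cookie scheme actually authenticated the request before using the access token as a bearer token. The controller name, services.AddHttpClient() being registered, and the API URL http://localhost:5001/identity are assumptions.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller added as a diagnostic; not from the question.
// Assumes the MVC Startup above (cookie scheme "Cookies", OIDC scheme "oidc",
// SaveTokens = true), services.AddHttpClient() registered, and an API at
// http://localhost:5001 (assumed URL, not from the question).
[Authorize]
public class TokenCheckController : Controller
{
    private const string CookieScheme = "Cookies";
    private const string ApiUrl = "http://localhost:5001/identity"; // assumed

    private readonly IHttpClientFactory _clients;

    public TokenCheckController(IHttpClientFactory clients) => _clients = clients;

    public async Task<IActionResult> Index()
    {
        // AddIdentity sets DefaultAuthenticateScheme to Identity.Application, so
        // a bare GetTokenAsync("access_token") reads that ticket. The OIDC handler
        // saved the tokens in its SignInScheme ticket ("Cookies"), so name it.
        var accessToken = await HttpContext.GetTokenAsync(CookieScheme, "access_token");
        var expiresAt = await HttpContext.GetTokenAsync(CookieScheme, "expires_at");

        if (string.IsNullOrEmpty(accessToken))
        {
            // Report which cookie scheme actually authenticated this request,
            // which shows where the OIDC sign-in landed.
            var cookies = await HttpContext.AuthenticateAsync(CookieScheme);
            var identity = await HttpContext.AuthenticateAsync("Identity.Application");
            return Content($"No access_token. Cookies authenticated: {cookies.Succeeded}; " +
                           $"Identity.Application authenticated: {identity.Succeeded}");
        }

        // Call the API with the saved access token as a bearer token.
        var client = _clients.CreateClient();
        client.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", accessToken);
        var response = await client.GetAsync(ApiUrl);
        var body = await response.Content.ReadAsStringAsync();

        return Content($"expires_at={expiresAt}; API {(int)response.StatusCode}: {body}");
    }
}
```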