OIDC /身份4-遇到意外的401错误

时间:2019-04-22 02:52:49

标签: angular identityserver4 oidc

这是我的基本设计: 使用OIDC Javascript库实现安全性的Angular 7前端 适用于所有数据层工作的.NET Core v2 API 用于OAuth的.NET Core Identity 4服务器(与API分开的服务器)

我收到许多意外的401错误。这些不应该发生,用户已授权,我可以在日志中看到该用户已授权。因此,我只能认为这一定是时序问题或设置问题。安全在大多数情况下都有效,可以说有90%到95%的时间可以正常工作,因此我的基本设置很好。除了计时问题外,我不知道该怎么办。

这是我的OIDC配置:

    const config = {
    clockSkew: 60*60*24*365*100,    // Effectively disable clock skew
    authority: Endpoint.STSAuthority,
    client_id: Constants.clientKey,
    redirect_uri: `${location.protocol}//${location.host}/assets/loginRedirect.html`,
    scope: `openid profile ${Constants.apiKey} `,
    response_type: 'id_token token',
    post_logout_redirect_uri: `${location.protocol}//${location.host}/assets/logoutRedirect.html`,
    userStore: new WebStorageStateStore({ store: window.localStorage }),
    automaticSilentRenew: true,
    staleStateAge: 60 * 60,        // 60 minutes
    accessTokenExpiringNotificationTime: 60 * 2,    // 2 minutes
    silent_redirect_uri: `${location.protocol}//${location.host}/assets/silentRedirect.html`
    };

这是我的STS配置:

    new Client
    {
    ClientId = $"Example-STS-{this._programSettings.Site}",
    ClientName = $"Example {this._programSettings.Site} STS",
    AllowedGrantTypes = GrantTypes.Implicit,
    AllowAccessTokensViaBrowser = true,
    RequireConsent = false,
    RedirectUris = this._securitySection.RedirectUris,
    PostLogoutRedirectUris = this._securitySection.PostLogoutRedirectUris,
    AllowedCorsOrigins = new List<string> { this._securitySection.AllowFrom },
    AllowedScopes =
    {
    IdentityServerConstants.StandardScopes.OpenId,
    IdentityServerConstants.StandardScopes.Profile,
    $"Example-API-{this._programSettings.Site}"
    },
    IdentityTokenLifetime=60*30,  // 30 minutes
    AccessTokenLifetime=60*60*2,  // 2 hours
    }

这是我的OIDC对象在401未经授权时的转储(个人信息已删除):

    User: {
    "_settings": {
        "_response_type": "id_token",
        "_scope": "openid",
        "_filterProtocolClaims": true,
        "_loadUserInfo": true,
        "_staleStateAge": 900,
        "_clockSkew": 3153600000,
        "_userInfoJwtIssuer": "OP",
        "_stateStore": {
            "_store": {
                "authContext": {
                    "loginKey": "68F7AD86DE3B427C98B02DF1BE7D9959",
                    "id": "5d77965b-e874-45e1-bb1f-08a6eaf2e773"
                },
                "oidc.b0add291aa304938b8246800c7729912": {
                    "id": "b0add291aa304938b8246800c7729912",
                    "created": 1555734037,
                    "nonce": "5476718e1373406bab9e452b8f9dbf31",
                    "redirect_uri": "https://www.example.com/assets/silentRedirect.html",
                    "authority": "https://prodsts.example.com:4252/",
                    "client_id": "example-STS-Prod"
                },
                "oidc.user:https://prodsts.example.com:4252/:example-STS-Prod": {
                    "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjhhZjhkODA0ZGNlNWI3NjZjODZlZTJmZjRhYzY4YWMwIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1NTU3MjUwNzIsImV4cCI6MTU1NTcyNjg3MiwiaXNzIjoiaHR0cHM6Ly9wcm9kc3RzLmJvb21lcmFuZ2RtLmNvbTo0MjUyIiwiYXVkIjoiQm9vbWVyYW5nRE0tU1RTLVByb2QiLCJub25jZSI6IjdjMDE2ZWJiZWJlYzRiNjg5Y2U5NTMwOTkyYmQxMGI3IiwiaWF0IjoxNTU1NzI1MDcyLCJhdF9oYXNoIjoid3p4LTQtRlhFNnJOSkQ1ZjI3M1BTUSIsInNpZCI6ImM2ZWVjZTg4NmQ1NGFhZTY2YmYxOWYwNDk4NTljMjhiIiwic3ViIjoiNWQ3Nzk2NWItZTg3NC00NWUxLWJiMWYtMDhhNmVhZjJlNzczIiwiYXV0aF90aW1lIjoxNTU1NjkxNTQ0LCJpZHAiOiJsb2NhbCIsImFtciI6WyJwd2QiXX0.fBdgtLfWwnlLoi-T21c2VP2Wqt2fHo6l3eV_FKiXpyqrpdzAxqxOintXec-SJK1LwChMdy966xCFlVYp6jm5XwTfTPBPshNYeBPx9O0QOA0JYL33LvMGmgl4igV_wTscIPq6qnBpd75nagSvWT-IZgByxSygmh-JIuBQVqJPOpneoZCtLaeaVIyNzxLbCozc_pEc-kVqHGRbYEmDxU5mGdCdaKjAi0dCfJ3D3mDN8joQfwtK8PEuCKa5CPMgymkRAEJpfTY39DklLurUNyBKA9fJ6J95ys1dF3McgqEwdOZv37s2IialwpeYXOsFPlwpOh9_cvV5dS2wDav9H56pqA",
                    "session_state": "UCh5OQis7ikprYhHbUpjeS0GVMQ4S8XD2OrzA0Am4wU.0bd43c3337b6dc18bc7e7020f1f6ecb8",
                    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjhhZjhkODA0ZGNlNWI3NjZjODZlZTJmZjRhYzY4YWMwIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1NTU3MjUwNzIsImV4cCI6MTU1NTcyODY3MiwiaXNzIjoiaHR0cHM6Ly9wcm9kc3RzLmJvb21lcmFuZ2RtLmNvbTo0MjUyIiwiYXVkIjpbImh0dHBzOi8vcHJvZHN0cy5ib29tZXJhbmdkbS5jb206NDI1Mi9yZXNvdXJjZXMiLCJCb29tZXJhbmdETS1BUEktUHJvZCJdLCJjbGllbnRfaWQiOiJCb29tZXJhbmdETS1TVFMtUHJvZCIsInN1YiI6IjVkNzc5NjViLWU4NzQtNDVlMS1iYjFmLTA4YTZlYWYyZTc3MyIsImF1dGhfdGltZSI6MTU1NTY5MTU0NCwiaWRwIjoibG9jYWwiLCJBc3BOZXQuSWRlbnRpdHkuU2VjdXJpdHlTdGFtcCI6IkgyR1BFV0tBSFZZVlFNNkhHT1dYQVVITVVaUFJNTjVHIiwiQm9vbWVyYW5nSWQiOiIxMjY3OSIsInJvbGUiOiJTdWJzY3JpYmVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiRXJpY1NlbGxzVmVnYXNMaXN0aW5ncy5Db20iLCJuYW1lIjoiRXJpY1NlbGxzVmVnYXNMaXN0aW5ncy5Db20iLCJlbWFpbCI6IkVyaWNTZWxsc1ZlZ2FzTGlzdGluZ3NAR21haWwuQ29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJzY29wZSI6WyJvcGVuaWQiLCJwcm9maWxlIiwiQm9vbWVyYW5nRE0tQVBJLVByb2QiXSwiYW1yIjpbInB3ZCJdfQ.sA0ST_9pka0jqlG7P1gAguGUm2mQ--swVP7cRJ9vC6eFYhW1bkQXEkdF0NkA9Ks0olOkERlwqN6etLfO7rB01RtugDOLzcr9OJgw7ScgaGDlS7oVH0R_ElEXLoE9iPqUfH2fQpV-CtIyGBC3Ceapvv0OqZUZgGkpZR_bRTUfOKCGdfSa1syESeoW5-JhL_8-AhLBRjH8jILMk5iUAkGgPkMtvRp3qudvhpLmp1Ya_l9-QO192P3bMifrqj7ABCzjucffiuNrApalWTCv_K7HbdMXWMwuF6mGjLO75GwsGMMHl7vAl6sGu7N1HaWRRTVViQb_YiwxgqJhlJ1zRxvQnQ",
                    "token_type": "Bearer",
                    "scope": "openid profile example-API-Prod",
                    "profile": {
                        "sid": "c6eece886d54aae66bf19f049859c28b",
                        "sub": "5d77965b-e874-45e1-bb1f-08a6eaf2e773",
                        "auth_time": 1555691544,
                        "idp": "local",
                        "amr": [
                            "pwd"
                        ],
                        "AspNet.Identity.SecurityStamp": "H2GPEWKAHVYVQM6HGOWXAUHMUZPRMN5G",
                        "ExampleId": "12679",
                    },
                    "expires_at": 1555728667
                }
            },
            "_prefix": "oidc."
        },

1 个答案:

答案 0 :(得分:2)

我认为您一定会在ClockSkew上遇到问题:

clockSkew: 60*60*24*365*100,    // Effectively disable clock skew

时钟偏斜的值应在令牌到期后的几分钟内,因为它仅用于说明异步时钟。

当您拥有一个具有两个小时的生命周期和100年的时滞的访问令牌时,您会期望什么?用户应该经过多长时间的认证?

我可以想象在令牌到期后的某个时候令牌会被拒绝。

您应该将时钟偏移设置为五分钟(默认)或更短时间,并且可能使用refresh tokens