授权服务器不支持使用此方法获取令牌

时间:2019-07-25 20:42:57

标签: oauth oauth-2.0 authorization single-sign-on token

我将ORY Hydra用作授权服务器,并且尝试在调用授权端点时获取id_token和access_token。

这是创建我的客户的方式

docker run --rm oryd/hydra clients create --audience my-aud -c http://localhost:3000 -g implicit --id test_token -n "Test getting an id_token" -a api,offline,openid -r id_token,token --token-endpoint-auth-method client_secret_post --endpoint http://10.1.0.147:4445

现在,如果我使用response_type = token呼叫客户,那么我只能在响应中获取访问令牌

http://localhost:4444/oauth2/auth?client_id=test_token&login_verifier=dfb81eed26cf46f2832701f478c90d38&nonce=t12123421342313&provider=test&redirect_uri=http%3A%2F%2Flocalhost%3A3000&response_type=token&scope=api+openid+offline&state=xkm6tilq8ol7toxrib4ipxj6rckeen8kf

我得到答复

#access_token=eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzpmNTNhODI5Yi0wODFiLTQyMWItOTY3MS1kZWVkOGJlMTIxYzkiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiYXVkLWFwaSJdLCJjbGllbnRfaWQiOiJjb3JldGVjaF9jbGllbnQiLCJleHAiOjE1NjQwOTA3NDUsImV4dCI6eyJzdWJfaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL21hc3RlciJ9LCJpYXQiOjE1NjQwODcxNDUsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NDQ0NC8iLCJqdGkiOiJmZTA3Y2JjMC00Y2FiLTRkNjktYmNlYS05MzRhNzNhOTkxMzYiLCJuYmYiOjE1NjQwODcxNDUsInNjcCI6WyJhcGlfc2NvcGUiXSwic3ViIjoiOTU3ZTA4ZjYtZTgyMy00ZTBjLThkODAtZDU3NTM2NmNhYTgxIn0.r97Vp_tmVOMpar3OSiOhNEI6PxzLoKtHE6CEezVsteamf7_qOhP6pbIvW91D8EZutGUuG4sxaDpunNv22R9hVyIGqVHqssAPLk5k7f00_UNp4ZuSswHqPj7L1O2JOp6zx-Ybrs_XTy3qaH9Yt-ofB35Y95DTyIabTIbuCyz2q24soWbf7j3yhseU6OJYq66qnw2PyhhskUKlLiaWcapioH4vnKJwg2aq1G_NKTGnuM3-w7XjR0TWVUBk9UDYDl4yo_eZJ5gA71ew6g44eO-ubdpjS1ITbsS5Dda8-R8jvmooHnr8uS3yJ5vATnwgNMfSEwBMEvodeWLloj9w0pDUaj8-9X6MDDxXMitBYjRgMulQUc2J-bkZM0_I0V6gyrj2NY_T3wDR6vbDvGG9n2J-KRbzIp1UE3c_LOfeUyW0xNEksBTJkFBIcS5BY0L_PE8rdGeyJ9iHEIBpWYA7MZKymu2-o9qoBa_kTzMTKj_v98c_BEnnKs7-F1WqecO-YP6pPKX9rTBQhe-pf4iC4yeObngkPIcJE5j_TQlTyUwyW5LZJN2xJglGugeuAdS2LMh0MNuaeaFGttOobOS2pUaIbgdvKxV2oV3fxWPh5h8a7iEsJC4VD75CApQIc5l6EeMaHRLN2mAIodRP-Mae6ht9556X4ghloZ50v-WczGAvq3I&expires_in=3599&scope=api&state=n3vxns17tfx7xpkkm5v9dw0bb6565s8&token_type=bearer

但是,如果我现在在授权端点参数中包括id_token 

http://localhost:4444/oauth2/auth?client_id=test_token&login_verifier=dfb81eed26cf46f2832701f478c90d38&nonce=t12123421342313&provider=test&redirect_uri=http%3A%2F%2Flocalhost%3A3000&response_type=id_token&scope=api+openid+offline&state=xkm6tilq8ol7toxrib4ipxj6rckeen8kf

同意后,出现以下错误

?error=unsupported_response_type&error_description=The+authorization+server+does+not+support+obtaining+a+token+using+this+method&state=k3g94uqdy5ippyakeohsrwkpkrm1uh

我在这里做错了什么?

1 个答案:

答案 0 :(得分:0)

error = unsupported_response_type

这意味着ory / hydra Openid Connect提供程序不支持您请求的响应类型。

并仅检查其GIT repositoryit is certified是否有以下个人资料,

  

以下OpenID配置文件已通过认证:

     
      
  • 基本OpenID提供程序(响应类型代码)
    •   
  • 隐式OpenID提供程序(响应类型为id_token,id_token + token)
    •   
  • 混合OpenID提供程序(响应类型为code + id_token,code + id_token + token,code + token)
    •   

因此,您需要相应地更改响应类型以匹配其支持的内容。

无论如何,请注意隐式和混合流。尽管它们是由OpenID Connect规范定义的,但不建议使用它们。取而代之的是使用授权码流程(按照上述说明,使用基本的openid提供程序。)

相关问题
最新问题