I recently (a few months ago) started working on a new project where the client asked me to implement an automatic login mechanism.
This is my first time working with IdentityServer and with the concepts of OAuth2 and OpenID (nobody where I work knows how it works, and it has been that way for two years). Anyway, I managed to create a workaround to implement what they want, the so-called auto login, using a new clientId with the "ResourceOwner" flow. Everything works fine on the main application; the problem now is that when the user navigates to the second application, that application's login fails, and I found out that this is because the id_token is missing.
I have tried a lot of things to obtain the id_token while using ResourceOwner, to no avail. Searching the web I found HERE that ResourceOwner does not return an id_token, only "Implicit" and "Authorization Code" do. I also searched the web for how to make Implicit or Authorization Code work, but all I managed to find was code for IdentityServer4, or, for IdentityServer3, only the code used in the project's Startup.Auth.cs class.
1 - This is the configured client:
    // IdentityServer3 client definition (types from IdentityServer3.Core.Models);
    // the trailing comma is because it sits in the list of registered clients
    new Client
    {
        ClientName = "Auto Login",
        ClientId = "autoLogin",
        Flow = Flows.ResourceOwner,              // resource owner password grant used for the "auto login"
        Enabled = true,
        AccessTokenType = AccessTokenType.Reference,
        AccessTokenLifetime = 86400,             // seconds (24 hours)
        ClientSecrets = new List<Secret>
        {
            new Secret("wontSayIt".Sha256())
        },
        AllowedScopes = new List<string>
        {
            "openid",
            "profile",
            "roles",
            "sso.api",
            "portal.accesstoken",
            "portal.identitytoken",
            StandardScopes.OfflineAccess.Name    // "offline_access", needed for the refresh_token
        },
        RefreshTokenUsage = TokenUsage.OneTimeOnly,
        RefreshTokenExpiration = TokenExpiration.Absolute,
        UpdateAccessTokenClaimsOnRefresh = true,
        PrefixClientClaims = false
    },
2 - This is the code I use to obtain the access_token and refresh_token:
    // IdentityModel's TokenClient, pointed at the IdentityServer3 token endpoint
    TokenClient client = new TokenClient(SSOTokenEndpoint, clientId, clientSecret);
    // Resource owner password grant: the user's credentials go straight to the token endpoint
    Task<TokenResponse> tokenResponseResult = client.RequestResourceOwnerPasswordAsync(userEmail, userPassword, scope);
    TokenResponse tokenResponse = tokenResponseResult.Result;   // blocks on the async call
3 - After step 2 I can get the access_token and the userinfo, and then log in as ResourceOwner.
NOTE: when using the "normal" login on the main application (entering username and e-mail on the login screen), all the other applications work fine, whereas when using this "auto login" feature, the main application works but all the other applications fail; by checking the logs I found that they get subjectId = unknown.
Below is the response log when entering the second application after the "normal" login:
w3wp.exe Information: 0 : 2019-10-02 14:41:33.825 +01:00 [Information] "Authorize request validation success"
"{
\"ClientId\": \"webAppSecondary\",
\"ClientName\": \"web App Secondary\",
\"RedirectUri\": \"https://localhost:44391/externallogincallback\",
\"AllowedRedirectUris\": [
\"https://localhost:44391/externallogincallback\"
],
\"SubjectId\": \"0b5ee3c1-a372-4e36-b49f-67c775cbb7cd\",
\"ResponseType\": \"id_token\",
\"ResponseMode\": \"fragment\",
\"Flow\": \"Implicit\",
\"RequestedScopes\": \"openid\",
\"State\": \"7d1a0179daff43a484f18373f77bff53\",
\"Nonce\": \"d726f7aabc5a47188572abf9fb700c2d\",
\"PromptMode\": \"none\",
\"SessionId\": \"4b2fcfdb509683d4902cc4096427e2d9\",
\"Raw\": {
\"client_id\": \"webAppSecondary\",
\"redirect_uri\": \"https://localhost:44391/externallogincallback\",
\"response_type\": \"id_token\",
\"scope\": \"openid\",
\"state\": \"7d1a0179daff43a484f18373f77bff53\",
\"nonce\": \"d726f7aabc5a47188572abf9fb700c2d\",
\"prompt\": \"none\"
}
}"
w3wp.exe Information: 0 : 2019-10-02 14:41:34.001 +01:00 [Information] Creating Implicit Flow response.
2019-10-02 14:41:34.004 +01:00 [Debug] Creating identity token
w3wp.exe Information: 0 : 2019-10-02 14:41:34.005 +01:00 [Information] Getting claims for identity token for subject: 0b5ee3c1-a372-4e36-b49f-67c775cbb7cd
2019-10-02 14:41:34.268 +01:00 [Debug] Creating JWT identity token
2019-10-02 14:41:34.277 +01:00 [Debug] Adding client "webAppSecondary" to client list cookie for subject "0b5ee3c1-a372-4e36-b49f-67c775cbb7cd"
And this is the response log when entering the second application after the "auto login":
w3wp.exe Information: 0 : 2019-10-02 14:44:52.871 +01:00 [Information] "Authorize request validation success"
"{
\"ClientId\": \"webAppSecondary\",
\"ClientName\": \"web App Secondary\",
\"RedirectUri\": \"https://localhost:44391/externallogincallback\",
\"AllowedRedirectUris\": [
\"https://localhost:44391/externallogincallback\"
],
\"SubjectId\": \"unknown\",
\"ResponseType\": \"id_token\",
\"ResponseMode\": \"fragment\",
\"Flow\": \"Implicit\",
\"RequestedScopes\": \"openid\",
\"State\": \"d08713eedca74d1b9f5904f15a4fc154\",
\"Nonce\": \"7e961d2c9f4a4eb9b19f510b0ab4d2b2\",
\"PromptMode\": \"none\",
\"Raw\": {
\"client_id\": \"webAppSecondary\",
\"redirect_uri\": \"https://localhost:44391/externallogincallback\",
\"response_type\": \"id_token\",
\"scope\": \"openid\",
\"state\": \"d08713eedca74d1b9f5904f15a4fc154\",
\"nonce\": \"7e961d2c9f4a4eb9b19f510b0ab4d2b2\",
\"prompt\": \"none\"
}
}"
w3wp.exe Information: 0 : 2019-10-02 14:44:52.878 +01:00 [Information] User is not authenticated. Redirecting to login.
w3wp.exe Information: 0 : 2019-10-02 14:44:52.880 +01:00 [Information] prompt=none was requested. But user is not authenticated.
w3wp.exe Information: 0 : 2019-10-02 14:44:52.887 +01:00 [Information] End authorize request
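Added example (not from the question, and not IdentityServer code): a small Python check that pulls the "Authorize request validation success" summaries out of an IdentityServer3 log and flags prompt=none requests that reached the IdP with SubjectId "unknown", which is exactly the difference between the two log excerpts above. The sample log is constructed from trimmed copies of those excerpts; the regex assumes the summary is logged as a quoted, backslash-escaped JSON string right after that message, as in the excerpts.

```python
import json
import re

# Constructed sample: trimmed copies of the two IdentityServer3 log excerpts above.
SAMPLE_LOG = r'''
w3wp.exe Information: 0 : 2019-10-02 14:41:33.825 +01:00 [Information] "Authorize request validation success"
"{
\"ClientId\": \"webAppSecondary\",
\"SubjectId\": \"0b5ee3c1-a372-4e36-b49f-67c775cbb7cd\",
\"Flow\": \"Implicit\",
\"PromptMode\": \"none\",
\"SessionId\": \"4b2fcfdb509683d4902cc4096427e2d9\",
\"Raw\": {
\"client_id\": \"webAppSecondary\",
\"prompt\": \"none\"
}
}"
w3wp.exe Information: 0 : 2019-10-02 14:44:52.871 +01:00 [Information] "Authorize request validation success"
"{
\"ClientId\": \"webAppSecondary\",
\"SubjectId\": \"unknown\",
\"Flow\": \"Implicit\",
\"PromptMode\": \"none\"
}"
w3wp.exe Information: 0 : 2019-10-02 14:44:52.880 +01:00 [Information] prompt=none was requested. But user is not authenticated.
'''

# The summary is written as a quoted JSON string with escaped inner quotes on the
# lines after the "Authorize request validation success" message.
AUTHZ_RE = re.compile(r'"Authorize request validation success"\s*"(\{.*?\})"', re.DOTALL)

def parse_authorize_requests(log_text):
    """Return every logged authorize-request summary as a dict (nested Raw included)."""
    return [json.loads(m.group(1).replace('\\"', '"')) for m in AUTHZ_RE.finditer(log_text)]

def silent_sso_failures(requests):
    """Requests that asked for prompt=none but arrived at the IdP with no user session.

    SubjectId "unknown" (and no SessionId) means the browser carried no IdP login
    cookie: tokens obtained at the token endpoint with the ResourceOwner grant do
    not create a browser session, so a second app's silent request gets no id_token.
    """
    return [r for r in requests
            if r.get("PromptMode") == "none" and r.get("SubjectId", "unknown") == "unknown"]

if __name__ == "__main__":
    for r in silent_sso_failures(parse_authorize_requests(SAMPLE_LOG)):
        print(f'silent SSO failed for client {r["ClientId"]}: SubjectId={r["SubjectId"]}')
```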