IdentityServer 3 id_token auto-login

Time: 2019-10-02 16:08:29

Tags: jwt access-token identityserver3

I recently (a few months ago) started on a new project, and the client asked me to implement an auto-login mechanism.

This is my first time working with IdentityServer and with the concepts of OAuth2 and OpenID (nobody at my workplace knows how it works, and it has been that way for two years). Anyway, I managed to build a workaround for the so-called auto-login they wanted, using a new clientId with the "ResourceOwner" flow. Everything works fine on the main application; the problem now is that when the user navigates to the second application, that application's login fails, and I found out it is because the id_token is missing.

I tried many ways to obtain an id_token while using ResourceOwner, to no avail. Searching online I found HERE that ResourceOwner does not return an id_token; only "Implicit" and "Authorization Code" do. I also searched online for how to make Implicit or Authorization Code work, but all I managed to find was code for IdentityServer 4, or, for IdentityServer 3, only the code used in the project's Startup.Auth.cs class.

1 - This is the configured client:

new Client
{
    ClientName = "Auto Login",
    ClientId = "autoLogin",
    Flow = Flows.ResourceOwner,
    Enabled = true,
    AccessTokenType = AccessTokenType.Reference,
    AccessTokenLifetime = 86400, 
    ClientSecrets = new List<Secret>
    {
        new Secret("wontSayIt".Sha256())
    },
    AllowedScopes = new List<string>
    {
        "openid",
        "profile",
        "roles",
        "sso.api",
        "portal.accesstoken",
        "portal.identitytoken",
        StandardScopes.OfflineAccess.Name
    },
    RefreshTokenUsage = TokenUsage.OneTimeOnly,
    RefreshTokenExpiration = TokenExpiration.Absolute,
    UpdateAccessTokenClaimsOnRefresh = true,
    PrefixClientClaims = false
},

2 - This is the code I use to get the access_token and refresh_token:

TokenClient client = new TokenClient(SSOTokenEndpoint, clientId, clientSecret);
Task<TokenResponse> tokenResponseResult = client.RequestResourceOwnerPasswordAsync(userEmail, userPassword, scope);
TokenResponse tokenResponse = tokenResponseResult.Result;

3 - After step 2 I can get the access_token and the userinfo, and then log in as ResourceOwner.

NOTE: When using the "normal" login on the main application (entering username and email on the login screen), all the other applications work fine, but when using this "auto-login" feature the main application works while all the other applications fail; by checking the logs I found that they get subjectId = unknown.

Here is the response log when entering the second application after a "normal" login:

w3wp.exe Information: 0 : 2019-10-02 14:41:33.825 +01:00 [Information] "Authorize request validation success"
 "{
  \"ClientId\": \"webAppSecondary\",
  \"ClientName\": \"web App Secondary\",
  \"RedirectUri\": \"https://localhost:44391/externallogincallback\",
  \"AllowedRedirectUris\": [
    \"https://localhost:44391/externallogincallback\"
  ],
  \"SubjectId\": \"0b5ee3c1-a372-4e36-b49f-67c775cbb7cd\",
  \"ResponseType\": \"id_token\",
  \"ResponseMode\": \"fragment\",
  \"Flow\": \"Implicit\",
  \"RequestedScopes\": \"openid\",
  \"State\": \"7d1a0179daff43a484f18373f77bff53\",
  \"Nonce\": \"d726f7aabc5a47188572abf9fb700c2d\",
  \"PromptMode\": \"none\",
  \"SessionId\": \"4b2fcfdb509683d4902cc4096427e2d9\",
  \"Raw\": {
    \"client_id\": \"webAppSecondary\",
    \"redirect_uri\": \"https://localhost:44391/externallogincallback\",
    \"response_type\": \"id_token\",
    \"scope\": \"openid\",
    \"state\": \"7d1a0179daff43a484f18373f77bff53\",
    \"nonce\": \"d726f7aabc5a47188572abf9fb700c2d\",
    \"prompt\": \"none\"
  }
}"
w3wp.exe Information: 0 : 2019-10-02 14:41:34.001 +01:00 [Information] Creating Implicit Flow response.
2019-10-02 14:41:34.004 +01:00 [Debug] Creating identity token
w3wp.exe Information: 0 : 2019-10-02 14:41:34.005 +01:00 [Information] Getting claims for identity token for subject: 0b5ee3c1-a372-4e36-b49f-67c775cbb7cd
2019-10-02 14:41:34.268 +01:00 [Debug] Creating JWT identity token
2019-10-02 14:41:34.277 +01:00 [Debug] Adding client "webAppSecondary" to client list cookie for subject "0b5ee3c1-a372-4e36-b49f-67c775cbb7cd"

Here is the response log when entering the second application after the "auto-login":

w3wp.exe Information: 0 : 2019-10-02 14:44:52.871 +01:00 [Information] "Authorize request validation success"
 "{
  \"ClientId\": \"webAppSecondary\",
  \"ClientName\": \"web App Secondary\",
  \"RedirectUri\": \"https://localhost:44391/externallogincallback\",
  \"AllowedRedirectUris\": [
    \"https://localhost:44391/externallogincallback\"
  ],
  \"SubjectId\": \"unknown\",
  \"ResponseType\": \"id_token\",
  \"ResponseMode\": \"fragment\",
  \"Flow\": \"Implicit\",
  \"RequestedScopes\": \"openid\",
  \"State\": \"d08713eedca74d1b9f5904f15a4fc154\",
  \"Nonce\": \"7e961d2c9f4a4eb9b19f510b0ab4d2b2\",
  \"PromptMode\": \"none\",
  \"Raw\": {
    \"client_id\": \"webAppSecondary\",
    \"redirect_uri\": \"https://localhost:44391/externallogincallback\",
    \"response_type\": \"id_token\",
    \"scope\": \"openid\",
    \"state\": \"d08713eedca74d1b9f5904f15a4fc154\",
    \"nonce\": \"7e961d2c9f4a4eb9b19f510b0ab4d2b2\",
    \"prompt\": \"none\"
  }
}"
w3wp.exe Information: 0 : 2019-10-02 14:44:52.878 +01:00 [Information] User is not authenticated. Redirecting to login.
w3wp.exe Information: 0 : 2019-10-02 14:44:52.880 +01:00 [Information] prompt=none was requested. But user is not authenticated.
w3wp.exe Information: 0 : 2019-10-02 14:44:52.887 +01:00 [Information] End authorize request
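The two logs above differ in one thing: the "normal" login request carries a SessionId and a real SubjectId, while the "auto-login" request has no SessionId at all and SubjectId "unknown", which is why IdentityServer answers the prompt=none request with "User is not authenticated". That is consistent with how the resource owner password grant works: it is a back-channel call to the token endpoint and never sets IdentityServer's own authentication cookie in the browser, so a later silent (prompt=none) implicit request from another client has no session to find. The following Python script is an added example, not code from the question's author or from the IdentityServer project: it parses the Serilog-style request dump that IdentityServer3 writes on "Authorize request validation success" and flags silent authorize requests that arrive without a session. The sample input is trimmed from the logs quoted above; the verdict labels ("sso-ok", "no-idsrv-session") are my own.

```python
import json
import re

# Constructed sample input: trimmed copies of the two IdentityServer3 log excerpts
# quoted in the question. Serilog renders the validated request as a quoted JSON
# string with escaped inner quotes, which the parser below has to undo.
NORMAL_LOGIN_LOG = r'''w3wp.exe Information: 0 : 2019-10-02 14:41:33.825 +01:00 [Information] "Authorize request validation success"
 "{
  \"ClientId\": \"webAppSecondary\",
  \"SubjectId\": \"0b5ee3c1-a372-4e36-b49f-67c775cbb7cd\",
  \"ResponseType\": \"id_token\",
  \"Flow\": \"Implicit\",
  \"RequestedScopes\": \"openid\",
  \"PromptMode\": \"none\",
  \"SessionId\": \"4b2fcfdb509683d4902cc4096427e2d9\",
  \"Raw\": {
    \"client_id\": \"webAppSecondary\",
    \"prompt\": \"none\"
  }
}"
w3wp.exe Information: 0 : 2019-10-02 14:41:34.001 +01:00 [Information] Creating Implicit Flow response.
2019-10-02 14:41:34.004 +01:00 [Debug] Creating identity token
'''

AUTO_LOGIN_LOG = r'''w3wp.exe Information: 0 : 2019-10-02 14:44:52.871 +01:00 [Information] "Authorize request validation success"
 "{
  \"ClientId\": \"webAppSecondary\",
  \"SubjectId\": \"unknown\",
  \"ResponseType\": \"id_token\",
  \"Flow\": \"Implicit\",
  \"RequestedScopes\": \"openid\",
  \"PromptMode\": \"none\",
  \"Raw\": {
    \"client_id\": \"webAppSecondary\",
    \"prompt\": \"none\"
  }
}"
w3wp.exe Information: 0 : 2019-10-02 14:44:52.878 +01:00 [Information] User is not authenticated. Redirecting to login.
w3wp.exe Information: 0 : 2019-10-02 14:44:52.880 +01:00 [Information] prompt=none was requested. But user is not authenticated.
w3wp.exe Information: 0 : 2019-10-02 14:44:52.887 +01:00 [Information] End authorize request
'''

# One validated authorize request: the header line, then the escaped JSON blob
# up to the closing `}"` (DOTALL so the blob may span several lines).
AUTHZ_RE = re.compile(
    r'"Authorize request validation success"\s*"(\{.*?\})"', re.DOTALL)


def parse_authorize_requests(log_text):
    """Yield (request_dict, following_text) for each validated authorize request."""
    matches = list(AUTHZ_RE.finditer(log_text))
    for i, m in enumerate(matches):
        # Undo Serilog's quote escaping and parse the request object.
        request = json.loads(m.group(1).replace('\\"', '"'))
        # The lines that follow, up to the next authorize request, hold the outcome.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(log_text)
        yield request, log_text[m.end():end]


def classify_authorize_requests(log_text):
    """Label each authorize request as an SSO success or a silent-auth failure."""
    results = []
    for request, outcome in parse_authorize_requests(log_text):
        silent = request.get("PromptMode") == "none"
        subject_known = request.get("SubjectId", "unknown") != "unknown"
        has_session = bool(request.get("SessionId"))
        token_issued = "Creating Implicit Flow response" in outcome
        login_required = "User is not authenticated" in outcome

        if token_issued and subject_known and has_session:
            verdict = "sso-ok"            # browser session present, id_token issued
        elif silent and not subject_known and login_required:
            verdict = "no-idsrv-session"  # silent auth attempted without a session
        else:
            verdict = "other"

        results.append({
            "client_id": request.get("ClientId"),
            "subject_id": request.get("SubjectId"),
            "silent": silent,
            "has_session": has_session,
            "verdict": verdict,
        })
    return results


if __name__ == "__main__":
    for entry in classify_authorize_requests(NORMAL_LOGIN_LOG + AUTO_LOGIN_LOG):
        print(entry)
```

Run against a real IdentityServer3 log, a burst of "no-idsrv-session" verdicts for a client that expects silent SSO is the signature of this exact setup: tokens issued over the back channel, but no browser session at the identity provider for the other applications to reuse.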

0 answers:

No answers