我在身份服务器4中使用OIDC客户端JS并做出反应,不断收到错误
public static IEnumerable<Client> GetClients()
{
// client credentials client
return new List<Client>
{
new Client
{
ClientId = "Local",
//ClientName = "Local",
AllowedCorsOrigins = new List<string> { "http://localhost:4200","https://localhost:4200" },
AllowedGrantTypes = GrantTypes.Code,
AllowAccessTokensViaBrowser = true,
AccessTokenLifetime=86400,
RequireConsent = false,
UpdateAccessTokenClaimsOnRefresh = true,
RedirectUris = LocalRedirectUris(),
PostLogoutRedirectUris = LocalRedirectUris(),
AllowedScopes = AllowedScopes(),
AllowOfflineAccess = true,
}
};
}
关于授权代码流,
Oidc设置
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token
info: IdentityServer4.Events.DefaultEventService[0]
{
"Name": "Client Authentication Failure",
"Category": "Authentication",
"EventType": "Failure",
"Id": 1011,
"ClientId": "Local",
"Message": "Invalid client secret",
"ActivityId": "0HLVQDNPJELVT:00000015",
"TimeStamp": "2020-05-17T14:26:15Z",
"ProcessId": 11600,
"LocalIpAddress": "::1:5001",
"RemoteIpAddress": "::1"
}
fail: IdentityServer4.Validation.ClientSecretValidator[0]
Client secret validation failed for client: Local.
Identity Server 4配置
Content-Type: application/x-www-form-urlencoded
从Identity Server登录
client_id: Local
code: Pu5XVqWcaOavZYWOJqy07gHU7WYJ3aCQ_NBkpzszLnA
redirect_uri: https%3A%2F%2Flocalhost%3A5001%2Fauth-callback
code_verifier: 7985598b08fe49c49c37e3ef9e909295aeacc16b1b904e8990d7438cc60edb377bd31ee6d466489bbde9c75170470048
grant_type: authorization_code
在https://localhost:5001/connect/token上收到400个错误的请求
id
FORM-DATA
degree
答案 0 :(得分:2)
您根本不会对基于JavaScript的单页应用程序(SPA)(例如React)使用“客户端机密”。这是因为无法信任这些基于浏览器的应用程序以安全地保密。 SPA的推荐方法是使用PKCE的授权码流(非隐式)。您应该考虑实现这一目标。
编辑:为此,您需要在客户端设置中将RequireClientSecret = false和RequirePkce = true设置。