IdentityServer4始终返回“错误”:“ invalid_scope”
我正在使用IdentityServer4(4.0.4),但是它不返回access_token,而是始终返回:"error": "invalid_scope"
仅通过添加以下代码以及Nuget包IdentityServer4(4.0.4)和IdentityServer4.EntityFramework(4.0.4),即可重新创建错误。在请求中添加“作用域”没有任何区别。
这是邮递员触发的端点:
这是我的Config类:
using IdentityServer4;
using IdentityServer4.Models;
using System.Collections.Generic;
using System.Linq;
namespace WebApplication1
{
public class Config
{
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource("ApiName", "ApiDisplayName")
};
}
public static List<IdentityResource> GetIdentityResources()
{
return new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Profile() // <-- usefull
};
}
public static IEnumerable<Client> GetClients()
{
return new[]
{
// for public api
new Client
{
ClientId = "secret_client_id",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"ApiName"
}
}
};
}
}
}
这是我的Startup班:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
namespace WebApplication1
{
public class Startup
{
// This method gets called by the runtime. Use this method to add services to the container.
// For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
public void ConfigureServices(IServiceCollection services)
{
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddOperationalStore(options =>
{
options.EnableTokenCleanup = true;
options.TokenCleanupInterval = 30; // interval in seconds
})
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients())
.AddInMemoryIdentityResources(Config.GetIdentityResources());
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseIdentityServer();
app.UseRouting();
app.UseEndpoints(endpoints =>
{
endpoints.MapGet("/", async context =>
{
await context.Response.WriteAsync("Hello World!");
});
});
}
}
}
4 个答案:
答案 0 :(得分:2)
正如@DES PRO 提到的,您需要在配置文件中添加 ApiScope,如下所示。
public static IEnumerable<ApiScope> GetApiScopes()
{
return new List<ApiScope>
{
new ApiScope(name: "ApiOne")
};
}
然后将作用域添加到 Startup.cs 类中的 ConfigureService。这回答了@raphael 的问题“Scopes 类在哪里使用?”
public void ConfigureServices(IServiceCollection services)
{
services.AddIdentityServer()
.AddInMemoryApiResources(Configuration.GetApis())
.AddInMemoryClients(Configuration.GetClients())
.AddInMemoryApiScopes(Configuration.GetApiScopes())
.AddDeveloperSigningCredential();
services.AddControllersWithViews();
}
答案 1 :(得分:1)
您必须在配置中添加ApiScope。在最新的IdentityServer4中进行了更改 就是这样:
public static IEnumerable<ApiScope> GetApiScopes()
{
return new List<ApiScope>
{
new ApiScope(name: "read", displayName: "Read your data."),
new ApiScope(name: "write", displayName: "Write your data."),
new ApiScope(name: "delete", displayName: "Delete your data."),
new ApiScope(name: "identityserverapi", displayName: "manage identityserver api endpoints.")
};
}
答案 2 :(得分:0)
您必须始终包括 openid 范围,因为这是OpenID-Connect中的必需范围。
在IdentityServer中,StandardScopes在此处定义 https://github.com/IdentityServer/IdentityServer4/blob/main/src/IdentityServer4/src/IdentityServerConstants.cs
但是实际上它只是一个字符串。因此,您可以使用“ openid”或IdentityServerConstants.StandardScopes.OpenId
答案 3 :(得分:0)
再次确认您的客户端没有查看ApiScopes配置中未配置的范围。在下面的示例中,我的客户注册正在查看“ THIS_IS_AN_INVALID_SCOPE”,但实际上ApiScopes中没有定义此范围。
public static class Scopes
{
public static IEnumerable<ApiScope> Get()
{
return new[]
{
new ApiScope("ProtectedResource.Scope1", "Access to ProtectedResource.Scope1"),
new ApiScope("ProtectedResource.Scope2", "Access to ProtectedResource.Scope2")
};
}
}
public static class Clients
{
public static IEnumerable<Client> Get()
{
return new List<Client>
{
new Client
{
ClientId = "IntegrationTests",
ClientName = "Example client application using client credentials",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets = new List<Secret> {new Secret("not_the_actual_password".Sha256())},
AllowedScopes = new List<string> {"THIS_IS_AN_INVALID_SCOPE"},
AccessTokenLifetime = 300 //5 Minutes
},
};
}
}
相关问题
最新问题
- 我写了这段代码,但我无法理解我的错误
- 我无法从一个代码实例的列表中删除 None 值,但我可以在另一个实例中。为什么它适用于一个细分市场而不适用于另一个细分市场?
- 是否有可能使 loadstring 不可能等于打印?卢阿
- java中的random.expovariate()
- Appscript 通过会议在 Google 日历中发送电子邮件和创建活动
- 为什么我的 Onclick 箭头功能在 React 中不起作用?
- 在此代码中是否有使用“this”的替代方法?
- 在 SQL Server 和 PostgreSQL 上查询,我如何从第一个表获得第二个表的可视化
- 每千个数字得到
- 更新了城市边界 KML 文件的来源?