Blazor IdentityServer 身份验证

时间:2021-01-17 17:00:06

标签: asp.net blazor identityserver4

目前我有三个独立的服务器。客户端:5001,API :5002 和 IdentityServer:5003。我可以使用 @attribute [Authorize] 验证我的 Blazor 页面,但是当我调用 API 时,我收到 401 错误。如果我将 token_id 传递给邮递员并向 API 服务器发出请求,它会进行身份验证。如果我从 Blazor 客户端发出请求,它将失败。我已将 CORS 列入白名单以排除该问题。如果我删除了 api 上的受众检查:

                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidateAudience = false
                    };

有效

客户端程序.cs

            builder.Services.AddHttpClient("api")
                .AddHttpMessageHandler(sp => 
                {
                    var handler = sp.GetService<AuthorizationMessageHandler>()
                        .ConfigureHandler(
                            authorizedUrls: new[] { "https://localhost:5002" },
                            scopes: new[] { "coredesk" });
                    return handler;
                });
            
            builder.Services.AddScoped(
                sp => sp.GetService<IHttpClientFactory>().CreateClient("api"));
            
            builder.Services.AddOidcAuthentication(options =>
            {
                builder.Configuration.Bind("oidc", options.ProviderOptions);
            });

客户端 appsettings.json

{
  "oidc": {
    "Authority": "https://localhost:5003/",
    "ClientId": "coredesk",
    "DefaultScopes": [
      "openid",
      "profile",
      "coredesk"
    ],
    "PostLogoutRedirectUri": "/",
    "ResponseType": "code"
  }
}

API Startup.cs

            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    options.Authority = "https://localhost:5003";
                    options.Audience = "coredesk";
                });

IdentityServer 配置文件

        public static IEnumerable<IdentityResource> IdentityResources =>
            new IdentityResource[]
            {
                new IdentityResources.OpenId(),
                new IdentityResources.Profile(),
            };
        
        public static IEnumerable<ApiResource> Apis =>
            new ApiResource[]
            {
                new ApiResource("coredesk", "CoreDesk API")
            };

        public static IEnumerable<ApiScope> ApiScopes =>
            new ApiScope[]
            {
                new ApiScope("coredesk"),
            };

        public static IEnumerable<Client> Clients =>
            new Client[]
            {
                new Client
                {
                    ClientId = "coredesk",
                    AllowedGrantTypes = GrantTypes.Code,
                    RequirePkce = true,
                    RequireClientSecret = false,
                    AllowedCorsOrigins = { "https://localhost:5001", "https://localhost:5002" },
                    AllowedScopes = { "openid", "profile", "coredesk" },
                    RedirectUris = { "https://localhost:5001/authentication/login-callback" },
                    PostLogoutRedirectUris = { "https://localhost:5001/" },
                    Enabled = true
                },
            };

1 个答案:

答案 0 :(得分:0)

如果您查看 AddJwtBearer 的源代码,您会发现这一部分:

                // If no authorization header found, nothing to process further
                if (string.IsNullOrEmpty(authorization))
                {
                    return AuthenticateResult.NoResult();
                }

                if (authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
                {
                    token = authorization.Substring("Bearer ".Length).Trim();
                }

                // If no token found, no further work possible
                if (string.IsNullOrEmpty(token))
                {
                    return AuthenticateResult.NoResult();
                }

这表明默认情况下(没有自定义)它需要在 Authorization 标头中提供令牌,如下所示:

GET /api/payments HTTP/1.1
Host: localhost:7001
Authorization: Bearer eyJhbGciOiJSUzI1NiIsIYwA...

为了进一步调试,我将删除授权属性,然后在其中一个操作方法中放置一个断点并检查 ClaimsPrincipal 用户对象包含的内容。

相关问题
最新问题