【发布时间】:2021-06-18 08:45:16
【问题描述】:
基于 OpenIddict 的身份服务器在其自己的 [Authorized] 控制器中验证令牌,但在通过 /introspect 端点从另一个资源服务器访问时拒绝令牌。
在开发机器上一切正常。将服务部署到 Linux 服务器后会发生这种情况,其中服务托管在同一台机器的不同端口上。
这是我的日志中的实际异常:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'System.String'. Did not match: validationParameters.ValidIssuer: 'System.String' or validationParameters.ValidIssuers: 'System.String'.
设置与此类似: https://github.com/openiddict/openiddict-samples/blob/dev/samples/Zirku/Zirku.Server/Startup.cs
这是我的 openiddict 设置:
services.AddOpenIddict()
.AddCore(options =>
{
// Configure OpenIddict to use the Entity Framework Core stores and models.
// Note: call ReplaceDefaultEntities() to replace the default OpenIddict entities.
options.UseEntityFrameworkCore()
.UseDbContext<ApplicationDbContext>();
}).AddServer(options =>
{
// Enable the authorization, logout, token and userinfo endpoints.
options.SetAuthorizationEndpointUris("/connect/authorize")
.SetLogoutEndpointUris("/connect/logout")
.SetTokenEndpointUris("/connect/token")
.SetIntrospectionEndpointUris("/connect/introspect")
.SetUserinfoEndpointUris("/connect/userinfo");
// Mark the "email", "profile" and "roles" scopes as supported scopes.
options.RegisterScopes(OpenIddictConstants.Scopes.Email, OpenIddictConstants.Scopes.Profile,
OpenIddictConstants.Scopes.Roles);
// Note: this sample only uses the authorization code flow but you can enable
// the other flows if you need to support implicit, password or client credentials.
options.AllowAuthorizationCodeFlow().RequireProofKeyForCodeExchange();
options.AllowClientCredentialsFlow();
options.AllowPasswordFlow();
options.AllowRefreshTokenFlow();
// Register the signing and encryption credentials.
options.AddDevelopmentEncryptionCertificate();
// .AddDevelopmentSigningCertificate();
// Encryption and signing of tokens
options.AddEphemeralEncryptionKey()
.AddEphemeralSigningKey();
options.RegisterScopes(ApplicationConstants.MobileApiResource);
options.SetAccessTokenLifetime(TimeSpan.FromMinutes(5));
options.SetIdentityTokenLifetime(TimeSpan.FromMinutes(15));
options.SetRefreshTokenLifetime(TimeSpan.FromHours(1));
// Register the ASP.NET Core host and configure the ASP.NET Core-specific options.
options.UseAspNetCore()
//todo remove the disable transport layer security
.DisableTransportSecurityRequirement()
.EnableAuthorizationEndpointPassthrough()
.EnableLogoutEndpointPassthrough()
.EnableTokenEndpointPassthrough()
.EnableUserinfoEndpointPassthrough()
.EnableStatusCodePagesIntegration();
options.DisableAccessTokenEncryption();
})
.AddValidation(options =>
{
// Import the configuration from the local OpenIddict server instance.
options.UseLocalServer();
// Register the ASP.NET Core host.
options.UseAspNetCore();
});
这是我的 API 上的设置:
services.AddAuthentication(options =>
{
options.DefaultScheme = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
});
services.AddOpenIddict()
.AddValidation(options =>
{
// Note: the validation handler uses OpenID Connect discovery
// to retrieve the address of the introspection endpoint.
options.SetIssuer(identityUrl);
options.AddAudiences("client_id");
// Configure the validation handler to use introspection and register the client
// credentials used when communicating with the remote introspection endpoint.
options.UseIntrospection()
.SetClientId("client_id")
.SetClientSecret("secret");
// Register the System.Net.Http integration.
options.UseSystemNetHttp();
// Register the ASP.NET Core host.
options.UseAspNetCore();
});
【问题讨论】:
-
明天分享你的概念和代码,然后我解决你的问题
标签: openiddict