【问题标题】:AuthorizeRequestValidator: Error: Invalid grant type for client: implicitAuthorizeRequestValidator:错误:客户端的授权类型无效:隐式
【发布时间】:2018-11-02 09:36:07
【问题描述】:

我正在尝试在 .NET Core 2.0 MVC 上设置 Identity Server 4 HybridAndClientCredentials

我正在努力解决这个错误:

客户端的授权类型无效:隐式

即使我的代码中有:

AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

我已经下载了示例快速入门,并且运行正常,但是我无法使用我的代码找到该行缺少的部分。

调试输出:

IdentityServer4.Validation.AuthorizeRequestValidator:
Error: Invalid grant type for client: implicit
{
  "ClientId": "consultee",
  "ClientName": "consultee Client test",
  "RedirectUri": "http://consultee.mi.local:44352/signin-oidc",
  "AllowedRedirectUris": [
    "http://consultee.mi.local:44352/signin-oidc"
  ],
  "SubjectId": "anonymous",
  "ResponseType": "id_token",
  "ResponseMode": "form_post",
  "GrantType": "implicit",
  "RequestedScopes": "",
  "State": "CfDJ8KERs5ihv_5Ll9ddYi6Nj5lkLNGQptrJwHqbSD11g27zqVxPcKxLKvbMtd5ab5LPbV15yaCNlHlzpPgRQL4R2XSue8ka_fqLBWFfXad-sRNCyY03JxgL7HZDKDrph-G4hdvRRMvBtXUc0tq2tHd7ZGX7-djehs8aHD6-P_80UfFplHCYkvARV7I64Kb5ki4cFVmLE6G8EbWIUwir6HJpkgK1CbN_IuPtBTjaLZoBOEzpxWTRVaudsD4vZFxdTv4N51ufkn8jy7GPC0pf3xCGInQpA-FziHp681qmiWbCxlp9HuAIZBem-at9dNvC29yRBw4JbcoTSrjuHkq6G6gZtXVh1YuuQYIW9R4wklmlSEX4i8kxM8zJTog98Ce3OFsYnw",
  "Raw": {
    "client_id": "consultee",
    "redirect_uri": "http://consultee.mi.local:44352/signin-oidc",
    "response_type": "id_token",
    "scope": "openid profile api1 offline_access",
    "response_mode": "form_post",
    "nonce": "636626718480261618.MDYwZjE0MjMtNzczMi00ZjQ4LTk0NWUtZjQ1ZDNjM2VjZTRhOWI0NWM0MjMtNGM3Ni00ZDA3LWIyZDctMDcwNTc3ZDU0NGYy",
    "state": "CfDJ8KERs5ihv_5Ll9ddYi6Nj5lkLNGQptrJwHqbSD11g27zqVxPcKxLKvbMtd5ab5LPbV15yaCNlHlzpPgRQL4R2XSue8ka_fqLBWFfXad-sRNCyY03JxgL7HZDKDrph-G4hdvRRMvBtXUc0tq2tHd7ZGX7-djehs8aHD6-P_80UfFplHCYkvARV7I64Kb5ki4cFVmLE6G8EbWIUwir6HJpkgK1CbN_IuPtBTjaLZoBOEzpxWTRVaudsD4vZFxdTv4N51ufkn8jy7GPC0pf3xCGInQpA-FziHp681qmiWbCxlp9HuAIZBem-at9dNvC29yRBw4JbcoTSrjuHkq6G6gZtXVh1YuuQYIW9R4wklmlSEX4i8kxM8zJTog98Ce3OFsYnw",
    "x-client-SKU": "ID_NET",
    "x-client-ver": "2.1.4.0"
  }
}

客户:

new Client
{
    ClientId = "consultee",
    ClientName = "consultee Client test",
    AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

    ClientSecrets =
    {
        new Secret("secret".Sha256())
    },

    RedirectUris = { "http://consultee.mi.local:44352/signin-oidc" },
    PostLogoutRedirectUris = { "http://consultee.mi.local:44352/signout-callback-oidc" },

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "api1"
    },
    AllowOfflineAccess = true,
    AllowAccessTokensViaBrowser = true,
}

ConfigurationService 在客户端:

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

    services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie("Cookies")
        .AddOpenIdConnect("oidc", options =>
        {
            options.SignInScheme = "Cookies";

            options.Authority = Configuration["identityServerUri"];
            options.RequireHttpsMetadata = false;

            options.ClientId = "consultee";
            options.ClientSecret = "secret";

            options.SaveTokens = true;
            options.GetClaimsFromUserInfoEndpoint = true;

            options.Scope.Add("api1");
            options.Scope.Add("offline_access");
        });
}

ConfigurationServiceIdServer:

public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // configure identity server with in-memory stores, keys, clients and scopes
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()
            .AddInMemoryIdentityResources(Config.GetIdentityResources())
            .AddInMemoryApiResources(Config.GetApiResources())
            .AddInMemoryClients(Config.GetClients())
            .AddTestUsers(Config.GetUsers());

        services.AddAuthentication();

    }

【问题讨论】:

  • 对不起!我不完全理解,但这对我有用:offline_access 和 options.ResponseType = "code id_token token"; (at client)

标签: c# oauth oauth-2.0 asp.net-core-2.0 identityserver4


【解决方案1】:

当您在表单数据中的“用户名”中输入错误时,也会出现同样的问题。使用西里尔字母时的拼写错误尤其可怕。

【讨论】:

    【解决方案2】:

    日志告诉你问题是什么

    错误:客户端的授权类型无效:隐式

    您正在作为隐式客户端登录。

    .AddOpenIdConnect("oidc", options =>
            {
                options.SignInScheme = "Cookies";
    
                options.Authority = Configuration["identityServerUri"];
                options.RequireHttpsMetadata = false;
    
                options.ClientId = "consultee";
                options.ClientSecret = "secret";
    
                options.SaveTokens = true;
                options.GetClaimsFromUserInfoEndpoint = true;
    
                options.Scope.Add("api1");
                options.Scope.Add("offline_access");
            });
    

    您已在身份服务器中配置了混合客户端

    new Client
                {
                    ClientId = "consultee",
                    ClientName = "consultee Client test",
                    AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
    
                    ClientSecrets =
                    {
                        new Secret("secret".Sha256())
                    },
    
                    RedirectUris = { "http://consultee.migrology.local:44352/signin-oidc" },
                    PostLogoutRedirectUris = { "http://consultee.migrology.local:44352/signout-callback-oidc" },
    
                    AllowedScopes =
                    {
                        IdentityServerConstants.StandardScopes.OpenId,
                        IdentityServerConstants.StandardScopes.Profile,
                        "api1"
                    },
                    AllowOfflineAccess = true,
                    AllowAccessTokensViaBrowser = true,
                }
    

    所以服务器不会允许你这样做。您需要更改您的代码以混合登录或将您的客户端更改为隐式客户端。

    改为混合

    为了将隐式登录更改为混合登录,您需要更改一些内容。

    • 配置 ClientSecret 以匹配 IdentityServer 上的密钥。
    • 添加offline_access
    • 添加范围(api1)
    • 将 ResponseType 设置为 code id_token(基本上意味着“使用混合流”)(你错过了这个)

    【讨论】:

    • 你真是牛眼啊!
    • 我正在做同样的事情,我认为你的项目使用隐式和我的混合运行很奇怪,所以我不得不用你的代码进行测试。我们都在这里学到了一些东西。
    猜你喜欢
    • 2020-08-06
    • 1970-01-01
    • 2015-09-29
    • 1970-01-01
    • 2020-07-14
    • 2020-03-27
    • 2013-08-03
    • 1970-01-01
    • 2017-02-22
    相关资源
    最近更新 更多