【发布时间】:2018-07-10 16:38:45
【问题描述】:
我将 IdentityServer 与 AccessTokenType.Reference 和一个 API 一起使用。 API 无法通过以下错误日志对请求的用户进行身份验证:
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.0 POST http://dev.applicationname.com/api/query text/plain 36
info: IdentityModel.AspNetCore.OAuth2Introspection.OAuth2IntrospectionHandler[7]
BearerIdentityServerAuthenticationIntrospection was not authenticated. Failure message: Token is not active.
info: IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler[7]
Bearer was not authenticated. Failure message: Token is not active.
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed for user: (null).
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[3]
Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
info: Microsoft.AspNetCore.Mvc.ChallengeResult[1]
Executing ChallengeResult with authentication schemes ().
info: IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler[12]
AuthenticationScheme: Bearer was challenged.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action ApplicationName.Services.QueryHandler.Controllers.QueryController.PostAsync (ApplicationName.Services.QueryHandler) in 1.0248ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 49.0536ms 401
服务
public void ConfigureServices(IServiceCollection services)
{
services
.AddMvcCore()
.AddAuthorization()
.AddJsonFormatters();
services
.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(options =>
{
options.Authority = "http://localhost:5000";
options.ApiName = "my_api_name";
options.ApiSecret = "my_api_secret";
});
}
身份服务器
启动.cspublic void ConfigureServices(IServiceCollection services)
{
services.AddDbContext<ApplicationDbContext>(options =>
options.UseNpgsql(Configuration.GetConnectionString("DefaultConnection")));
services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
// ...
})
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();
// ...
services.AddIdentityServer(options =>
{
options.IssuerUri = "http://localhost:5000";
options.PublicOrigin = "http://localhost:5000";
})
.AddDeveloperSigningCredential()
.AddInMemoryPersistedGrants()
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients())
.AddAspNetIdentity<ApplicationUser>();
}
配置文件
public static IEnumerable<ApiResource> GetApiResources()
{
yield return new ApiResource
{
Name = "my_api_name",
ApiSecrets = {new Secret("my_api_secret".Sha256())},
Scopes = {new Scope {Name = $"my_api_name.full_access"}},
UserClaims =
{
JwtClaimTypes.Name,
JwtClaimTypes.Email,
"tenant_id"
}
};
}
public static IEnumerable<Client> GetClients(string baseUrl)
{
yield return new List<Client>
{
new Client
{
ClientId = "frontend",
ClientName = "AngularClient",
AccessTokenType = AccessTokenType.Reference,
AllowAccessTokensViaBrowser = true,
AllowedGrantTypes = GrantTypes.Implicit,
AllowOfflineAccess = true,
AlwaysIncludeUserClaimsInIdToken = true,
RequireConsent = false,
RequireClientSecret = false,
RedirectUris =
{
"http://localhost:4200/signin-oidc"
},
PostLogoutRedirectUris =
{
"http://localhost:4200/signout-callback-oidc"
},
AllowedCorsOrigins =
{
"http://localhost:4200"
},
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"tenant_id",
"my_api_name.full_access"
}
}
};
}
在 IdentityServer 中,我收到以下错误日志:
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.IntrospectionEndpoint for /connect/introspect
[15:17:44 Information] IdentityServer4.Hosting.IdentityServerMiddleware
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.IntrospectionEndpoint for /connect/introspect
fail: IdentityServer4.Validation.TokenValidator[0]
Invalid reference token.
{
"ValidateLifetime": true,
"AccessTokenType": "Reference",
"TokenHandle": "2a29182593d7eb69e9845e3d94b16f3056bc27da6cb6d6ae760733b3141dacdb"
}
[15:17:44 Error] IdentityServer4.Validation.TokenValidator
Invalid reference token.
{
"ValidateLifetime": true,
"AccessTokenType": "Reference",
"TokenHandle": "2a29182593d7eb69e9845e3d94b16f3056bc27da6cb6d6ae760733b3141dacdb"
}
info: IdentityServer4.Endpoints.IntrospectionEndpoint[0]
Success token introspection. Token active: False, for API name: my_api_name
[15:17:44 Information] IdentityServer4.Endpoints.IntrospectionEndpoint
Success token introspection. Token active: False, for API name: my_api_name
我认为有错误配置但看不到。
【问题讨论】:
-
您是否尝试过使用
self-contained(JWT) 访问令牌。我记得在某处读过,隐式流程需要它。我不确定,这就是为什么我不建议将其作为答案,但值得一试。 -
在
AddIdentityServerAuthentication中要尝试的两件事 1) 添加options.RequireHttpsMetadata = false;2) 我认为需要在此处使用范围名称...例如尝试使用范围名称而不是 api 名称。 -
asp.net 身份存在一个错误,它会覆盖默认方案,因此您无法授权。试试 addidentitycore
-
如果您发现出了什么问题,请随时分享。我在类似的情况下也遇到了同样的问题...
标签: asp.net-core identityserver4