【发布时间】:2021-06-10 22:29:27
【问题描述】:
我有一个 MVC 客户端访问受 IDS4 服务器保护的 Web API。当我使用 ResponseType = "code" 时,它工作得很好。但是当我将其更改为 ResponseType = "code id_token"(混合流)时,我开始收到此“抱歉,出现错误:需要无效请求代码挑战”错误。
这是我在 IDS4 端的客户端配置:
new Client
{
ClientId = "mvc",
ClientSecrets = { new Secret("secret".Sha256()) },
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
RequirePkce = false,
//AllowedGrantTypes = GrantTypes.Code,
RedirectUris = { "https://localhost:6009/signin-oidc" },
PostLogoutRedirectUris = { "https://localhost:6009/signout-callback-oidc" },
AllowOfflineAccess = true,
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"roles",
"MyAPI"
}
这是 MVC 客户端的配置。请注意,导致错误发生的是'options.ResponseType = "code id_token"'。如果我使用“代码”代替它不会出错。
.AddOpenIdConnect("oidc", options =>
{
options.Authority = "https://localhost:6005";
options.ClientId = "mvc";
options.ClientSecret = "secret";
//options.ResponseType = "code";
options.ResponseType = "code id_token";
options.SaveTokens = true;
options.Scope.Add("profile");
options.Scope.Add("email");
options.GetClaimsFromUserInfoEndpoint = true;
options.Scope.Add("roles");
options.ClaimActions.MapJsonKey("role", "role", "role");
options.TokenValidationParameters.RoleClaimType = "role";
options.Scope.Add("MyAPI");
options.Scope.Add("offline_access");
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name"
};
});
这是日志中的内容:
[2021-03-12T15:25:51.014Z] [4] [Error] Request validation failed
[2021-03-12T15:25:51.013Z] [4] [Error] code_challenge is missing
{
"ClientId": "mvc",
"RedirectUri": "https://localhost:6009/signin-oidc",
"AllowedRedirectUris": [
"https://localhost:6009/signin-oidc"
],
"SubjectId": "anonymous",
"ResponseType": "code id_token",
"ResponseMode": "fragment",
"GrantType": "hybrid",
"RequestedScopes": "",
"State": "CfDJ....8oxh4",
"PromptMode": "",
"Raw": {
"client_id": "mvc",
"redirect_uri": "https://localhost:6009/signin-oidc",
"response_type": "code id_token",
"scope": "openid profile email roles MyAPIoffline_access",
"response_mode": "form_post",
"nonce": "637511...lOGNh",
"state": "CfDJ8...8oxh4",
"x-client-SKU": "ID_NETSTANDARD2_0",
"x-client-ver": "5.5.0.0"
}
}
顺便说一下,我正在测试混合流,因为我试图让 Windows 身份验证在 IDS4 下工作。我的本地登录有效,但 Windows 无效。一些资源说为此需要混合流。有人可以告诉我我在这里做错了什么吗?
【问题讨论】:
标签: identityserver4 windows-authentication