IdentityServer4 以及 Asp.Net 4.5 MVC 客户端答案

【问题标题】：IdentityServer4 along with Asp.Net 4.5 MVC ClientIdentityServer4 以及 Asp.Net 4.5 MVC 客户端
【发布时间】：2017-04-03 00:05:34
【问题描述】：

我正在尝试使用 MVC 框架对使用旧 Asp.Net（不是核心版本）构建的现有 MVC 应用程序进行身份验证。

通过遵循 IdentityServer4 和 IdentityServer3 示例，我设法使用 EntityFramework 将我的用户信息存储在 LocalDB 中，当我尝试访问客户端应用程序中的受限页面时，我被重定向到由提供的登录页面身份服务器4。但是，成功登录后（根据我在日志上看到的内容）它不会重定向到相应的页面。地址栏保留http://localhost:5000/.... 之类的内容，然后是大量参数和散列值。端口 5000 是我运行身份服务器的地方，我的应用程序托管在端口 44300 上，但我无法回到那里。

以前是否有人遇到过这种问题，或者有人可以指出一个由 IdentityServer4 和非核心版本的 Asp.Net 组成的示例。

编辑 1：实施细节

服务器： IdentityServer4 实现几乎是 IdentityServer4 Quickstarts 6-AspNetIdentity 的克隆。

配置文件：

public class Config
{
    public static IEnumerable<IdentityResource> GetIdentityResources()
    {
        return new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
        };
    }

    // clients want to access resources (aka scopes)
    public static IEnumerable<Client> GetClients()
    {
        // client credentials client
        return new List<Client>
        {
            new Client
            {
                ClientId = "webapp",
                ClientName = "Client WebApp",
                AllowedGrantTypes = GrantTypes.Hybrid,
                RedirectUris = { "http://localhost:44300/signin-oidc" },
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile
                },
                AllowOfflineAccess = true
            }
        };
    }
}

客户端：我使用的客户端实现是一个虚拟的，它源自 IdentityServer3 客户端示例“MVC OWIN 客户端（混合）”。

Startup.cs：

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = "oidc",
            SignInAsAuthenticationType = "Cookies",
            ClientSecret = "secret",

            Authority = "http://localhost:5000", //ID Server
            RedirectUri = "http://localhost:44300/signin-oidc",
            ClientId = "webapp",

            ResponseType = "id_token code",
            Scope = "openid profile",
        });
    }
}

日志输出：点击安全页面后的日志输出 -> IS 登录页面 -> 点击登录。

...
...
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware[3]
      HttpContext.User merged via AutomaticAuthentication from authenticationScheme: Identity.Application.
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware[8]
      AuthenticationScheme: Identity.Application was successfully authenticated.
dbug: IdentityServer4.Hosting.EndpointRouter[0]
      Request path /connect/authorize/login matched to endpoint type Authorize
dbug: IdentityServer4.Hosting.EndpointRouter[0]
      Mapping found for endpoint: Authorize, creating handler: IdentityServer4.Endpoints.AuthorizeEndpoint
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
      Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize/login
dbug: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
      Start authorize request (after login)
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware[8]
      AuthenticationScheme: Identity.Application was successfully authenticated.
dbug: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
      User in authorize request: df21b123-d4b6-40ef-beed-e918bdfd56e9
dbug: IdentityServer4.Validation.AuthorizeRequestValidator[0]
      Start authorize request protocol validation
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware[8]
      AuthenticationScheme: Identity.Application was successfully authenticated.
dbug: IdentityServer4.Validation.AuthorizeRequestValidator[0]
      Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
info: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
      ValidatedAuthorizeRequest
      {
        "ClientId": "webapp",
        "ClientName": "Client WebApp",
        "RedirectUri": "http://localhost:44300/signin-oidc",
        "AllowedRedirectUris": [
          "http://localhost:44300/signin-oidc"
        ],
        "SubjectId": "df21b123-d4b6-40ef-beed-e918bdfd56e9",
        "ResponseType": "code id_token",
        "ResponseMode": "form_post",
        "GrantType": "hybrid",
        "RequestedScopes": "openid profile",
        "State": "OpenIdConnect.AuthenticationProperties=m1ybV84KFOLgklhcmtb8iR6VFuDBxWSzJKpTy83w7RF3zRTwd9zHBbdSyiAHbuea2D6FM1MjCJvMbql9qjcTntyu95POoCAWGwDML0nkiaYnKPKtJxgZ7FagyvYvz87C6pYlJWmL2zbrTFkYh7IPmX-Qv9rPOfyp4uwhhbZZ731vfL1mSxuhh_p1dPVNFJJav4E8bZXyadg94EXJbqb3ecc_jQHWn1F_eiJsoVMSRdk",
        "Nonce": "636268234716844341.OTFhNGE1ZTEtNTMyYy00Y2MyLWFjOGMtMDE1NjBmNDY3ZGM1NWFmNzIxMjItYTgzZC00NjJhLTk4YWMtNDExOTA0N2I4MjNl",
        "SessionId": "61d148313b2a7485dd27e3110ea61fff",
        "Raw": {
          "client_id": "webapp",
          "redirect_uri": "http://localhost:44300/signin-oidc",
          "response_mode": "form_post",
          "response_type": "id_token code",
          "scope": "openid profile",
          "state": "OpenIdConnect.AuthenticationProperties=m1ybV84KFOLgklhcmtb8iR6VFuDBxWSzJKpTy83w7RF3zRTwd9zHBbdSyiAHbuea2D6FM1MjCJvMbql9qjcTntyu95POoCAWGwDML0nkiaYnKPKtJxgZ7FagyvYvz87C6pYlJWmL2zbrTFkYh7IPmX-Qv9rPOfyp4uwhhbZZ731vfL1mSxuhh_p1dPVNFJJav4E8bZXyadg94EXJbqb3ecc_jQHWn1F_eiJsoVMSRdk",
          "nonce": "636268234716844341.OTFhNGE1ZTEtNTMyYy00Y2MyLWFjOGMtMDE1NjBmNDY3ZGM1NWFmNzIxMjItYTgzZC00NjJhLTk4YWMtNDExOTA0N2I4MjNl",
          "x-client-SKU": "ID_NET",
          "x-client-ver": "1.0.40306.1554"
        }
      }
info: Microsoft.EntityFrameworkCore.Storage.IRelationalCommandBuilderFactory[1]
      Executed DbCommand (0ms) [Parameters=[@__get_Item_0='?' (Size = 450)], CommandType='Text', CommandTimeout='30']
      SELECT TOP(1) [e].[Id], [e].[AccessFailedCount], [e].[ConcurrencyStamp], [e].[DefaultDatabaseName], [e].[DefaultDatabaseServer], [e].[Email], [e].[EmailConfirmed], [e].[HierarchyIds], [e].[LockoutEnabled], [e].[LockoutEnd], [e].[NormalizedEmail], [e].[NormalizedUserName], [e].[PasswordHash], [e].[PhoneNumber], [e].[PhoneNumberConfirmed], [e].[SecurityStamp], [e].[TwoFactorEnabled], [e].[UserName]
      FROM [AspNetUsers] AS [e]
      WHERE [e].[Id] = @__get_Item_0
info: IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator[0]
      Showing consent: User has not yet consented
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 138.8585ms 302
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
      Request starting HTTP/1.1 GET http://localhost:5000/consent?returnUrl=%2Fconnect%2Fauthorize%2Fconsent%3Fclient_id%3Dwebapp%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A44300%252Fsignin-oidc%26response_mode%3Dform_post%26response_type%3Did_token%2520code%26scope%3Dopenid%2520profile%26state%3DOpenIdConnect.AuthenticationProperties%253Dm1ybV84KFOLgklhcmtb8iR6VFuDBxWSzJKpTy83w7RF3zRTwd9zHBbdSyiAHbuea2D6FM1MjCJvMbql9qjcTntyu95POoCAWGwDML0nkiaYnKPKtJxgZ7FagyvYvz87C6pYlJWmL2zbrTFkYh7IPmX-Qv9rPOfyp4uwhhbZZ731vfL1mSxuhh_p1dPVNFJJav4E8bZXyadg94EXJbqb3ecc_jQHWn1F_eiJsoVMSRdk%26nonce%3D636268234716844341.OTFhNGE1ZTEtNTMyYy00Y2MyLWFjOGMtMDE1NjBmNDY3ZGM1NWFmNzIxMjItYTgzZC00NjJhLTk4YWMtNDExOTA0N2I4MjNl%26x-client-SKU%3DID_NET%26x-client-ver%3D1.0.40306.1554
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware[3]
      HttpContext.User merged via AutomaticAuthentication from authenticationScheme: Identity.Application.
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware[8]
      AuthenticationScheme: Identity.Application was successfully authenticated.
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 32.5652ms 404

【问题讨论】：

您能否提供更多详细信息，例如您正在使用的流/授权类型并显示您的客户端定义。
我已经编辑了我的帖子以提供相关的设置代码。

标签： asp.net asp.net-mvc asp.net-mvc-4 identityserver4

【解决方案1】：

与运行旧版本 .NET 的应用程序无关。
In this video，IdentityServer 的作者之一演示了他如何能够将 WinForm 应用程序与 IDS4 连接。

与 IDS4 的通信是通过 HTTP 请求进行的，您的客户端可以是任何东西，只要它能够处理与 IDS4 的通信即可。
建议你打开fiddler，监听请求，查看传递的参数。
您还可以使用 quickstarts 之一作为 IDS 的基础，或将其与您的设置进行比较以检查问题所在。

【讨论】：

正如你所说，我的理解是客户并不重要，但我还无法让它发挥作用。我已经按照 IdentityServer4 和 IdentityServer3 示例来实现测试服务器和客户端。

【解决方案2】：

从您的日志中，这表明您的用户尚未同意所请求的范围，因此正尝试导航到用户可以同意的身份服务器上的页面。

`Request starting HTTP/1.1 GET http://localhost:5000/consent?returnUrl=%2Fconnect%2Fauthorize%2Fconsent%3Fclient_id%3Dwebapp%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A44300%252Fsignin-oidc%26response_mode%3Dform_post%26response_type%3Did_token%2520code%26scope%3Dopenid%2520profile%26state%3DOpenIdConnect.AuthenticationProperties%253Dm1ybV84KFOLgklhcmtb8iR6VFuDBxWSzJKpTy83w7RF3zRTwd9zHBbdSyiAHbuea2D6FM1MjCJvMbql9qjcTntyu95POoCAWGwDML0nkiaYnKPKtJxgZ7FagyvYvz87C6pYlJWmL2zbrTFkYh7IPmX-Qv9rPOfyp4uwhhbZZ731vfL1mSxuhh_p1dPVNFJJav4E8bZXyadg94EXJbqb3ecc_jQHWn1F_eiJsoVMSRdk%26nonce%3D636268234716844341.OTFhNGE1ZTEtNTMyYy00Y2MyLWFjOGMtMDE1NjBmNDY3ZGM1NWFmNzIxMjItYTgzZC00NjJhLTk4YWMtNDExOTA0N2I4MjNl%26x-client-SKU%3DID_NET%26x-client-ver%3D1.0.40306.1554`

此步骤发生在重定向回您的呼叫网站之前，所以我猜您尚未在 IdSvr 上实现此页面，

【讨论】：

我检查了我遵循的示例，了解如何创建这些页面。我会继续寻找它，但我注意到了这个信息：Url：docs.identityserver.io/en/release/quickstarts/… 它说在客户端配置中使用 RequireConsent = false，我试过了，但结果是一样的。