使用 IdentityServer4 时出现“需要代码挑战”

Question

我正在尝试重定向到 IdentityServer 进行授权，并在重定向 URL 中获得“需要代码质询”。

错误消息显示 invalid_request 需要代码质询，以及我的重定向 URL http://localhost:44367/signin-oidc#error=invalid_request&error_description=code%20challenge%20required&state=CfDJ8Cq6lLUEMhZLqMhFVN

这是我的客户端配置：

namespace TestClient
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.Configure<CookiePolicyOptions>(options =>
            {
                // This lambda determines whether user consent for non-essential cookies is needed for a given request.
                options.CheckConsentNeeded = context => true;
                options.MinimumSameSitePolicy = SameSiteMode.None;
            });

            services.AddControllersWithViews();

            ConfigureIdentityServer(services);
            services.AddCors();
        }

        private void ConfigureIdentityServer(IServiceCollection services)
        {
            var builder = services.AddAuthentication(options => SetAuthenticationOptions(options));
            services.AddMvcCore()
                .AddAuthorization();

            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_3_0);

            builder.AddCookie();
            builder.AddOpenIdConnect(options => SetOpenIdConnectOptions(options));
        }

        private void SetAuthenticationOptions(AuthenticationOptions options)
        {
            options.DefaultScheme = Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectDefaults.AuthenticationScheme;
        }

        private void SetOpenIdConnectOptions(OpenIdConnectOptions options)
        {
            options.Authority = "https://localhost:44346";
            options.ClientId = "TestIdentityServer";
            options.RequireHttpsMetadata = false;
            options.Scope.Add("profile");
            options.Scope.Add("openid");
            options.Scope.Add("TestIdentityServer");
            options.ResponseType = "code id_token";
            options.SaveTokens = true;
            options.ClientSecret = "0b4168e4-2832-48ea-8fc8-7e4686b3620b";
        }


        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.

            }
            app.UseHsts();
            app.UseHttpsRedirection();
            app.UseStaticFiles();

            app.UseCors(builder => builder
                .AllowAnyOrigin()
                .AllowAnyHeader()
                .AllowAnyMethod()
            );

            app.UseCookiePolicy();
            app.UseRouting();

            app.UseAuthentication();

            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllerRoute(
                    name: "default",
                    pattern: "{controller=Home}/{action=Index}/{id?}");
            });
        }
    }
}

这是我的 IdentityService4 配置

  public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;

        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            IdentityModelEventSource.ShowPII = true;
            services.AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlServer(
                    Configuration.GetConnectionString("DefaultConnection")));
            services.AddDefaultIdentity<IdentityUser>(options => options.SignIn.RequireConfirmedAccount = true)
                .AddEntityFrameworkStores<ApplicationDbContext>();
            services.AddControllersWithViews();
            services.AddRazorPages();

            services.AddMvc().SetCompatibilityVersion(Microsoft.AspNetCore.Mvc.CompatibilityVersion.Version_3_0);
            services.Configure<IISOptions>(iis =>
            {
                iis.AuthenticationDisplayName = "Windows";
                iis.AutomaticAuthentication = false;
            });

            var builder = services.AddIdentityServer(options =>
            {
                options.Events.RaiseErrorEvents = true;
                options.Events.RaiseInformationEvents = true;
                options.Events.RaiseFailureEvents = true;
                options.Events.RaiseSuccessEvents = true;
            });
            // this adds the config data from DB (clients, resources)

            builder.AddInMemoryIdentityResources(Configuration.GetSection("IdentityResources"));
            builder.AddInMemoryApiResources(Configuration.GetSection("ApiResources"));
            builder.AddInMemoryClients(Configuration.GetSection("clients"));

            services.AddAuthentication();
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                app.UseDatabaseErrorPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.

            }
            app.UseHsts();
            app.UseHttpsRedirection();
            app.UseStaticFiles();

            app.UseRouting();
            app.UseIdentityServer();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllerRoute(
                    name: "default",
                    pattern: "{controller=Home}/{action=Index}/{id?}");
                endpoints.MapRazorPages();
            });
        }
    }

和 appsettings.json

"IdentityResources": [
    {
      "Name": "openid",
      "DisplayName": "Your user identifier",
      "Required": true,
      "UserClaims": [
        "sub"
      ]
    },
    {
      "Name": "profile",
      "DisplayName": "User profile",
      "Description": "Your user profile information (first name, last name, etc.)",
      "Emphasize": true,
      "UserClaims": [
        "name",
        "family_name",
        "given_name",
        "middle_name",
        "preferred_username",
        "profile",
        "picture",
        "website",
        "gender",
        "birthdate",
        "zoneinfo",
        "locale",
        "updated_at"
      ]
    }
  ],

  "ApiResources": [
    {
      "Name": "TestIdentityServer",
      "DisplayName": "TestIdentityServer API Services",
      "Scopes": [
        {
          "Name": "TestIdentityServer",
          "DisplayName": "TestIdentityServer API Services"
        }
      ]
    }
  ],

  "Clients": [
    {
      "ClientId": "TestIdentityServer",
      "ClientName": "TestIdentityServer Credentials Client",

      // 511536EF-F270-4058-80CA-1C89C192F69A
      "ClientSecrets": [ { "Value": "entAuCGhsOQWRYBVx26BCgZxeMt/TqeVZzzpNJ9Ub1M=" } ],
      "AllowedGrantTypes": [ "hybrid" ],
      "AllowedScopes": [ "openid", "profile", "TestIdentityServer" ],
      "RedirectUris": [ "http://localhost:44367/signin-oidc" ],
      //"FrontChannelLogoutUris": [ "http://localhost:44367/Home/Privacy" ],
      //"PostLogoutRedirectUris": [ "http://localhost:44367/Home/Privacy" ],
      "redirect_uri": "http://localhost:44367/signin-oidc"
    }

Answer 1

我很确定您使用的是4.0 或更高版本。让我知道我是否正确？

在4.0 及更高版本中，默认使用code flow + PKCE，因为根据文档，这比Hybrid flow 更安全。

这是链接 https://identityserver4.readthedocs.io/en/latest/topics/grant_types.html 和 github 上相关问题的链接 https://github.com/IdentityServer/IdentityServer4/issues/3728，将其描述为重大更改。

当我在我的一个项目中将 IdentityServer4 包升级到最新版本时，我也为此苦苦挣扎了大约 2 个小时。

如果您想在客户端配置中使用Hybrid flow，请将RequirePkce 设置为false。

"Clients": {
   /* Code removed for brevity */
      RequirePkce : "false"
    }

Answer 2

今天遇到了这个错误并通过切换解决了它：

options.ResponseType = "code id_token";

到

options.ResponseType = "code";
options.UsePkce = true;

这是我完整的客户端选项：

options.Authority = "http://localhost:8000";
options.RequireHttpsMetadata = false; // dev only

options.ClientId = "testAPI";
options.ClientSecret = secret;

// code flow + PKCE (PKCE is turned on by default)
options.ResponseType = "code";
options.UsePkce = true;

options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("offline_access");
options.Scope.Add("testAPI");

options.ClaimActions.MapJsonKey("website", "website");

//options.ResponseMode = "form_post";
//options.CallbackPath = "/signin-oidc";

// keeps id_token smaller
options.GetClaimsFromUserInfoEndpoint = true;
options.SaveTokens = true;

另外，由于我在 docker 上使用 IdentityServer 并在主机上测试客户端，我必须配置一个额外的重定向 Uri 才能进行测试：

RedirectUris =
{
    "http://localhost:5001/signin-oidc",
    "http://host.docker.internal:5001/signin-oidc",
    "http://notused"
},

我的实现基于 Dominic Baier 在GitHub 上的样本。

编辑：我现在明白，对于我的情况，响应类型只能是“代码”，因为我的客户端配置是授权代码 + PKCE（一个 OAuth2 流）。 您已配置支持“code id_token”的“混合”（OIDC 流程），因此尽管我们收到了相同的错误消息，但问题有所不同。

Answer 3

试试这个：https://github.com/IdentityServer/IdentityServer4/issues/4238

在配置中将您的 RequirePkce 设置为 false。

Answer 4

运行您的应用程序，一旦它被重定向到浏览器页面删除所有 cookie 站点设置 -> 在使用情况下 -> Cookies -> 清除与该 URL 相关的数据（https://localhost: 5002) 在重定向到登录页面之前。然后重新启动应用程序。这解决了代码挑战问题

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
         .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
         .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
         {
             options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
             options.Authority = "https://localhost:5005";
             options.ClientId = "movies_mvc_client";
             options.ClientSecret = "secret";
             options.ResponseType = "code";

             options.SaveTokens = true;
            // options.RequireHttpsMetadata = false;
             options.GetClaimsFromUserInfoEndpoint = true;
             options.Scope.Add("openid");
             options.Scope.Add("profile");
         });

Config.cs - 身份服务器

                new Client
            {
             ClientId = "movies_mvc_client",
            ClientSecrets = { new Secret("secret".Sha256()) },
                
            AllowedGrantTypes = GrantTypes.Code,

             RedirectUris = { "https://localhost:5002/signin-oidc" },
            //    FrontChannelLogoutUri = "https://localhost:44300/signout-oidc",
             PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },

             AllowOfflineAccess = true,
             AllowedScopes = { "openid", "profile","movies_mvc_client"}
            }