我尝试使用Identity Server 4实现授权代码流,但当我尝试生成授权代码时,我得到的只是一个一般错误页面,除了消息“对不起,出现错误”(标题为“错误”)之外什么都没有。
无论是使用Postman还是以编程方式提交带有所需参数的GET请求,我都会得到这个结果。
为了运行我的测试,我在Visual Studio中启动了标识服务器和API服务器。我启动了MVC站点,以便在需要时以测试用户身份登录,并使回调URL可用。然后我在Postman中按下了“获取新的访问令牌”按钮。结果是出现了该一般性错误。
我知道,当我以编程方式提交GET请求时,响应应该是Auth Code,这是理想的,但此时我只想成功地验证客户端。
有人能看到我遗漏的东西吗?
在Postman中,我的参数如下所示:
我的客户端设置如下:
new Client
{
ClientId = "mvc",
ClientSecrets = { new Secret("secret".Sha256()) },
AllowedGrantTypes = GrantTypes.Code ,
// where to redirect to after login
RedirectUris = { "https://localhost:5002/signin-oidc" },
// where to redirect to after logout
PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
AllowOfflineAccess = true,
AllowAccessTokensViaBrowser = true,
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"api1",
IdentityServerConstants.StandardScopes.Email
}
}我的测试用户是Identity Server Github代码附带的用户:
new TestUser
{
SubjectId = "88421113",
Username = "bob",
Password = "bob",
Claims =
{
new Claim(JwtClaimTypes.Name, "Bob Smith"),
new Claim(JwtClaimTypes.GivenName, "Bob"),
new Claim(JwtClaimTypes.FamilyName, "Smith"),
new Claim(JwtClaimTypes.Email, "BobSmith@email.com"),
new Claim(JwtClaimTypes.EmailVerified, "true", ClaimValueTypes.Boolean),
new Claim(JwtClaimTypes.WebSite, "http://bob.com"),
new Claim(JwtClaimTypes.Address, JsonSerializer.Serialize(address), IdentityServerConstants.ClaimValueTypes.Json)
}
}我的Identity Server启动:
public class Startup
{
public IWebHostEnvironment Environment { get; }
public Startup(IWebHostEnvironment environment)
{
Environment = environment;
}
public void ConfigureServices(IServiceCollection services)
{
// uncomment, if you want to add an MVC-based UI
services.AddControllersWithViews();
services.AddAuthentication()
.AddGoogle("Google", options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.ClientId = "<insert here>";
options.ClientSecret = "<insert here>";
});
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication (options =>
{
options.Authority = "https://localhost:5001";
options.ApiName = "testapis";
});
var builder = services.AddIdentityServer(options =>
{
// see https://identityserver4.readthedocs.io/en/latest/topics/resources.html
options.EmitStaticAudienceClaim = true;
})
.AddDeveloperSigningCredential() //This is for dev only scenarios when you don’t have a certificate to use.
.AddInMemoryIdentityResources(Config.IdentityResources)
.AddInMemoryApiScopes(Config.ApiScopes)
.AddInMemoryClients(Config.Clients)
.AddTestUsers(TestUsers.Users)
.AddCustomTokenRequestValidator<CustomTokenRequestValidator>();
// not recommended for production - you need to store your key material somewhere secure
builder.AddDeveloperSigningCredential();
}
public void Configure(IApplicationBuilder app)
{
if (Environment.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseHttpsRedirection();
//// uncomment if you want to add MVC
app.UseStaticFiles();
app.UseRouting();
app.UseIdentityServer();
app.UseAuthentication();
//// uncomment, if you want to add MVC
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapDefaultControllerRoute();
});
}
}
2条答案
按热度按时间drkbr07n1#
一个问题是,您应该总是要求openid作用域,而不仅仅是ap1。
bkhjykvo2#
我终于可以得到我的访问令牌了,而且我可以告诉你,当目标客户端上的AllowedGrantType是'ClientCredentials'时,你不能请求openid或profile作用域。对于我的测试客户端,我已经将这两个作用域添加到AllowedScopes列表中,但总是无法得到我的授权代码。如果我只请求ApiScope,它就可以了。如果作用域是IdentityResource,它就不能工作。
这很好,因为我的项目要求我实现Code grantType,我已经在一定程度上实现了它。