swagger 身份服务器随机“invalid_grant”

krcsximq  于 2022-11-06  发布在  其他
关注(0)|答案(1)|浏览(244)

您好,我遇到了IdentityServer 4问题。当我们首次使用Swagger向IDP发起呼叫时,我可以获得令牌

  1. [12:36:21 DBG] Getting claims for identity token for subject: 3680d5aa-4b35-4e39-a1ce-cfbc6961f4c3 and client: Idp.UserIdentitySwagger
  2. [12:36:21 DBG] In addition to an id_token, an access_token was requested. No claims other than sub are included in the id_token. To obtain more user claims, either use the user info endpoint or set AlwaysIncludeUserClaimsInIdToken on the client configuration.
  3. [12:36:21 VRB] Creating JWT identity token
  4. [12:36:21 INF] {"ClientId": "Idp.UserIdentitySwagger", "ClientName": "Idp.UserIdentity Swagger", "RedirectUri": null, "Endpoint": "Token", "SubjectId": "3680d5aa-4b35-4e39-a1ce-cfbc6961f4c3", "Scopes": "openid profile email", "GrantType": "authorization_code", "Tokens": [{"TokenType": "id_token", "TokenValue": "****dlrQ", "$type": "Token"}, {"TokenType": "access_token", "TokenValue": "****g_rw", "$type": "Token"}], "Category": "Token", "Name": "Token Issued Success", "EventType": "Success", "Id": 2000, "Message": null, "ActivityId": "0HMJ7TTLK79RA:0000000E", "TimeStamp": "2022-07-17T12:36:21.0000000Z", "ProcessId": 1, "LocalIpAddress": "10.244.1.16:443", "RemoteIpAddress": "10.244.0.9", "$type": "TokenIssuedSuccessEvent"}
  5. [12:36:21 VRB] Identity token issued for Idp.UserIdentitySwagger (Idp.UserIdentity Swagger) / 3680d5aa-4b35-4e39-a1ce-cfbc6961f4c3: eyJhbGciOiJSUzI1NiIsImtpZCI6IjIzNTJFMjcwQkFDQjUwMDAwNjM1NkY3RjIwRDM0MEIwQjk3NDRCRThSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6IkkxTGljTHJMVUFBR05XOV9JTk5Bc0xsMFMtZyJ9.eyJuYmYiOjE2NTgwNjEzODEsImV4cCI6MTY1ODA2NDk4MSwiaXNzIjoiaHR0cHM6Ly9pZHAub3Vpb3VpZGlzY291bnQuY29tIiwiYXVkIjoiSWRwLlVzZXJJZGVudGl0eVN3YWdnZXIiLCJpYXQiOjE2NTgwNjEzODEsImF0X2hhc2giOiJFWWRZYWtpb0ZFUTN6Z19qeHZ1Umd3Iiwic19oYXNoIjoiMUxYeTNQMXpaOTZiU2lDWjBrRmNBZyIsInNpZCI6IjYzREQ4OEQ5QTQ0NEEyRDQzRDU1QUNBMjYyQTM1MTc3Iiwic3ViIjoiMzY4MGQ1YWEtNGIzNS00ZTM5LWExY2UtY2ZiYzY5NjFmNGMzIiwiYXV0aF90aW1lIjoxNjU4MDYxMzczLCJpZHAiOiJsb2NhbCIsImFtciI6WyJwd2QiXX0.kyOSEob49JTd10Wmz3YMgg48MB-RRWmSJ6JB2dZeu-0r8WPOK69XXlq74bGAoyV6DwytsyTOmwb7h5Wnu5zcgbHFJ_ycGAi5PwOiO1clyDIpYW5ql__SZ2JH31ppuRg616eDaX0M2p9PFfW4MBSM1d4p69aWrbqAmuj8g833VjtZOFkZcgS6OZotqbM_zxOGLhfkzwJQtDjHdh1_imJp80fa4uv_0KOpWc62hclOXcBS8oKvgQYyeeS8AIXGrIBoNII8ZQ8yK-BrqOAjm4f1PVyyhQa8P19gXWoASQL6EHb-zCUo5VUXAu7bukBb4JNNzk8jUTCWvSUo9z4_rDdlrQ
  6. [12:36:21 VRB] Access token issued for Idp.UserIdentitySwagger (Idp.UserIdentity Swagger) / 3680d5aa-4b35-4e39-a1ce-cfbc6961f4c3: eyJhbGciOiJSUzI1NiIsImtpZCI6IjIzNTJFMjcwQkFDQjUwMDAwNjM1NkY3RjIwRDM0MEIwQjk3NDRCRThSUzI1NiIsInR5cCI6ImF0K2p3dCIsIng1dCI6IkkxTGljTHJMVUFBR05XOV9JTk5Bc0xsMFMtZyJ9.eyJuYmYiOjE2NTgwNjEzODEsImV4cCI6MTY1ODA2NDk4MSwiaXNzIjoiaHR0cHM6Ly9pZHAub3Vpb3VpZGlzY291bnQuY29tIiwiY2xpZW50X2lkIjoiSWRwLlVzZXJJZGVudGl0eVN3YWdnZXIiLCJzdWIiOiIzNjgwZDVhYS00YjM1LTRlMzktYTFjZS1jZmJjNjk2MWY0YzMiLCJhdXRoX3RpbWUiOjE2NTgwNjEzNzMsImlkcCI6ImxvY2FsIiwic2lkIjoiNjNERDg4RDlBNDQ0QTJENDNENTVBQ0EyNjJBMzUxNzciLCJpYXQiOjE2NTgwNjEzODEsInNjb3BlIjpbIm9wZW5pZCIsInByb2ZpbGUiLCJlbWFpbCJdLCJhbXIiOlsicHdkIl19.BXtDlQKqw8rGmgnLjJuWJicF2BIHPzpp48NC-aP9cpzy7dqYY2a8kI1x07vTnhX2rcEjdfqhfMIfyJuqZJBhXVtfI7R60QyfuAj3Ozpa4KGE2Y28d9Xntizf4ctwUXFLZVboH8MrXflcIiDL8s5h_c6P6W2NafYK_1m7xpU68Qq0NsxqXsaG2SZT_nph-bl_hEvfR_AfXbkDI12Z606hSqAhjP5v_TQfc6_0zveCVTiFRUMCzTzndtRSVtNrP3WPGXalOTtOaeOIUFssDvqNYeF6nch245vjw5NQQu3zUgETOSJfeO_d0c7VCeEvp_s_yCEFCVOIl2_xvWd3Hig_rw

我断开连接并尝试再次登录,但出现“invalid_grant”。我清除该高速缓存并再次尝试,但仍无效。在多次尝试后,我可以登录。我认为这是随机错误。我无法找出此错误背后的原因。以下是错误消息以及IDP配置和客户端配置。希望它能有所帮助。

  1. [12:42:06 DBG] A data reader was disposed.
  2. [12:42:06 DBG] Closing connection to database 'IdpDb' on server 'tcp://XXXXXXXXXXX:5432'.
  3. [12:42:06 DBG] Closed connection to database 'IdpDb' on server ''.
  4. [12:42:06 DBG] tJc155MKnmvPDXowrLH4laE8GBDyxFtEveiaB/ONE4w= found in database: False
  5. [12:42:06 DBG] authorization_code grant with value: E3661868CE07773D4612B6A32A5D10B9B0A48D00E616718C795D9ED5F6827348 not found in store.
  6. [12:42:06 ERR] Invalid authorization code{"code": "E3661868CE07773D4612B6A32A5D10B9B0A48D00E616718C795D9ED5F6827348"}, details: {"ClientId": "Idp.UserIdentitySwagger", "ClientName": "Idp.UserIdentity Swagger", "GrantType": "authorization_code", "Scopes": null, "AuthorizationCode": "****7348", "RefreshToken": "********", "UserName": null, "AuthenticationContextReferenceClasses": null, "Tenant": null, "IdP": null, "Raw": {"grant_type": "authorization_code", "code": "E3661868CE07773D4612B6A32A5D10B9B0A48D00E616718C795D9ED5F6827348", "client_id": "Idp.UserIdentitySwagger", "client_secret": "***REDACTED***", "redirect_uri": "https://identity.*******.com/swagger/oauth2-redirect.html", "code_verifier": "eMCIRwHDzhTf1YrRr651Uaqi_COopBhc7ZfOGyjRiAc"}, "$type": "TokenRequestValidationLog"}
  7. [12:42:06 INF] {"ClientId": "Idp.UserIdentitySwagger", "ClientName": "Idp.UserIdentity Swagger", "RedirectUri": null, "Endpoint": "Token", "SubjectId": null, "Scopes": null, "GrantType": "authorization_code", "Error": "invalid_grant", "ErrorDescription": null, "Category": "Token", "Name": "Token Issued Failure", "EventType": "Failure", "Id": 2001, "Message": null, "ActivityId": "0HMJ7TTLK79RH:00000008", "TimeStamp": "2022-07-17T12:42:06.0000000Z", "ProcessId": 1, "LocalIpAddress": "10.244.1.16:443", "RemoteIpAddress": "10.244.0.9", "$type": "TokenIssuedFailureEvent"}
  8. [12:42:06 VRB] Invoking result: IdentityServer4.Endpoints.Results.TokenErrorResult

Idp配置

  1. services.AddIdentityServer(options =>
  2.         {
  3.             options.Events.RaiseErrorEvents = true;
  4.             options.Events.RaiseInformationEvents = true;
  5.             options.Events.RaiseFailureEvents = true;
  6.             options.Events.RaiseSuccessEvents = true;
  7.         })
  8.         .AddConfigurationStore(options =>
  9.         {
  10.             options.ConfigureDbContext = (t) =>
  11.             {
  12.                 t.UseNpgsql(configuration.GetConnectionString("IdpDb"),
  13.                     b => b.MigrationsAssembly(migrationsAssembly));
  14.                 t.EnableSensitiveDataLogging();
  15.             };
  16.         })
  17.         .AddOperationalStore(options =>
  18.         {
  19.             options.ConfigureDbContext = (t) =>
  20.             {
  21.                 t.UseNpgsql(configuration.GetConnectionString("IdpDb"),
  22.                     b => b.MigrationsAssembly(migrationsAssembly));
  23.                 t.EnableSensitiveDataLogging();
  24.             };
  25.         })
  26.         .AddProfileService<BrandeeUserProfileService>()
  27.         .AddSigningCredential(LoadCertificate(configuration));

数据保护代码:

  1. services.AddDataProtection()
  2.         .SetApplicationName("TAASe")
  3.         .UseCryptographicAlgorithms(
  4.             new AuthenticatedEncryptorConfiguration()
  5.             {
  6.                 EncryptionAlgorithm = EncryptionAlgorithm.AES_256_CBC,
  7.                 ValidationAlgorithm = ValidationAlgorithm.HMACSHA256,
  8.             }
  9.         )
  10.         .ProtectKeysWithCertificate(new X509Certificate2(configuration["Certificate:Path"],
  11.             configuration["Certificate:Password"]))
  12.         .PersistKeysToDbContext<AppDataProtectionDbContext>()
  13.         .SetDefaultKeyLifetime(TimeSpan.FromDays(14));

客户端定义:

  1. {
  2.   "clientId": "Idp.UserIdentity Swagger",
  3.   "clientName": "Idp.UserIdentity Swagger",
  4.   "requireConsent": true,
  5.   "accessTokenLifetime": 3600,
  6.   "identityTokenLifetime": 3600,
  7.   "allowOfflineAccess": true,
  8.   "alwaysSendClientClaims": true,
  9.   "secrets": [
  10.     "secret"
  11.   ],
  12.   "scopes": [
  13.     "openid","profile","email"
  14.   ],
  15.   "allowedGrantType": [
  16.     "authorization_code"
  17.   ],
  18.   "redirectUris": [
  19.     "https://identity.XXXXXXXXXX.com/swagger/oauth2-redirect.html"
  20.   ],
  21.   "corsOrigins": [
  22.     "https://identity.XXXXXXX.com"
  23.   ],
  24.   "postLogoutRedirectUri": []
  25. }

在斯瓦格

  1. services.AddSwaggerGen(options =>
  2.         {
  3.             var oauthSecuritySchema = new OpenApiSecurityScheme()
  4.             {
  5.                 Type = SecuritySchemeType.OAuth2,
  6.                 Flows = new OpenApiOAuthFlows()
  7.                 {
  8.                     AuthorizationCode = new OpenApiOAuthFlow()
  9.                     {
  10.                         AuthorizationUrl = new Uri(configuration["Idp:AuthorizationUrl"]),
  11.                         Scopes = new Dictionary<string, string>()
  12.                         {
  13.                             // {"Idp.UserManagement","Identity"},
  14.                             {"openid","openid"},
  15.                             {"profile","profile"},
  16.                             {"email","email"}
  17.                         },
  18.                         TokenUrl = new Uri(configuration["Idp:TokenUrl"]),
  19.                     }
  20.                 },
  21.                 Name = configuration["Swagger:Name"],
  22.             };
  23.             options.SwaggerDoc("v1", new OpenApiInfo {Title = "Protected API", Version = "v1"});
  24.             options.AddSecurityDefinition("oauth2", oauthSecuritySchema);
  25.             options.OperationFilter<AuthorizeCheckOperationFilter>();
  26.             options.EnableAnnotations();
  27.         });
swagger

1条答案

按热度按时间
lymgl2op

lymgl2op1#

当用户登录时,Idp将代码保存在PersistedGrants表中,其键由(code + ":" + "authorization_code").Sha256()组成。对于您的代码E3661868CE07773D4612B6A32A5D10B9B0A48D00E616718C795D9ED5F6827348,键为tJc155MKnmvPDXowrLH4laE8GBDyxFtEveiaB/ONE4w=。根据日志,这是正确的。然后,Idp将此代码返回给调用方。
Idp尝试通过再次形成密钥、从数据库中检索密钥并检查传递的代码是否与先前存储的匹配来恢复该记录。
操作存储中的持久性似乎未正常工作。此记录未保存在第一部分中,或者用于在第二部分中获取该记录的查询未正常工作。无论是什么原因,服务都将返回一般invalid_grant错误消息。
检查记录是否保存在PersistedGrants表中。您可以使用我的Fiddle来形成密钥并使用其他代码进行测试。
如果在调用SaveAsync时出现任何EF异常,请检查以前的日志。

赞(0)分享  回复(0)举报  2022-11-06
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com