oauth2.0 openiddictasp.net核心：在docker中运行时发生身份验证错误，在没有docker的情况下运行时运行完美

错误：在reosurce服务器上成功提取了http：//identserver：5999/connect/introspect返回的内省响应：{“active”：false}. OpenIddict.Validation.AspNetCore未通过身份验证。失败消息：验证当前请求时出错。
资源服务器错误

openiddict服务器日志

2023-03-23 12:55:01 info: OpenIddict.Server.OpenIddictServerDispatcher[0]
2023-03-23 12:55:01       The request URI matched a server endpoint: Introspection.
2023-03-23 12:55:01 info: OpenIddict.Server.OpenIddictServerDispatcher[0]
2023-03-23 12:55:01       The introspection request was successfully extracted: {
2023-03-23 12:55:01         "client_id": "catalog_server",
2023-03-23 12:55:01         "client_secret": "[redacted]",
2023-03-23 12:55:01         "token": "[redacted]",
2023-03-23 12:55:01         "token_type_hint": "access_token"
2023-03-23 12:55:01       }.
2023-03-23 12:55:01 info: Microsoft.EntityFrameworkCore.Database.Command[20101]
2023-03-23 12:55:01       Executed DbCommand (1ms) [Parameters=[@__identifier_0='?'], CommandType='Text', CommandTimeout='30']
2023-03-23 12:55:01       SELECT o.id, o.client_id, o.client_secret, o.concurrency_token, o.consent_type, o.display_name, o.display_names, o.permissions, o.post_logout_redirect_uris, o.properties, o.redirect_uris, o.requirements, o.type
2023-03-23 12:55:01       FROM public.openiddictentityframeworkcoreapplication AS o
2023-03-23 12:55:01       WHERE o.client_id = @__identifier_0
2023-03-23 12:55:01       LIMIT 1
2023-03-23 12:55:01 info: OpenIddict.Server.OpenIddictServerDispatcher[0]
2023-03-23 12:55:01       The response was successfully returned as a JSON document: {
2023-03-23 12:55:01         "active": false
2023-03-23 12:55:01       }.
2023-03-23 12:55:14 info: OpenIddict.Server.OpenIddictServerDispatcher[0]
2023-03-23 12:55:14       The request URI matched a server endpoint: Introspection.
2023-03-23 12:55:14 info: OpenIddict.Server.OpenIddictServerDispatcher[0]
2023-03-23 12:55:14       The introspection request was successfully extracted: {
2023-03-23 12:55:14         "client_id": "catalog_server",
2023-03-23 12:55:14         "client_secret": "[redacted]",
2023-03-23 12:55:14         "token": "[redacted]",
2023-03-23 12:55:14         "token_type_hint": "access_token"
2023-03-23 12:55:14       }.
2023-03-23 12:55:14 info: Microsoft.EntityFrameworkCore.Database.Command[20101]
2023-03-23 12:55:14       Executed DbCommand (1ms) [Parameters=[@__identifier_0='?'], CommandType='Text', CommandTimeout='30']
2023-03-23 12:55:14       SELECT o.id, o.client_id, o.client_secret, o.concurrency_token, o.consent_type, o.display_name, o.display_names, o.permissions, o.post_logout_redirect_uris, o.properties, o.redirect_uris, o.requirements, o.type
2023-03-23 12:55:14       FROM public.openiddictentityframeworkcoreapplication AS o
2023-03-23 12:55:14       WHERE o.client_id = @__identifier_0
2023-03-23 12:55:14       LIMIT 1
2023-03-23 12:55:14 info: OpenIddict.Server.OpenIddictServerDispatcher[0]
2023-03-23 12:55:14       The response was successfully returned as a JSON document: {
2023-03-23 12:55:14         "active": false
2023-03-23 12:55:14       }.
2023-03-23 13:01:32 info: Microsoft.EntityFrameworkCore.Database.Command[20101]
2023-03-23 13:01:32       Executed DbCommand (2ms) [Parameters=[@__date_0='?' (DbType = DateTime), @__p_1='?' (DbType = Int32)], CommandType='Text', CommandTimeout='30']
2023-03-23 13:01:32       SELECT o.id, o.application_id, o.authorization_id, o.concurrency_token, o.creation_date, o.expiration_date, o.payload, o.properties, o.redemption_date, o.reference_id, o.status, o.subject, o.type
2023-03-23 13:01:32       FROM public.openiddictentityframeworkcoretoken AS o
2023-03-23 13:01:32       LEFT JOIN public.openiddictentityframeworkcoreauthorization AS o0 ON o.authorization_id = o0.id
2023-03-23 13:01:32       WHERE o.creation_date < @__date_0 AND (o.status NOT IN ('inactive', 'valid') OR (o.status IS NULL) OR ((o0.id IS NOT NULL) AND (o0.status <> 'valid' OR (o0.status IS NULL))) OR o.expiration_date < (now() AT TIME ZONE 'UTC'))
2023-03-23 13:01:32       ORDER BY o.id
2023-03-23 13:01:32       LIMIT @__p_1
2023-03-23 13:01:33 info: Microsoft.EntityFrameworkCore.Database.Command[20101]
2023-03-23 13:01:33       Executed DbCommand (1ms) [Parameters=[@__date_0='?' (DbType = DateTime), @__p_1='?' (DbType = Int32)], CommandType='Text', CommandTimeout='30']
2023-03-23 13:01:33       SELECT t.id, t.application_id, t.concurrency_token, t.creation_date, t.properties, t.scopes, t.status, t.subject, t.type, o1.id, o1.application_id, o1.authorization_id, o1.concurrency_token, o1.creation_date, o1.expiration_date, o1.payload, o1.properties, o1.redemption_date, o1.reference_id, o1.status, o1.subject, o1.type
2023-03-23 13:01:33       FROM (
2023-03-23 13:01:33           SELECT o.id, o.application_id, o.concurrency_token, o.creation_date, o.properties, o.scopes, o.status, o.subject, o.type
2023-03-23 13:01:33           FROM public.openiddictentityframeworkcoreauthorization AS o
2023-03-23 13:01:33           WHERE o.creation_date < @__date_0 AND (o.status <> 'valid' OR (o.status IS NULL) OR (o.type = 'ad-hoc' AND NOT (EXISTS (
2023-03-23 13:01:33               SELECT 1
2023-03-23 13:01:33               FROM public.openiddictentityframeworkcoretoken AS o0
2023-03-23 13:01:33               WHERE o.id = o0.authorization_id))))
2023-03-23 13:01:33           ORDER BY o.id
2023-03-23 13:01:33           LIMIT @__p_1
2023-03-23 13:01:33       ) AS t
2023-03-23 13:01:33       LEFT JOIN public.openiddictentityframeworkcoretoken AS o1 ON t.id = o1.authorization_id
2023-03-23 13:01:33       ORDER BY t.id

我在docker中运行openiddict服务器端口5999：5999资源服务器8000：80两个服务都在docker中运行并使用http服务器program.cs

builder.Services.AddOpenIddict()

    // Register the OpenIddict core components.
    .AddCore(options =>
    {
        // Configure OpenIddict to use the Entity Framework Core stores and models.
        // Note: call ReplaceDefaultEntities() to replace the default OpenIddict entities.
        options.UseEntityFrameworkCore()
               .UseDbContext<ApplicationDbContext>();

        // Developers who prefer using MongoDB can remove the previous lines
        // and configure OpenIddict to use the specified MongoDB database:
        // options.UseMongoDb()
        //        .UseDatabase(new MongoClient().GetDatabase("openiddict"));

        // Enable Quartz.NET integration.
        options.UseQuartz();
    })

    // Register the OpenIddict client components.
    .AddClient(options =>
    {
        // Note: this sample uses the code flow, but you can enable the other flows if necessary.
        options.AllowAuthorizationCodeFlow();

        // Register the signing and encryption credentials used to protect
        // sensitive data like the state tokens produced by OpenIddict.
        options.AddDevelopmentEncryptionCertificate()
               .AddDevelopmentSigningCertificate();

        // Register the ASP.NET Core host and configure the ASP.NET Core-specific options.
        options.UseAspNetCore()
               .EnableStatusCodePagesIntegration()
               .EnableRedirectionEndpointPassthrough();

        // Register the System.Net.Http integration and use the identity of the current
        // assembly as a more specific user agent, which can be useful when dealing with
        // providers that use the user agent as a way to throttle requests (e.g Reddit).
        options.UseSystemNetHttp()
               .SetProductInformation(typeof(Program).Assembly);

        // Register the Web providers integrations.
        //
        // Note: to mitigate mix-up attacks, it's recommended to use a unique redirection endpoint
        // URI per provider, unless all the registered providers support returning a special "iss"
        // parameter containing their URL as part of authorization responses. For more information,
        // see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.4.
        options.UseWebProviders()
               .UseGitHub()
               .SetClientId("c4ade52327b01ddacff3")
               .SetClientSecret("da6bed851b75e317bf6b2cb67013679d9467c122")
               .SetRedirectUri("callback/login/github");
    })

    // Register the OpenIddict server components.
    .AddServer(options =>
    {
        // Enable the authorization, device, introspection,
        // logout, token, userinfo and verification endpoints.
        options.SetAuthorizationEndpointUris("connect/authorize")
               .SetDeviceEndpointUris("connect/device")
               .SetIntrospectionEndpointUris("connect/introspect")
               .SetLogoutEndpointUris("connect/logout")
               .SetTokenEndpointUris("connect/token")
               .SetUserinfoEndpointUris("connect/userinfo")
               .SetVerificationEndpointUris("connect/verify");

        // Note: this sample uses the code, device code, password and refresh token flows, but you
        // can enable the other flows if you need to support implicit or client credentials.
        options.AllowAuthorizationCodeFlow()
               .AllowDeviceCodeFlow()
               .AllowPasswordFlow()
               .AllowRefreshTokenFlow();

        // Mark the "email", "profile", "roles" and "demo_api" scopes as supported scopes.
        options.RegisterScopes(Scopes.Email, Scopes.Profile, Scopes.Roles, "demo_api");

        // Register the signing and encryption credentials.
        options.AddDevelopmentEncryptionCertificate()
               .AddDevelopmentSigningCertificate();

        // Force client applications to use Proof Key for Code Exchange (PKCE).
        options.RequireProofKeyForCodeExchange();

        // Disable ssl https for development 
        options.UseAspNetCore().DisableTransportSecurityRequirement();

        // Register the ASP.NET Core host and configure the ASP.NET Core-specific options.
        options.UseAspNetCore()
               .EnableStatusCodePagesIntegration()
               .EnableAuthorizationEndpointPassthrough()
               .EnableLogoutEndpointPassthrough()
               .EnableTokenEndpointPassthrough()
               .EnableUserinfoEndpointPassthrough()
               .EnableVerificationEndpointPassthrough();

        // Note: if you don't want to specify a client_id when sending
        // a token or revocation request, uncomment the following line:
        //
        // options.AcceptAnonymousClients();

        // Note: if you want to process authorization and token requests
        // that specify non-registered scopes, uncomment the following line:
        //
        // options.DisableScopeValidation();

        // Note: if you don't want to use permissions, you can disable
        // permission enforcement by uncommenting the following lines:
        //
        // options.IgnoreEndpointPermissions()
        //        .IgnoreGrantTypePermissions()
        //        .IgnoreResponseTypePermissions()
        //        .IgnoreScopePermissions();

        // Note: when issuing access tokens used by third-party APIs
        // you don't own, you can disable access token encryption:
        //
        // options.DisableAccessTokenEncryption();
    })

    // Register the OpenIddict validation components.
    .AddValidation(options =>
    {
        // Configure the audience accepted by this resource server.
        // The value MUST match the audience associated with the
        // "demo_api" scope, which is used by ResourceController.
        options.AddAudiences("resource_server");

        // Import the configuration from the local OpenIddict server instance.
        //options.UseLocalServer();

        // Instead of validating the token locally by reading it directly,
        // introspection can be used to ask a remote authorization server
        // to validate the token (and its attached database entry).
        //
        options.UseIntrospection()
               .SetIssuer("http://lcoalhost:5999")
               .SetClientId("catalog_server")
               .SetClientSecret("80B552BB-4CD8-48DA-946E-0815E0147DD2");
        //
        // When introspection is used, System.Net.Http integration must be enabled.
        //
        options.UseSystemNetHttp();

        // Register the ASP.NET Core host.
        options.UseAspNetCore();

        // For applications that need immediate access token or authorization
        // revocation, the database entry of the received tokens and their
        // associated authorizations can be validated for each API call.
        // Enabling these options may have a negative impact on performance.
        //
        // options.EnableAuthorizationEntryValidation();
        // options.EnableTokenEntryValidation();
    });

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
});
builder.Services.AddAutoMapper(AppDomain.CurrentDomain.GetAssemblies());

资源程序. cs

// Register the OpenIddict validation components.
builder.Services.AddOpenIddict()
    .AddValidation(options =>
    {
        // Note: the validation handler uses OpenID Connect discovery
        // to retrieve the address of the introspection endpoint.
        options.SetIssuer(builder.Configuration.GetValue<string>("IdentityUrl"));
        options.AddAudiences("catalog_server");

        // Configure the validation handler to use introspection and register the client
        // credentials used when communicating with the remote introspection endpoint.
        options.UseIntrospection()
        .SetClientSecret("80B552BB-4CD8-48DA-946E-0815E0147DD2")
               .SetClientId("catalog_server");

        // Register the System.Net.Http integration.
        options.UseSystemNetHttp();

        // Register the ASP.NET Core host.
        options.UseAspNetCore();
    });

builder.Services.AddAuthentication(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);
builder.Services.AddAuthorization();
var app = builder.Build();

// Configure the HTTP request pipeline.

app.UseHttpsRedirection();

app.UseAuthentication();
app.UseAuthorization();

oauth2.0 openiddictasp.net核心：在docker中运行时发生身份验证错误，在没有docker的情况下运行时运行完美

1条答案

相关问题

热门标签

最新问答