asp.net 获取DiscoveryClient失败,并显示“颁发者名称与权限不匹配”

rryofs0p  于 2023-10-21  发布在  .NET
关注(0)|答案(4)|浏览(111)

我在使用IdentityModel的DiscoveryClient执行GET时得到以下错误:

var discoveryResponse = await DiscoveryClient.GetAsync("https://localhost/IdentityServer");

颁发者名称与权限不匹配:https://localhost/identityserver
目标URL是在启用了IdentityServer4的IIS上运行的ASP.NET Core Web应用程序。客户端应用程序是在同一台机器上运行的经典ASP.NETWeb应用程序。
显然,GET确实设法从IdentityServer中检索了值,discoveryResponse.Raw的内容证明了这一点:

{
  "issuer": "https://localhost/identityserver",
  "jwks_uri": "https://localhost/IdentityServer/.well-known/openid-configuration/jwks",
  "authorization_endpoint": "https://localhost/IdentityServer/connect/authorize",
  "token_endpoint": "https://localhost/IdentityServer/connect/token",
  "userinfo_endpoint": "https://localhost/IdentityServer/connect/userinfo",
  "end_session_endpoint": "https://localhost/IdentityServer/connect/endsession",
  "check_session_iframe": "https://localhost/IdentityServer/connect/checksession",
  "revocation_endpoint": "https://localhost/IdentityServer/connect/revocation",
  "introspection_endpoint": "https://localhost/IdentityServer/connect/introspect",
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "scopes_supported": [ "CustomIdentityResources", "profile", "openid", "MyAPI.full_access", "offline_access" ],
  "claims_supported": [],
  "grant_types_supported": [ "authorization_code", "client_credentials", "refresh_token", "implicit" ],
  "response_types_supported": [ "code", "token", "id_token", "id_token token", "code id_token", "code token", "code id_token token" ],
  "response_modes_supported": [ "form_post", "query", "fragment" ],
  "token_endpoint_auth_methods_supported": [ "client_secret_basic", "client_secret_post" ],
  "subject_types_supported": [ "public" ],
  "id_token_signing_alg_values_supported": [ "RS256" ],
  "code_challenge_methods_supported": [ "plain", "S256" ]
}
asp.net

4条答案

按热度按时间
f2uvfpb9

f2uvfpb91#

授权:https://localhost/IdentityServer发行人:https://localhost/identityserver
它们不匹配-这是区分大小写的。

赞(0)分享  回复(0)举报  2023-10-21
4dc9hkyq

4dc9hkyq2#

在无法更改服务器代码以适应策略的情况下,可以更改策略设置以允许名称不匹配。
例如,我尝试在Azure Rest API上使用DiscoveryClientissuerhttps://sts.windows.net/{{ tenant_id }},而端点都以https://login.microsoft.com/{{ tenant_id }}开头。
只需将字段ValidateIssuerNameValidateEndpoints设置为false。

var tenant_id = "8481D2AC-893F-4454-8A3B-A0297D301278"; // Made up for this example
var authority = $"https://login.microsoftonline.com/{tenant_id}";
DiscoveryClient discoveryClient = new DiscoveryClient(authority);

// Accept the configuration even if the issuer and endpoints don't match
discoveryClient.Policy.ValidateIssuerName = false;
discoveryClient.Policy.ValidateEndpoints = false;

var discoResponse = await discoveryClient.GetAsync();

后期编辑

自此消息发布以来,DiscoveryClient类已被弃用。
下面是新的调用语法:

var client = new HttpClient();
var discoResponse = await client.GetDiscoveryDocumentAsync(
    new DiscoveryDocumentRequest
    {
        Address = authority,
        Policy =
        {
            ValidateIssuerName = false,
            ValidateEndpoints = false,
        },
    }
);
赞(0)分享  回复(0)举报  2023-10-21
hyrbngr7

hyrbngr73#

其他的回答是针对客户端的--让它接受证书颁发者。
这将更改发现文档中颁发者的大小写:
默认情况下,Identity Server似乎会将颁发者Uri更改为URL。这导致发现文档对于发行者具有小写;以及你在代码/发布中输入的其他所有内容的情况。
我在我的Identity Server应用程序中修复了此问题,启动,配置服务方法

var builder 
  = services.AddIdentityServer(options => { options.LowerCaseIssuerUri = false; })

使用这意味着发现文档中的颁发者的大小写与所有其他URI相同。

赞(0)分享  回复(0)举报  2023-10-21
i7uaboj4

i7uaboj44#

如果对Discovery Client的请求的URL(或者在我的情况下,用于在验证期间内省访问令牌的URL)包含转义空格(即,“%20”而不是““),则也会发生此错误,如果在Identity Server中精确比较URL,则这是有意义的。

赞(0)分享  回复(0)举报  2023-10-21
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com