OpenIddict发布器验证在linux服务器上失败
OpenIddict发布器验证在linux服务器上失败
提问于 2021-03-21 14:37:49
基于OpenIddict的身份服务器在其自己的授权控制器中验证令牌,但当通过/introspect端点从另一个资源服务器访问令牌时,它会拒绝该令牌。
在开发机器上一切都很好。这是在将服务部署到Linux服务器之后发生的,在Linux服务器中,服务托管在同一台机器的不同端口上。
这是我日志中的实际异常:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'System.String'. Did not match: validationParameters.ValidIssuer: 'System.String' or validationParameters.ValidIssuers: 'System.String'.设置类似于以下内容:https://github.com/openiddict/openiddict-samples/blob/dev/samples/Zirku/Zirku.Server/Startup.cs
这是我的openiddict设置:
services.AddOpenIddict()
.AddCore(options =>
{
// Configure OpenIddict to use the Entity Framework Core stores and models.
// Note: call ReplaceDefaultEntities() to replace the default OpenIddict entities.
options.UseEntityFrameworkCore()
.UseDbContext<ApplicationDbContext>();
}).AddServer(options =>
{
// Enable the authorization, logout, token and userinfo endpoints.
options.SetAuthorizationEndpointUris("/connect/authorize")
.SetLogoutEndpointUris("/connect/logout")
.SetTokenEndpointUris("/connect/token")
.SetIntrospectionEndpointUris("/connect/introspect")
.SetUserinfoEndpointUris("/connect/userinfo");
// Mark the "email", "profile" and "roles" scopes as supported scopes.
options.RegisterScopes(OpenIddictConstants.Scopes.Email, OpenIddictConstants.Scopes.Profile,
OpenIddictConstants.Scopes.Roles);
// Note: this sample only uses the authorization code flow but you can enable
// the other flows if you need to support implicit, password or client credentials.
options.AllowAuthorizationCodeFlow().RequireProofKeyForCodeExchange();
options.AllowClientCredentialsFlow();
options.AllowPasswordFlow();
options.AllowRefreshTokenFlow();
// Register the signing and encryption credentials.
options.AddDevelopmentEncryptionCertificate();
// .AddDevelopmentSigningCertificate();
// Encryption and signing of tokens
options.AddEphemeralEncryptionKey()
.AddEphemeralSigningKey();
options.RegisterScopes(ApplicationConstants.MobileApiResource);
options.SetAccessTokenLifetime(TimeSpan.FromMinutes(5));
options.SetIdentityTokenLifetime(TimeSpan.FromMinutes(15));
options.SetRefreshTokenLifetime(TimeSpan.FromHours(1));
// Register the ASP.NET Core host and configure the ASP.NET Core-specific options.
options.UseAspNetCore()
//todo remove the disable transport layer security
.DisableTransportSecurityRequirement()
.EnableAuthorizationEndpointPassthrough()
.EnableLogoutEndpointPassthrough()
.EnableTokenEndpointPassthrough()
.EnableUserinfoEndpointPassthrough()
.EnableStatusCodePagesIntegration();
options.DisableAccessTokenEncryption();
})
.AddValidation(options =>
{
// Import the configuration from the local OpenIddict server instance.
options.UseLocalServer();
// Register the ASP.NET Core host.
options.UseAspNetCore();
});这是我的API上的设置:
services.AddAuthentication(options =>
{
options.DefaultScheme = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
});
services.AddOpenIddict()
.AddValidation(options =>
{
// Note: the validation handler uses OpenID Connect discovery
// to retrieve the address of the introspection endpoint.
options.SetIssuer(identityUrl);
options.AddAudiences("client_id");
// Configure the validation handler to use introspection and register the client
// credentials used when communicating with the remote introspection endpoint.
options.UseIntrospection()
.SetClientId("client_id")
.SetClientSecret("secret");
// Register the System.Net.Http integration.
options.UseSystemNetHttp();
// Register the ASP.NET Core host.
options.UseAspNetCore();
});回答 1
Stack Overflow用户
回答已采纳
发布于 2021-03-22 14:52:47
最后,在大四学生的帮助下,我们能够诊断出这个问题。这一问题与nginx有关。
服务器只返回颁发者域地址,而不返回端口,它将xyz.com作为颁发者返回,而不是实际发出者地址xyz.com:5001。
正确的解决方案是调整nginx代理的主机头指令。
改变了这一点:
proxy_set_header Host $host;对此:
proxy_set_header Host $http_host;还将其添加到标识服务器的Startup.cs中:
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/66733629
复制相关文章
相似问题
腾讯云开发者
