id_token in IdentityServer4的错误受众
我正在尝试用以下方法设置一个解决方案:
- IdentityServer4实例
- React/ js client
- ASP.NET Core (受IdentityServer)
保护)
由于我希望使用角色和声明,所以我希望使用引用令牌(id_token),并让API验证针对IdentityServer的声明。
IdentityServer实例的配置:
"IdentityServer": {
"IdentityResources": [
"openid",
"email",
"phone",
"profile"
],
"ApiResources": [
{
"Name": "b2a6f5a1-9317-4b2f-bb02-c2f7cd70ce9a",
"DisplayName": "My API",
"ApiSecrets": [ { "Value": "<BASE 64 ENCODED SHA256 HASH OF SECRET>" } ]
}
],
"Clients": [
{
"Enabled": true,
"ClientId": "976d5079-f190-41a2-a6f6-be92470bacc0",
"ClientName": "My JS client",
"ClientUri": "http://localhost:3000",
"LogoUri": "logo.png",
"RequireClientSecret": false,
"AllowAccessTokensViaBrowser": true,
"RequireConsent": false,
"ClientClaimsPrefix": null,
"AccessTokenType": "reference",
"AllowedGrantTypes": [ "implicit" ],
"RedirectUris": [ "http://localhost:3000/authentication/login-callback" ],
"PostLogoutRedirectUris": [ "http://localhost:3000/authentication/logout-callback" ],
"AllowedCorsOrigins": [ "http://localhost:3000" ],
"AllowedScopes": [ "openid", "email", "phone", "profile", "b2a6f5a1-9317-4b2f-bb02-c2f7cd70ce9a" ]
}
]
} (受保护的) API的配置
"Identity": {
"Authority": "https://localhost:44311",
"ApiName": "b2a6f5a1-9317-4b2f-bb02-c2f7cd70ce9a",
"ApiSecret": "<UNHASHED SECRET>"
}API的Startup.cs:
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
})
.AddIdentityServerAuthentication(options =>
{
options.Authority = Configuration.GetValue<string>("Identity:Authority");
options.ApiName = Configuration.GetValue<string>("Identity:ApiName");
options.ApiSecret = Configuration.GetValue<string>("Identity:ApiSecret");
});我使用以下参数查询IdentityServer以获得id_token:
export const Settings: any = {
authority: "https://localhost:44311",
post_logout_redirect_uri: "http://localhost:3000/authentication/logout-callback",
redirect_uri: "http://localhost:3000/authentication/login-callback",
response_type: "id_token",
scope: "openid email profile phone b2a6f5a1-9317-4b2f-bb02-c2f7cd70ce9a"
};我得到以下错误:Requests for id_token response type only must not include resource scopes。
如果我将范围更改为:
export const Settings: any = {
// ...
scope: "openid email profile phone" // removed (protected) api resource
};它起作用了,我得到了这样一个id_token:
{
"nbf": 1573798909,
"exp": 1573799209,
"iss": "https://localhost:44311",
"aud": "976d5079-f190-41a2-a6f6-be92470bacc0",
"nonce": "d768a177af684324b30ba73116a0ae79",
"iat": 1573798909,
"s_hash": "HbWErYNKpgsiOIO82IiReA",
"sid": "vVWVhLnVLiCMdLSBWnVUQA",
"sub": "90f84a26-f756-4923-9d26-6104eef031ac",
"auth_time": 1573798909,
"idp": "local",
"preferred_username": "noreply",
"name": "noreply",
"email": "noreply@example.com",
"email_verified": false,
"amr": [
"pwd"
]
}注意,观众是976d5079-f190-41a2-a6f6-be92470bacc0,它是js客户机。
当我在受保护的API上使用这个令牌时,它说:
Bearer error="invalid_token", error_description="The audience '976d5079-f190-41a2-a6f6-be92470bacc0' is invalid"这并不奇怪,因为API有id b2a6f5a1-9317-4b2f-bb02-c2f7cd70ce9a。
所以我的问题是:我哪里错了?我如何为正确的观众得到标记?
回答 1
Stack Overflow用户
发布于 2019-11-15 06:41:28
ID token将由客户端应用程序(React/js)应用程序进行验证,以获得用户声明,因此用户是客户端应用程序的客户ID。通过您的web的令牌应该通过web进行验证,因此受众是web的名称。
ID token包含关于不用于访问受保护资源的最终用户的信息,而Access token允许访问某些已定义的服务器资源.You可以将response_type设置为id_token token,并将api名称/作用域添加到scope配置中。使用隐式流,在身份验证之后,客户端将获得一个ID token和一个Access token,您现在可以使用访问令牌来访问受保护的web。
https://stackoverflow.com/questions/58871454
复制相似问题
腾讯云开发者
