AJ *_*tis 15 oauth-2.0 identityserver3
I'm trying to set up Thinktecture's Identity Server 3, but when exchanging the authorization code (or when using the Resource Owner flow; I can't seem to get it to return a refresh token there either, but I'll focus on authorization code since that matters more to me right now) I get access tokens back and can authenticate with them just fine, but it doesn't even seem to be generating the refresh token I expect to get back. Is there something special I need to do to get Identity Server to return a refresh token?
I've looked at the documentation and don't see anything I've set up wrong, and the only thing on their refresh token page that I'm not doing is explicitly requesting the "offline_access" scope when sending the user over to authenticate, because whenever I try that I get an "invalid scope" error. So I took Thinktecture's wording "request the offline_access scope (via code or resource owner flow)" to mean that the offline_access scope is something that gets requested automatically depending on the flow you're using.
I've been trying to follow their sample apps (and the source of the existing OWIN middleware in the Katana project), and my setup is as follows:
var client = new Client()
{
    ClientId = "SomeId",
    ClientName = "Client with Authentication Code Flow",
    RequireConsent = false, //Setting this to true didn't help
    Flow = Flows.AuthorizationCode,
    ClientSecrets = new List<ClientSecret>() {
        new ClientSecret("secret")
    },
    RedirectUris = new List<string>()
    {
        "localhost:/specific-redirect-path"
    }
};
var authorizationEndpoint =
    AuthorizationEndpointBase +
    "?client_id=" + Uri.EscapeDataString(Options.ClientId) +
    "&scope=Default" +
    "&response_type=code" +
    "&redirect_uri=" + Uri.EscapeDataString(redirectUri) +
    "&state=" + Uri.EscapeDataString(state);
Response.Redirect(authorizationEndpoint);
where "Default" is a scope I created.
IReadableStringCollection query = Request.Query;
string code = getValueFromQueryString("code", query);
var tokenRequestParameters = new List<KeyValuePair<string, string>>()
{
    new KeyValuePair<string, string>("client_id", Options.ClientId),
    new KeyValuePair<string, string>("redirect_uri", GenerateRedirectUri()),
    new KeyValuePair<string, string>("client_secret", Options.ClientSecret),
    new KeyValuePair<string, string>("code", code),
    new KeyValuePair<string, string>("grant_type", "authorization_code"),
};
var requestContent = new FormUrlEncodedContent(tokenRequestParameters);
HttpResponseMessage response = await _httpClient.PostAsync(TokenEndpoint, requestContent, Request.CallCancelled);
response.EnsureSuccessStatusCode();
string oauthTokenResponse = await response.Content.ReadAsStringAsync();
When I call the token endpoint, my logging on the Identity Server shows the following (after validating the authorization code):
iisexpress.exe Information: 0 : [Thinktecture.IdentityServer.Core.Validation.TokenRequestValidator]: 7/13/2015 1:44:07 PM +00:00 -- Token request validation success
{
"ClientId": "SomeId",
"ClientName": "Client with Authentication Code Flow",
"GrantType": "authorization_code",
"AuthorizationCode": "f8f795e649044067ebd96a341c5af8c3"
}
iisexpress.exe Information: 0 : [Thinktecture.IdentityServer.Core.ResponseHandling.TokenResponseGenerator]: 7/13/2015 1:44:07 PM +00:00 -- Creating token response
iisexpress.exe Information: 0 : [Thinktecture.IdentityServer.Core.ResponseHandling.TokenResponseGenerator]: 7/13/2015 1:44:07 PM +00:00 -- Processing authorization code request
Debug: [Thinktecture.IdentityServer.Core.Services.Default.DefaultTokenService]: 7/13/2015 1:44:07 PM +00:00 -- Creating access token
Debug: [Thinktecture.IdentityServer.Core.Services.Default.DefaultTokenService]: 7/13/2015 1:44:07 PM +00:00 -- Creating reference access token
iisexpress.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.TokenEndpointController]: 7/13/2015 1:44:07 PM +00:00 -- End token request
iisexpress.exe Information: 0 : [Thinktecture.IdentityServer.Core.Results.TokenResult]: 7/13/2015 1:44:07 PM +00:00 -- Returning token response.
I'm not sure what else is relevant, so I'll provide more information as needed.
bit*_*der 31
You have to explicitly ask for "offline_access" in the request. Separate it from the other scopes you request with a space. (In the examples below I've replaced 'Default' with 'MyApi' to make it clear we're talking about a scope your application defines.)
&scope=MyApi offline_access
However, you also have to grant that client the right to obtain refresh tokens; this is not just a matter of the flow you choose:
var client = new Client()
{
    ... //All the stuff you were doing before
    ScopeRestrictions = new List<string>
    {
        "MyApi",
        StandardScopes.OfflineAccess.Name, //"offline_access" -for refresh tokens
        //Other commonly requested scopes:
        //StandardScopes.OpenId.Name, //"openid"
        //StandardScopes.Email.Name, //"email"
    },
};
You may also need to add "offline_access" to your scope store. The scope store is the list of scopes that Identity Server knows about. Your question doesn't mention how your scope store is set up in the project, so you may already have it. But if the above doesn't work for you right away, you may need to look for code like this in the sample you're working from and add OfflineAccess.
var scopeStore = new InMemoryScopeStore(new Scope[]{
    StandardScopes.OpenId,
    StandardScopes.Profile,
    StandardScopes.Email,
    StandardScopes.OfflineAccess, //<--- ensure this is here to allow refresh tokens
    new Scope{
        Enabled = true,
        Name = "MyApi"
    },
});
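An added example (not the question's or the answer's code, and not IdentityServer3's own) that puts the answer's first point into practice on the client side: the scope parameter is built from a space-separated list and escaped as one query value, the code is exchanged the way the question does it, and the token response is checked for a refresh_token so you can tell whether the server actually issued one rather than assuming it did. It assumes a .NET runtime with System.Text.Json and System.Net.Http; the endpoint URLs, client credentials and the two JSON bodies are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Added example, not code from the question or the answer above.
// Assumed: .NET with System.Text.Json; endpoints, credentials and the
// sample token responses below are placeholders.
public static class RefreshTokenFlowExample
{
    public const string OfflineAccess = "offline_access";

    // Scope values are separated by a single space and escaped as ONE query
    // parameter value, so "MyApi offline_access" is sent as MyApi%20offline_access.
    public static string BuildAuthorizeUrl(string authorizeEndpoint, string clientId,
        string redirectUri, string state, params string[] scopes)
    {
        string scope = string.Join(" ", scopes);
        return authorizeEndpoint +
            "?client_id=" + Uri.EscapeDataString(clientId) +
            "&scope=" + Uri.EscapeDataString(scope) +
            "&response_type=code" +
            "&redirect_uri=" + Uri.EscapeDataString(redirectUri) +
            "&state=" + Uri.EscapeDataString(state);
    }

    // Exchanges the authorization code at the token endpoint (the same request
    // the question builds) and returns the raw JSON body.
    public static async Task<string> ExchangeCodeAsync(HttpClient http, string tokenEndpoint,
        string clientId, string clientSecret, string redirectUri, string code)
    {
        var form = new FormUrlEncodedContent(new List<KeyValuePair<string, string>>
        {
            new KeyValuePair<string, string>("grant_type", "authorization_code"),
            new KeyValuePair<string, string>("client_id", clientId),
            new KeyValuePair<string, string>("client_secret", clientSecret),
            new KeyValuePair<string, string>("redirect_uri", redirectUri),
            new KeyValuePair<string, string>("code", code),
        });
        HttpResponseMessage response = await http.PostAsync(tokenEndpoint, form);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    // Returns the refresh_token from a token response body, or null when the
    // server issued none (offline_access not requested, not allowed for the
    // client via ScopeRestrictions, or missing from the scope store).
    public static string ExtractRefreshToken(string tokenResponseJson)
    {
        using (JsonDocument doc = JsonDocument.Parse(tokenResponseJson))
        {
            JsonElement root = doc.RootElement;
            if (root.TryGetProperty("refresh_token", out JsonElement token) &&
                token.ValueKind == JsonValueKind.String)
            {
                return token.GetString();
            }
            return null;
        }
    }

    public static void Main()
    {
        string url = BuildAuthorizeUrl(
            "https://idsrv.example/connect/authorize", "SomeId",
            "https://client.example/callback", "state-placeholder",
            "MyApi", OfflineAccess);
        Console.WriteLine(url);

        // Constructed sample responses: the first is what comes back once
        // offline_access is requested and allowed; the second is the
        // access-token-only response the question describes.
        string withRefresh = "{\"access_token\":\"at-1\",\"expires_in\":3600," +
            "\"token_type\":\"Bearer\",\"refresh_token\":\"rt-1\"}";
        string withoutRefresh = "{\"access_token\":\"at-2\",\"expires_in\":3600," +
            "\"token_type\":\"Bearer\"}";

        Console.WriteLine(ExtractRefreshToken(withRefresh) ?? "(no refresh token)");
        Console.WriteLine(ExtractRefreshToken(withoutRefresh) ?? "(no refresh token)");
    }
}
```

The check in ExtractRefreshToken is what the question was missing: a null here after a successful exchange means the server validated the request but did not consider the client entitled to a refresh token, which points at the scope request, the client's ScopeRestrictions, or the scope store rather than at the token exchange code.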