身份服务器 4 - 获取 invalid_client 错误

Question

我是身份服务器的新手。我之前没有配置过。但是我正在从事的项目需要它。

该 API 将为 Angular JS 客户端、iOS 应用程序和 Android 应用程序提供服务。我们需要实现认证和授权。

注意：我正在尝试在同一个 Web API 项目中配置 Identity Server 和我的 API。

我遵循了文档并将身份服务器配置如下：

在startup.cs中，在 ConfigureServices()

        services.AddTransient<IProfileService, CustomProfileService>();
        services.AddTransient<IResourceOwnerPasswordValidator, CustomResourceOwnerPasswordValidator>();



        services.AddIdentityServer()
            .AddTemporarySigningCredential()
            // add the resources that need to be secured
            .AddInMemoryApiResources(IdentityServerConfig.Resources.GetApiResources())
            // add the clients that will be access the ApiResources
            .AddInMemoryClients(IdentityServerConfig.Clients.GetClients());

该CustomProfileService和CustomResourceOwnerPasswordValidator与此相同的答案： /sf/answers/2471421501/

在 Configure()

        // as this API will also be acting as an
        app.UseIdentityServer();


        // now setup the Identity Server client, this API will also be the client 

        app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
        {
            Authority = "http://localhost:44337",
            RequireHttpsMetadata = false,


            ApiName = "obApi"
        });

这里是 GetClients()

    public static IEnumerable<Client> GetClients()
    {
        var clients = new List<Client>();



        var websiteGrants = new List<string> { GrantType.ResourceOwnerPassword };
        var secret = new Secret("secret".Sha256());

        var websiteClient = new Client()
        {
            // we will be using Angular JS to access the API - so naming it js
            ClientId = "js",

            // just a human friendly name
            ClientName = "JavaScript Client",

            // set to GrantType.ResourceOwnerPassword - because using Username/Password to login
            AllowedGrantTypes = websiteGrants, 

            // secret for authentication
            //TODO: Change the secret 
            ClientSecrets = { secret },

            // we need to access the fhApi from Angular JS front-end 
            // fhApi is defined in Resources file as an API Resource
            AllowedScopes = { "obApi" }
        };


        clients.Add(websiteClient);

        return clients;
    }

这是 GetApiResources()

    public static IEnumerable<ApiResource> GetApiResources()
    {
        // e.g. if we want to protect an API called api1 - then we will add it here
        // these values are hard coded for now - but we can get from DB, config file etc.

        return new List<ApiResource>
                        {
                            new ApiResource("obApi", "Order2Bite API")
                        };
    }

现在因为我想使用它 Angular JS、iOS 和 Android，我只想从身份服务器获取访问令牌，然后使用访问令牌进行身份验证和授权。

为此，我试图/connect/token从 JS 客户端访问

但我收到一个invalid_client错误。

        var user = { client_id: "js", grant_type: 'password', username: "testuser", password: "testpasswrd", scope: 'obApi' };

        var urlEncodedUrl = {
            'Content-Type': 'application/x-www-form-urlencoded',
        };

        this.$http({
            method: 'POST', url: "http://localhost:44337/connect/token",
            headers: urlEncodedUrl,
            data: user,

        })
            .then(data => {
                console.log(data)
            },
            data => {
                console.log(data)

            });

我在服务器端遇到的错误是“找不到客户端标识符”：

1 - 为什么我会收到这个错误？

2 - 因为我需要在 JS、Android 和 iOS 中以编程方式获取令牌，所以我需要使用/connect/token，我对此是否正确？我在正确的道路上吗？

Answer 1

invalid_client 错误通常意味着客户端 ID 或客户端密钥不正确。在这种情况下，您不会在对 IdentityServer 的请求中包含客户端密钥。在您的请求中添加“client_secret: 'secret'”

更新数据：

 var user = { client_id: "js", client_secret: "secret", grant_type: 'password', username: "testuser", password: "testpasswrd", scope: 'obApi' };

或者，您不能在客户端配置中要求 ClientSecret

var websiteClient = new Client()
{
    // we will be using Angular JS to access the API - so naming it js
    ClientId = "js",

    // just a human friendly name
    ClientName = "JavaScript Client",

    // set to GrantType.ResourceOwnerPassword - because using Username/Password to login
    AllowedGrantTypes = websiteGrants,

    // secret for authentication
    //TODO: Change the secret 
    ClientSecrets = { secret },

    // Disable client secret validation
    RequireClientSecret = false,

    // we need to access the fhApi from Angular JS front-end 
    // fhApi is defined in Resources file as an API Resource
    AllowedScopes = { "obApi" }
};

这是 IdentityServer4 ClientSecretValidator.cs 中的一个片段，其中包含您返回的确切错误作为证明 https://github.com/IdentityServer/IdentityServer4/blob/release/src/IdentityServer4/Validation/ClientSecretValidator.cs

var parsedSecret = await _parser.ParseAsync(context);
if (parsedSecret == null)
{
    await RaiseFailureEvent("unknown", "No client id found");

    _logger.LogError("No client identifier found");
    return fail;
}

关于获取 JS、Android 和 iOS 令牌的第二个问题，您可能需要考虑将用于每个场景的 OpenID 授予类型。我从 IdentityServer 开发人员那里看到的一般建议是对 Web 应用程序和授权代码（或混合）流使用隐式流。您可以在此处阅读更多相关信息：http : //docs.identityserver.io/en/release/topics/grant_types.html