我有 3 个项目 1- SPA、2- Web API 项目、3- Identity(使用 openiddict、ASP.NET Core 2.0(OpenIddict.dll 版本 2.0.0.-rc2-0854)和 EF Core 进行设置。
\n\nAPI 和 Identity Server 成功运行,可以获取 jwt 令牌,但是,当我尝试从具有授权属性的 API 方法获取值时,出现错误:
\n\nWWW-Authenticate \xe2\x86\x92Bearer error="invalid_token", error_description="The access token is not valid." \n在 Application Insights 中,可以看到 POST /connect/introspect 被调用,结果依赖项结果代码:500 和依赖项代码:Http
\n\n相同的代码以前可以工作,不确定哪些更改会破坏内省。
\n\nAPI项目中的配置
\n\n services.AddAuthentication(options =>\n {\n options.DefaultScheme = OAuthIntrospectionDefaults.AuthenticationScheme;\n })\n .AddOAuthIntrospection(options =>\n {\n options.Authority = new Uri("http://localhost:49888");\n options.ClientId = "my-resource-server";\n options.ClientSecret = "ClientSecret";\n options.RequireHttpsMetadata = false;\n });\n services.AddCors(); \n services.AddMvc()\n .AddJsonOptions(options =>\n {\n options.SerializerSettings.Formatting = Formatting.None;\n });\n授权方式
\n\n [HttpGet("GetData/{Id}")]\n [Authorize(AuthenticationSchemes = OAuthIntrospectionDefaults.AuthenticationScheme)]\n [Authorize(Roles = "Admin")]\n public IActionResult GetData(int courseId)\n {\n }\n在身份项目中连接/内省
\n\n private async Task<AuthenticationTicket> CreateTicketAsync(OpenIdConnectRequest request, UserInfo user)\n {\n UserInfo userInfo = await _userRepository.GetUserByCredentials(request.Username, request.Password);\n\n if (userInfo == null)\n {\n return null;\n }\n\n // Create a new ClaimsIdentity holding the user identity.\n var identity = new ClaimsIdentity(\n OpenIdConnectServerDefaults.AuthenticationScheme,\n OpenIdConnectConstants.Claims.Name,\n OpenIdConnectConstants.Claims.Role\n );\n\n // Add a "sub" claim containing the user identifier, and attach\n // the "access_token" destination to allow OpenIddict to store it\n // in the access token, so it can be retrieved from your controllers.\n identity.AddClaim(OpenIdConnectConstants.Claims.Subject,\n user.UserId.ToString(),\n OpenIdConnectConstants.Destinations.AccessToken);\n identity.AddClaim(OpenIdConnectConstants.Claims.Name, user.Name,\n OpenIdConnectConstants.Destinations.AccessToken);\n\n identity.AddClaim(OpenIdConnectConstants.Claims.Role, user.Role,\n OpenIdConnectConstants.Destinations.AccessToken);\n\n // ... add other claims, if necessary.\n var principal = new ClaimsPrincipal(identity);\n\n // Create a new authentication ticket holding the user identity.\n var ticket = new AuthenticationTicket(principal,\n new Microsoft.AspNetCore.Authentication.AuthenticationProperties(),\n OpenIdConnectServerDefaults.AuthenticationScheme);\n.\n.
\n从 RC2 开始,OpenIddict 可以正式与第三方应用程序(即您不拥有的客户端)一起使用。因此,我们不能再假设所有注册的应用程序都是合法的并且可以自由地内省令牌。
为了使事情变得明确,您现在必须指定能够内省令牌的客户端标识符列表。为此,请在创建票证时添加以下代码:
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetResources("tracking_api", "marketing_api");
资源必须与使用内省处理程序分配给资源服务器的 client_id 完全匹配:
services.AddAuthentication()
.AddOAuthIntrospection(options =>
{
options.Authority = new Uri("http://localhost:12345/");
options.ClientId = "marketing_api";
options.ClientSecret = "846B62D0-DEF9-4215-A99D-86E6B8DAB342";
options.RequireHttpsMetadata = false;
});
| 归档时间: |
|
| 查看次数: |
5031 次 |
| 最近记录: |