使用公钥/私钥而不是共享密钥的IdentityServer客户端身份验证

Question

我正在尝试使用公钥/私钥而不是IdentityServer4的客户机密的共享密钥.这种方法记录在这里.

如果它是共享密钥,则请求将包含secret纯文本.例如

curl -X POST \
  http://<identityserver>/connect/token \
  -F client_id=abc \
  -F client_secret=secret \
  -F grant_type=client_credentials \
  -F scope=api1 api2

我的问题是:secret使用公钥/私钥认证方法应该传递什么？

为了给出一些背景知识,使用公共/密钥身份验证的客户端将使用以下步骤向IdentityServer 注册

1. 客户端生成.crt文件,例如

   // create key
   $ openssl genrsa -des3 -passout pass:x -out client.pass.key 2048
   $ openssl rsa -passin pass:x -in client.pass.key -out client.key
   
   // create certificate request (csr)
   $ openssl req -new -key client.key -out client.csr
   
   // create certificate (crt)
   $ openssl x509 -req -sha256 -days 365 -in client.csr -signkey client.key -out client.crt
   
   // export pfx file from key and crt
   $ openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt
   

2. 客户端将client.crt与IdentityServer 共享该文件

3. IdentityServer将通过注册客户端

   var client = new Client
   {
       ClientId = "abc",
       ClientSecrets =
       {
           new Secret
           {
               Type = IdentityServerConstants.SecretTypes.X509CertificateBase64,
               Value = "MIIDF...." <================= contents of the crt file
           }
       },
   
       AllowedGrantTypes = GrantTypes.ClientCredentials,
       AllowedScopes = { "api1", "api2" }
   };
   

Answer 1

借助IdentityServer4中的单元测试解决了这一问题！

使用公共/专用身份验证时，client_secret不使用。而是client_assertion使用a，它是JWT令牌。

这是令牌请求的示例代码。client.pfx是根据问题中上述步骤生成的证书捆绑包。

var now = DateTime.UtcNow;
var clientId = "abc";
var tokenEndpoint = "http://localhost:5000/connect/token";

var cert = new X509Certificate2("client.pfx", "1234");

// create client_assertion JWT token
var token = new JwtSecurityToken(
    clientId,
    tokenEndpoint,
    new List<Claim>
    {
        new Claim("jti", Guid.NewGuid().ToString()),
        new Claim(JwtClaimTypes.Subject, clientId),
        new Claim(JwtClaimTypes.IssuedAt, now.ToEpochTime().ToString(), ClaimValueTypes.Integer64)
    },
    now,
    now.AddMinutes(1),
    new SigningCredentials(
        new X509SecurityKey(cert),
        SecurityAlgorithms.RsaSha256
    )
);

var tokenHandler = new JwtSecurityTokenHandler();
var tokenString = tokenHandler.WriteToken(token);


// token request - note there's no client_secret but a client_assertion which contains the token above
var requestBody = new FormUrlEncodedContent(new Dictionary<string, string>
{
    {"client_id", clientId},
    {"client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
    {"client_assertion", tokenString},
    {"grant_type", "client_credentials"},
    {"scope", "api1 api2"}
});


var client = new HttpClient();
var response = await client.PostAsync(tokenEndpoint, requestBody);
var tokenRespone = new TokenResponse(await response.Content.ReadAsStringAsync());