Idsrvr4:AuthorizeRequestValidator:错误:客户端的无效授予类型:隐式

Sau*_*ala 8 c# oauth oauth-2.0 identityserver4 asp.net-core-2.0

我正在尝试在.net core 2.0 MVC上设置Identity Server 4 HybridAndClientCredentials

但是,遇到了错误的客户端无效授予类型错误:隐式

事件,尽管我已将AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

我已经下载了示例快速入门,并且可以正常运行,但是我找不到自己的代码,缺少了多少行代码。

调试输出:

IdentityServer4.Validation.AuthorizeRequestValidator:
Error: Invalid grant type for client: implicit
{
  "ClientId": "consultee",
  "ClientName": "consultee Client test",
  "RedirectUri": "http://consultee.mi.local:44352/signin-oidc",
  "AllowedRedirectUris": [
    "http://consultee.mi.local:44352/signin-oidc"
  ],
  "SubjectId": "anonymous",
  "ResponseType": "id_token",
  "ResponseMode": "form_post",
  "GrantType": "implicit",
  "RequestedScopes": "",
  "State": "CfDJ8KERs5ihv_5Ll9ddYi6Nj5lkLNGQptrJwHqbSD11g27zqVxPcKxLKvbMtd5ab5LPbV15yaCNlHlzpPgRQL4R2XSue8ka_fqLBWFfXad-sRNCyY03JxgL7HZDKDrph-G4hdvRRMvBtXUc0tq2tHd7ZGX7-djehs8aHD6-P_80UfFplHCYkvARV7I64Kb5ki4cFVmLE6G8EbWIUwir6HJpkgK1CbN_IuPtBTjaLZoBOEzpxWTRVaudsD4vZFxdTv4N51ufkn8jy7GPC0pf3xCGInQpA-FziHp681qmiWbCxlp9HuAIZBem-at9dNvC29yRBw4JbcoTSrjuHkq6G6gZtXVh1YuuQYIW9R4wklmlSEX4i8kxM8zJTog98Ce3OFsYnw",
  "Raw": {
    "client_id": "consultee",
    "redirect_uri": "http://consultee.mi.local:44352/signin-oidc",
    "response_type": "id_token",
    "scope": "openid profile api1 offline_access",
    "response_mode": "form_post",
    "nonce": "636626718480261618.MDYwZjE0MjMtNzczMi00ZjQ4LTk0NWUtZjQ1ZDNjM2VjZTRhOWI0NWM0MjMtNGM3Ni00ZDA3LWIyZDctMDcwNTc3ZDU0NGYy",
    "state": "CfDJ8KERs5ihv_5Ll9ddYi6Nj5lkLNGQptrJwHqbSD11g27zqVxPcKxLKvbMtd5ab5LPbV15yaCNlHlzpPgRQL4R2XSue8ka_fqLBWFfXad-sRNCyY03JxgL7HZDKDrph-G4hdvRRMvBtXUc0tq2tHd7ZGX7-djehs8aHD6-P_80UfFplHCYkvARV7I64Kb5ki4cFVmLE6G8EbWIUwir6HJpkgK1CbN_IuPtBTjaLZoBOEzpxWTRVaudsD4vZFxdTv4N51ufkn8jy7GPC0pf3xCGInQpA-FziHp681qmiWbCxlp9HuAIZBem-at9dNvC29yRBw4JbcoTSrjuHkq6G6gZtXVh1YuuQYIW9R4wklmlSEX4i8kxM8zJTog98Ce3OFsYnw",
    "x-client-SKU": "ID_NET",
    "x-client-ver": "2.1.4.0"
  }
}
Run Code Online (Sandbox Code Playgroud)

客户

                new Client
                {
                    ClientId = "consultee",
                    ClientName = "consultee Client test",
                    AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

                    ClientSecrets =
                    {
                        new Secret("secret".Sha256())
                    },

                    RedirectUris = { "http://consultee.mi.local:44352/signin-oidc" },
                    PostLogoutRedirectUris = { "http://consultee.mi.local:44352/signout-callback-oidc" },

                    AllowedScopes =
                    {
                        IdentityServerConstants.StandardScopes.OpenId,
                        IdentityServerConstants.StandardScopes.Profile,
                        "api1"
                    },
                    AllowOfflineAccess = true,
                    AllowAccessTokensViaBrowser = true,
                }
Run Code Online (Sandbox Code Playgroud)

客户端的ConfigurationService

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        services.AddAuthentication(options =>
            {
                options.DefaultScheme = "Cookies";
                options.DefaultChallengeScheme = "oidc";
            })
            .AddCookie("Cookies")
            .AddOpenIdConnect("oidc", options =>
            {
                options.SignInScheme = "Cookies";

                options.Authority = Configuration["identityServerUri"];
                options.RequireHttpsMetadata = false;

                options.ClientId = "consultee";
                options.ClientSecret = "secret";

                options.SaveTokens = true;
                options.GetClaimsFromUserInfoEndpoint = true;

                options.Scope.Add("api1");
                options.Scope.Add("offline_access");
            });
    }
Run Code Online (Sandbox Code Playgroud)

IdServer上的ConfigurationService

public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // configure identity server with in-memory stores, keys, clients and scopes
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()
            .AddInMemoryIdentityResources(Config.GetIdentityResources())
            .AddInMemoryApiResources(Config.GetApiResources())
            .AddInMemoryClients(Config.GetClients())
            .AddTestUsers(Config.GetUsers());

        services.AddAuthentication();

    }
Run Code Online (Sandbox Code Playgroud)

DaI*_*mTo 10

日志告诉您问题所在

错误:无效的客户授权类型:隐式

您以隐式客户端身份登录。

.AddOpenIdConnect("oidc", options =>
        {
            options.SignInScheme = "Cookies";

            options.Authority = Configuration["identityServerUri"];
            options.RequireHttpsMetadata = false;

            options.ClientId = "consultee";
            options.ClientSecret = "secret";

            options.SaveTokens = true;
            options.GetClaimsFromUserInfoEndpoint = true;

            options.Scope.Add("api1");
            options.Scope.Add("offline_access");
        });
Run Code Online (Sandbox Code Playgroud)

您已经在身份服务器中配置了混合客户端

new Client
            {
                ClientId = "consultee",
                ClientName = "consultee Client test",
                AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

                ClientSecrets =
                {
                    new Secret("secret".Sha256())
                },

                RedirectUris = { "http://consultee.migrology.local:44352/signin-oidc" },
                PostLogoutRedirectUris = { "http://consultee.migrology.local:44352/signout-callback-oidc" },

                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "api1"
                },
                AllowOfflineAccess = true,
                AllowAccessTokensViaBrowser = true,
            }
Run Code Online (Sandbox Code Playgroud)

因此服务器不会允许您执行此操作。您需要更改代码以混合登录,或者将您的客户端更改为隐式客户端。

改为混合动力

为了将隐式登录更改为混合登录,您需要更改一些内容。

  • 配置ClientSecret以匹配IdentityServer上的机密。
  • 添加offline_access
  • 添加范围(api1)
  • 将ResponseType设置为代码id_token(这基本上意味着“使用混合流”) (您缺少此信息)

  • 你真是有靶心啊! (2认同)
  • 我正在做同样的事情,我觉得很奇怪你的项目使用隐式和我的混合运行,所以我不得不用你的代码进行测试。我们都在这里学到了一些东西。 (2认同)