IdentityServer3-401调用Identity API Controller时未授权
[英]IdentityServer3 - 401 Unauthorized when calling Identity API Controller
问题描述
I have a project which uses IdentityServer3 for Auth as a Service. 
我有一个使用IdentityServer3进行身份验证即服务的项目。
Recently I was tasked with creating a seamless experience for End-Users to edit their identity information. 最近,我的任务是为最终用户创建无缝体验来编辑其身份信息。
I did this by creating an API Controller in my application which uses a HTTPClient to call another API Controller living in my IdentityServer project. 为此,我在应用程序中创建了一个API控制器,该API控制器使用HTTPClient调用了我IdentityServer项目中的另一个API控制器。 It basically exposes the Identity management methods to the world, but "passes-through" any requests on to the IdentityServer Api. 它基本上向世界公开了身份管理方法,但是将任何请求“传递”给IdentityServer Api。
All is well right up until I call the IdentityServer Api Controller. 一切正常,直到我调用IdentityServer Api控制器。 My breakpoint there is never hit, regardless of the presence of a "Authorize" attribute. 不管是否存在“授权”属性,我的断点都不会命中。 I end up receiving a "401: Unauthorized" back from the IdentityServer Api controller. 我最终收到了来自IdentityServer Api控制器的“ 401:未经授权”消息。
I've tried to reuse the original request's Auth headers, but that didn't work. 我试图重用原始请求的Auth标头,但这没有用。 I also tried to find a "access_token" claim from my claim principle, but one wasn't found. 我还尝试从我的声明原则中找到一个“ access_token”声明,但未找到。
here is a code snippet: 这是一个代码片段:
var httpClient = new HttpClient();
// this didn't work - tried reusing the auth from the original request
//httpClient.DefaultRequestHeaders.Authorization = request.Headers.Authorization;
// this didn't work either - "access_token" is not found
//httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("bearer", Caller.FindFirst("access_token").Value);
var routePrefix = GetRoutePrefix();
var response = await httpClient.PostAsync(
$"{routePrefix}/post",
new ObjectContent(typeof(TDObj), entity, new JsonMediaTypeFormatter()));
return response;
I'm new to IdentityServer3 and OAuth and not sure what to do next. 我是IdentityServer3和OAuth的新手,不确定下一步如何做。 I tried creating a new scope for "identity" and tried to make it a required scope in my client application, but that didn't seem to do the trick. 我尝试为“身份”创建一个新的作用域,并尝试使其成为客户端应用程序中的必需作用域,但这似乎并没有解决问题。 I know I'm missing some key piece of understanding here, but there is so much documentation for IdentityServer, I don't know where to begin and can't find anything specific to this need. 我知道我在这里缺少一些关键的了解,但是IdentityServer的文档太多了,我不知道从哪里开始,也找不到适合此需求的任何东西。 I'm in the weeds! 我在杂草中! Can anyone help me understand what's going on here? 谁能帮助我了解这里的事吗? Thanks! 谢谢!
1 个解决方案
解决方案1
0 已采纳 2017-03-15 20:30:15
I got it working by following Scott Brady's answer here: Identity Server and web api for user management 我通过遵循Scott Brady的回答在这里工作: Identity Server和用于用户管理的Web API
However, his answer didn't immediately work for me. 但是,他的回答并没有立即为我解决。 I had to make sure to make the call for UseIdentityServerTokenValidation to happen BEFORE api route mapping happened. 我必须确保对UseIdentityServerTokenValidation的调用在api路由映射发生之前发生。
That being said, my original attempt to hi-jack the Authorization headers from the inbound HTTPRequest of my Front-End application worked, so I was able to remove any code requesting an access token and didn't have to SetBearerToken() on my HttpClient. 话虽这么说,我最初尝试从前端应用程序的入站HTTPRequest中劫持Authorization标头的工作是可行的,因此我能够删除任何请求访问令牌的代码,而不必在HttpClient上使用SetBearerToken() 。 Just this: 只是这个:
httpClient.DefaultRequestHeaders.Authorization = request.Headers.Authorization;
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.