ASOS - Token validation is not working when having separate authorization server and the resource server

I'm trying to implement the OpenID Connect server (resource owner password credentials grant) with ASOS following this post. Everything works fine when I have both the authorization server and the resource server in one app. But when I split them into two apps (but on one machine), the resource server fails to validate the token and returns The access token is not valid.

I downloaded the source code of AspNet.Security.OAuth.Validation to investigate the issue, and it returns null here.

Here are some logs from the Authorization Server:

    info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
          Request starting HTTP/1.1 POST http://localhost:5000/connect/token application/x-www-form-urlencoded; charset=UTF-8 77
    info: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          The token request was successfully extracted from the HTTP request: {
            "grant_type": "password",
            "username": "UserLogin",
            "password": "[removed for security reasons]",
            "scope": "offline_access"
          }.
    info: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          The token request was successfully validated.
    trce: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          A sign-in operation was triggered: sub: 123, username: UserLogin ; [.scopes, ["email","profile","offline_access"]], [.resources, ["resource_server"]].
    dbug: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[37]
          Reading data from file 'C:\Users\User1\AppData\Local\ASP.NET\DataProtection-Keys\key-********-****-****-****-64bb57db1c3b.xml'.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[18]
          Found key {********-****-****-****-64bb57db1c3b}.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[13]
          Considering key {********-****-****-****-64bb57db1c3b} with expiration date 2017-09-27 16:44:49Z as default key.
    dbug: Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlDecryptor[51]
          Decrypting secret element using Windows DPAPI.
    dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor[4]
          Opening CNG algorithm 'AES' from provider '(null)' with chaining mode CBC.
    dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor[3]
          Opening CNG algorithm 'SHA256' from provider '(null)' with HMAC.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider[2]
          Using key {********-****-****-****-64bb57db1c3b} as the default key.
    trce: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector[31]
          Performing protect operation to key {********-****-****-****-64bb57db1c3b} with purposes ('C:\Users\User1\documents\visual studio 2017\Projects\OpenIdDictSample\Aka.OpenIdConnectServer', 'OpenIdConnectServerHandler', 'AccessTokenFormat', 'ASOS').
    trce: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          A new access token was successfully generated using the specified data format: CfDJ8NSKICBGwihOm75ku1fbHDtG4usEbfF-mLGaJcGGFEPQJLb36rfHqCTJ3Clu_SCBRHlaZ_B7s3pxNfUqS9fPfjtjjEH1KKmkiV6gvakRYf0Iof32BVddUUPgd7sEDrB0fET91pIDJT9WwsPx653viw5tFyvrztsSD5CYAOQZjm1werRcVPuvwRhXUQb_9Vbba52tqj8y7WbOjk78Hl17knbwSz4C70vwlRU5pL_Bp41R4vEEKwtm_VMQ_u1kSBKM5KjOh6OKdbDJ9jOhyh4RpNbvGN25ZskzByi8ndKRW3dmajWYyf-0cj6-4MEE5Hocd47te8C-haYIxEUb7tcQ-JTItknIiE1sk6W7zHlhLg3nprE2Ct4mvKi11G7Kvd1W4u-UmEvL1NesjVFNKpNJVdEaK2I8mcNzJLU69ZnM4poRrLqEqD__cHa8nCFgPtE9L0Jyo6IyFwc7NZ2sXz7y7lPfJ9Q3Pu1W_t0lOGBte5uKHfJZpiOYaqKrAwdJSpULLK52iKoCNhRYxOSdq__DNJs ; sub: 123, username: UserLogin ; [.scopes, ["email","profile","offline_access"]], [.resources, ["resource_server"]], [.issued, Fri, 30 Jun 2017 09:13:29 GMT], [.expires, Fri, 30 Jun 2017 10:13:29 GMT], [.token_id, e27cbb46-d1ea-4576-8803-dddc001b3fc8], [.audiences, ["resource_server"]].
    trce: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector[31]
          Performing protect operation to key {********-****-****-****-64bb57db1c3b} with purposes ('C:\Users\User1\documents\visual studio 2017\Projects\OpenIdDictSample\Aka.OpenIdConnectServer', 'OpenIdConnectServerHandler', 'RefreshTokenFormat', 'ASOS').
    trce: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          A new refresh token was successfully generated using the specified data format: CfDJ8NSKICBGwihOm75ku1fbHDtcKlYz_IbJiNmiW_tfu19E7p5BIO9xE0b2qu8mYWw-zD7wCWB1F5Fx548L4FARrsJwlJls1AkK2GrqXjV0krH6me_btsSAxM9trrFCUL2ZrXkm2sStZ6DUcbf_cSNFh-YxXft-gbLGV11THAINTb8K9-v_fkeXq7aN8Qgu7zJfhON1ehflLwZ-DXZwW_S9assqx8f7oe-n5gTzOO6PjEyO5g0YMJ1SY7X-sMO1MKjn03vZxPB0ecT0l8NXB89vGhW7kZnoEaL1NwmSTiEOYMatwrkURPBgb2YLnpiu7sYAD04HxsicoLaQTDbc8ZJyWUJ7guLl6Mp2HLhZG_wLQM9REC_QeZX8eDn8aqSOiGKZeLF4G7A5y369VIZ0RPASdTpEsAHSE8ws0RB18jap-75bM_aAi3w3-PlfnY7ySnDYm3xkF1ImyBcph2XF6R8-imdAXhQG-tTAYd2FKw4msaWCPcnX5CxYlo-alVYpd878haDvo43fCvbd2_Dc2O1wI98 ; sub: 123, username: UserLogin ; [.scopes, ["email","profile","offline_access"]], [.resources, ["resource_server"]], [.issued, Fri, 30 Jun 2017 09:13:29 GMT], [.expires, Fri, 14 Jul 2017 09:13:29 GMT], [.token_id, c0cf40ad-cd47-4c82-9e37-6943cda95ffc].
    info: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          The token response was successfully returned: {
            "resource": "resource_server",
            "scope": "email profile offline_access",
            "token_type": "Bearer",
            "access_token": "[removed for security reasons]",
            "expires_in": 3600,
            "refresh_token": "[removed for security reasons]"
          }.

Here are some logs from the Resource Server:

    info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
          Request starting HTTP/1.1 GET http://localhost:5001/api/values
    trce: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector[5]
          Performing unprotect operation to key {********-****-****-****-64bb57db1c3b} with purposes ('C:\Users\User1\documents\visual studio 2017\Projects\OpenIdDictSample\Aka.WebApi', 'OpenIdConnectServerHandler', 'AccessTokenFormat', 'ASOS').
    dbug: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[37]
          Reading data from file 'C:\Users\User1\AppData\Local\ASP.NET\DataProtection-Keys\key-********-****-****-****-64bb57db1c3b.xml'.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[18]
          Found key {********-****-****-****-64bb57db1c3b}.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[13]
          Considering key {********-****-****-****-64bb57db1c3b} with expiration date 2017-09-27 16:44:49Z as default key.
    dbug: Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlDecryptor[51]
          Decrypting secret element using Windows DPAPI.
    dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor[4]
          Opening CNG algorithm 'AES' from provider '(null)' with chaining mode CBC.
    dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor[3]
          Opening CNG algorithm 'SHA256' from provider '(null)' with HMAC.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider[2]
          Using key {********-****-****-****-64bb57db1c3b} as the default key.
    info: AspNet.Security.OAuth.Validation.OAuthValidationMiddleware[7]
          Bearer was not authenticated. Failure message: Authentication failed because the access token was invalid.

1) What is wrong with my resource server?

2) How to configure the resource server on a different machine (especially token signing/checking and encryption/decryption)?

How to configure the resource server on a different machine (especially token signing/checking and encryption/decryption)?

You need to make sure the key ring (containing the master keys from which ASP.NET Core Data Protection derives the encryption and validation keys) is correctly synchronized and shared by both your authorization server and your resource server(s). The procedure is described here: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview

Here's an example of how it could be done using a shared folder:

using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    // Persist the key ring to a folder reachable by every instance that must
    // protect or unprotect tokens (authorization server and resource servers).
    services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"));
}

You'll also need to configure the two applications to use the same "application discriminator":

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"))
        // The application name is part of the Data Protection "purposes" chain; by default it is
        // the content root path, so two separately deployed apps get different purposes
        // (compare the two 'C:\Users\...\Aka.*' values in the logs) and cannot read each other's tokens.
        .SetApplicationName("Your application name");
}
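As an added example (not code from the original answer or from the ASOS project), the same settings factored into one helper that both the authorization server and the resource server call from their Startup, so the two applications cannot drift apart. The helper name, the configuration keys and the optional certificate-based key encryption are assumptions for the example; the page itself only shows the shared folder and the application name.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper placed in a class library referenced by both projects.
public static class SharedDataProtectionExtensions
{
    public static IServiceCollection AddSharedDataProtection(
        this IServiceCollection services, IConfiguration configuration)
    {
        // Both values must be identical in the authorization server and in every
        // resource server; the example reads them from configuration (assumed keys).
        var keyRingPath = configuration["DataProtection:KeyRingPath"];        // e.g. \\server\share\keys
        var applicationName = configuration["DataProtection:ApplicationName"]; // e.g. "MyIdentitySystem"

        if (string.IsNullOrWhiteSpace(keyRingPath) || string.IsNullOrWhiteSpace(applicationName))
        {
            // Failing fast is safer than silently falling back to the per-app defaults,
            // which is exactly the misconfiguration that produced "access token was invalid".
            throw new InvalidOperationException(
                "DataProtection:KeyRingPath and DataProtection:ApplicationName must be set.");
        }

        var builder = services.AddDataProtection()
            // Replaces the default discriminator (the content root path) so that the
            // 'purposes' used for protect and unprotect match across both applications.
            .SetApplicationName(applicationName)
            .PersistKeysToFileSystem(new DirectoryInfo(keyRingPath));

        // Keys persisted to a shared folder are not encrypted at rest unless a key-encryption
        // mechanism is configured. The Windows DPAPI protection seen in the logs is bound to a
        // single machine and cannot be unwrapped on another host, so an X.509 certificate
        // installed on every host is used here when a thumbprint is provided (assumed key).
        var thumbprint = configuration["DataProtection:CertificateThumbprint"];
        if (!string.IsNullOrWhiteSpace(thumbprint))
        {
            builder.ProtectKeysWithCertificate(thumbprint);
        }

        return services;
    }
}

// In both Startup.ConfigureServices methods:
//     services.AddSharedDataProtection(Configuration);
```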
