Identity Server calling its own configuration endpoint
I have two clients requiring authentication.
One client is a SPA that uses implicit flow, and the other is a direct system integration that uses the client credentials flow for login.
For some reason, when my client credentials client calls my API, my Identity Server app tries to call the `.well-known/openid-configuration` endpoint on itself.
The call makes no sense, seeing that it is the server which is serving the configuration in the first place that is trying to call an endpoint in itself.
Is there a way to populate this configuration without having Identity Server call its own endpoint?
Below is a snippet with my Identity Server configuration.
```csharp
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = "Bearer";
    options.DefaultChallengeScheme = "oidc";
}).AddOpenIdConnect("oidc", options =>
{
    options.SignInScheme = openIdConnectConfig.SignInScheme;
    options.SignOutScheme = IdentityServerConstants.SignoutScheme;
    options.Authority = openIdConnectConfig.Authority;
    options.RequireHttpsMetadata = false;
    options.ClientId = clientConfig.First(x => x.ClientId == "spa_app").ClientId;
    options.SaveTokens = true;
    options.SignedOutRedirectUri = "http://localhost:8080";
}).AddIdentityServerAuthentication(options =>
{
    options.Authority = openIdConnectConfig.Authority;
    options.RequireHttpsMetadata = false;
    options.ApiName = "api_client";
});
```
It's not possible to prevent this behaviour (at least not unless you attempt to implement the `IConfigurationManager<OpenIdConnectOptions>`). This is actually an intended behaviour because you have your web app & identity server hosted in the same app. The call to its own endpoint is due to the `AddOpenIdConnect` authentication scheme, which when you start up the app will fetch the identity provider metadata information for JWT validation purposes.
You could theoretically go and implement an `IConfigurationManager<OpenIdConnectOptions>` that does not call the `MetadataAddress` endpoint and set that in the authentication scheme builder.
```csharp
.AddOpenIdConnect("oidc", options =>
{
    ...
    options.ConfigurationManager = myCustomConfigurationManager; // You would need to implement this
    ...
})
```
This is the culprit that's responsible for the call to the `MetadataAddress` endpoint, which by default is `authorityUri + /.well-known/openid-configuration`.
I would advise against doing so because in the end you will need the identity provider metadata information anyway, so you would have to snapshot and store it locally or something like that.
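The approach the answer sketches, as an added example that is not code from the question or the answer: a configuration manager that hands the OpenID Connect handler its metadata from in-process values, so the handler never requests `/.well-known/openid-configuration` from itself. It is written against `IConfigurationManager<OpenIdConnectConfiguration>` from Microsoft.IdentityModel.Protocols (the type that `OpenIdConnectOptions.ConfigurationManager` accepts) and assumes IdentityServer4's default endpoint paths and a `signingCert` variable holding the server's own signing certificate; the class name is hypothetical.

```csharp
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Hypothetical class: builds the discovery document in memory instead of fetching
// authority + "/.well-known/openid-configuration" over HTTP at startup.
public sealed class LocalOidcConfigurationManager : IConfigurationManager<OpenIdConnectConfiguration>
{
    private readonly OpenIdConnectConfiguration _config;

    public LocalOidcConfigurationManager(string authority, X509Certificate2 signingCert)
    {
        var issuer = authority.TrimEnd('/');
        _config = new OpenIdConnectConfiguration
        {
            Issuer = issuer,
            // Assumed IdentityServer4 default endpoint paths.
            AuthorizationEndpoint = issuer + "/connect/authorize",
            TokenEndpoint = issuer + "/connect/token",
            EndSessionEndpoint = issuer + "/connect/endsession",
            JwksUri = issuer + "/.well-known/openid-configuration/jwks",
        };
        // The handler validates id_token signatures against SigningKeys; leaving this
        // empty makes every sign-in fail with a "signature key not found" error.
        _config.SigningKeys.Add(new X509SecurityKey(signingCert));
    }

    public Task<OpenIdConnectConfiguration> GetConfigurationAsync(CancellationToken cancel)
        => Task.FromResult(_config);

    // Nothing is re-fetched: a rotated signing key is only seen after an app restart,
    // which is exactly the snapshot caveat the answer raises.
    public void RequestRefresh() { }
}

// Registration in the scheme builder (signingCert is assumed to be loaded elsewhere):
// .AddOpenIdConnect("oidc", options =>
// {
//     options.Authority = openIdConnectConfig.Authority;
//     options.ConfigurationManager =
//         new LocalOidcConfigurationManager(openIdConnectConfig.Authority, signingCert);
// });
```

The same effect can be had without a custom class via `new StaticConfigurationManager<OpenIdConnectConfiguration>(config)` from Microsoft.IdentityModel.Protocols, which also never refreshes.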