Identity Server 4 无法验证我的访问令牌
[英]Identity Server 4 Cant Validate My Access Token
问题描述
I am using Asp.net Core 3.1 Web Api For Generate Api And Use Identity Server 4(3.1.2) With asp.net identity core In Same Project(Both In One Project) To Authenticate User.
我正在使用 Asp.net Core 3.1 Web Api 生成 Api 并使用 Identity Server 4(3.1.2) 和 asp.net 同一项目中的身份核心(都在一个项目中)对用户进行身份验证。 Identity Server 4 Generate Access Token But When Call Api With Postman,EveryTime Return 401. This is my Identity Server 4 Config: Identity Server 4 生成访问令牌但是当使用 Postman 调用 Api 时,每次都返回 401。这是我的 Identity Server 4 配置:
"IdentityServerSetting": {
"IdentityServerAuthority": "https://localhost:5000",
"IdentityResources": [
"openID"
],
"ApiResources": [
{
"Name": "MadPay",
"DisplayName": "MadPay Api",
"UserClaims": [
"name",
"Email"
]
}
],
"Client": [
{
"AccessTokenLifeTime": 3600,
"AllowedGrantTypes": "password",
"ClientId": "angular",
"AlwaysIncludeUserClaimsInIdToken": "true",
"AlwaysSendClientClaims": "true",
"AllowCorsOrigins": [ "https://localhost:5000" ],
"RequireClientSecret": "false",
"AllowedScopes": [ "OpenId", "MadPay" ],
"AllowOfflineAccess": "true"
}
]
}
This Is My ConfigureService这是我的配置服务
public void ConfigureServices(IServiceCollection services)
{
services.Configure<JwtConfig>(_configuration.GetSection(nameof(JwtConfig)));
services.Configure<IdentityServerSetting>(_configuration.GetSection(nameof(IdentityServerSetting)));
services.AddScoped<IUnitOfWork, UnitOfWork<ApplicationDBContext>>();
services.AddMapperConfigurations();
services.AddServices();
services.AddDbContext<ApplicationDBContext>(opt =>
{
opt.UseSqlServer(_configuration.GetConnectionString("ApplicationConnection"));
});
services.AddMvcCore(opt => opt.EnableEndpointRouting = false)
.SetCompatibilityVersion(CompatibilityVersion.Version_3_0)
.AddAuthorization()
.AddNewtonsoftJson(options =>
options.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore);
services.AddResponseCaching();
services.AddIdentityServerConfig(_identityServerSetting);
services.AddApiAuthorization();
services.AddCors();
services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
services.Configure<ApiBehaviorOptions>(options =>
{
options.SuppressModelStateInvalidFilter = true;
});
}
This Is My Configure这是我的配置
public void Configure(IApplicationBuilder app, IHostEnvironment env)
{
IdentityModelEventSource.ShowPII = true;
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
//app.UseHsts();
app.UseCors(i => i.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader());
app.AddExceptionHandling();
app.UseResponseCaching();
app.UseIdentityServer();
app.UseHttpContext();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "api/{controller}/{action}/{id?}");
});
}
AddApiAuthorization Fuction AddApiAuthorization 函数
public static void AddApiAuthorization(this IServiceCollection services)
{
services.AddAuthentication(options =>
{
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(opt =>
{
opt.Authority = "https://localhost:5000";
opt.RequireHttpsMetadata = false;
//opt.Audience = "MadPay";
opt.TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false
};
});
services.AddScoped<IAuthorizationHandler, PermissionAuthorizationHandler>();
services.AddAuthorization(option =>
option.AddPolicy("Permission", builder =>
builder.AddRequirements(new PermissionRequirement()).RequireAuthenticatedUser()
)
);
}
AddIdentityServerConfig Fuction AddIdentityServerConfig 函数
public static void AddIdentityServerConfig(this IServiceCollection services, IdentityServerSetting config)
{
var finalConfig = MapJsonToConfig(config);
services.AddIdentity<User, Role>(opt =>
{
opt.Password.RequireLowercase = false;
opt.Password.RequireUppercase = false;
opt.Password.RequireNonAlphanumeric = false;
opt.User.RequireUniqueEmail = true;
opt.SignIn.RequireConfirmedAccount = true;
opt.SignIn.RequireConfirmedEmail = true;
})
.AddEntityFrameworkStores<ApplicationDBContext>()
.AddUserManager<AppUserManager>()
//.AddSignInManager<AppSignInManager>()
.AddErrorDescriber<AppErrorDescriberService>()
.AddDefaultTokenProviders();
services.AddIdentityServer(options =>
{
options.Events.RaiseErrorEvents = true;
options.Events.RaiseInformationEvents = true;
options.Events.RaiseFailureEvents = true;
options.Events.RaiseSuccessEvents = true;
})
.AddDeveloperSigningCredential()
.AddInMemoryIdentityResources(finalConfig.IdentityResources)
.AddInMemoryApiResources(finalConfig.Apis)
.AddInMemoryClients(finalConfig.Clients)
.AddAspNetIdentity<User>()
.AddResourceOwnerValidator<AppIdentityPasswordValidator<User>>();
}
This is My Paload from access token这是来自访问令牌的我的负载
{
"nbf": 1597823415,
"exp": 1597827015,
"iss": "https://localhost:5000",
"aud": "MadPay",
"client_id": "angular",
"sub": "1",
"auth_time": 1597823413,
"idp": "local",
"name": "osali",
"scope": [
"MadPay",
"offline_access"
],
"amr": [
"pwd"
]
}
And For Call Api Use This url: https://localhost:5000/... And Send Token in Authorization Header: Bearer....对于呼叫 Api,请使用此 url: https://localhost:5000/... 并在授权中发送令牌 Header: Bearer...
i think Issued access token is not a problem.我认为 Issued access token 不是问题。 I spent a few days And Cant Understand Why is not working and very confused what is wrong!!我花了几天时间,无法理解为什么不工作,很困惑哪里出了问题!!
2 个解决方案
解决方案1
4 2020-08-19 08:10:49
You could set all the token validation parameters to false, and then enable them one by one, to see what triggers the error.您可以将所有令牌验证参数设置为 false,然后将它们一一启用,以查看触发错误的原因。
options.TokenValidationParameters.ValidateAudience = false;
options.TokenValidationParameters.ValidateIssuer = false;
options.TokenValidationParameters.ValidateIssuerSigningKey = false;
options.TokenValidationParameters.ValidateLifetime = false;
options.TokenValidationParameters.ValidateTokenReplay = false;
You can also try to enable the following and check the response from the API in postman or Fiddler.您也可以尝试启用以下并在 postman 或 Fiddler 中查看 API 的响应。
//True if token validation errors should be returned to the caller.
options.IncludeErrorDetails = true;
How is the API Controllers protected? API 控制器如何受到保护? Do you use any authorization policies?您是否使用任何授权策略?
In your API startup you should not use IdentityServer, instead you should use the AddMyJwtBearer method.在您的 API 启动中,您不应使用 IdentityServer,而应使用 AddMyJwtBearer 方法。 and in your configure method you should use:在你的配置方法中你应该使用:
app.UseAuthentication();
app.UseAuthorization();
Here's a sample startup.cs class for a typical API:这是典型的 API 的示例 startup.cs class:
public class Startup
{
// This method gets called by the runtime. Use this method to add services to the container.
// For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMyJwtBearer(options =>
{
options.Audience = "payment";
options.Authority = "https://localhost:6001/";
//True if token validation errors should be returned to the caller.
options.IncludeErrorDetails = true;
//If the signing key is not found, do a refresh from the JWKS endpoint
//This allows for automatic recovery in the event of a key rollover
options.RefreshOnIssuerKeyNotFound = true;
//Gets or sets if HTTPS is required for the metadata address or authority.
//Should always be true in production!
options.RequireHttpsMetadata = true;
//True if the token should be stored in the AuthenticationProperties
//after a successful authorization.
options.SaveToken = true;
//Parameters
options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(5);
options.TokenValidationParameters.NameClaimType = "name";
options.TokenValidationParameters.RoleClaimType = "role";
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
});
}
}
解决方案2
0 2020-08-19 14:16:37
you are missing below:-您在下面缺少:-
app.UseAuthentication();
app.UseAuthorization();
can you add above in the startup.cs Configure method in api and give it a try?能不能在api的startup.cs Configure方法中加上上面试试看?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.