[英]Invalid token provided in oidc-provider accessing UserInfo enpoint
I started using OAuth2 server with oidc in node js.我开始在 node js 中使用带有 oidc 的 OAuth2 服务器。 Github link Github 链接
My goal is simple, to access https://myserver/me which is UserInfo endpoint.我的目标很简单,访问 https://myserver/me 这是 UserInfo 端点。
While trying to learn how to use the server I also used this guide enter link description here Where I found that I could create token by sending request to endpoint /token.在尝试学习如何使用服务器的同时,我还使用了本指南在此处输入链接描述我发现我可以通过向端点 /token 发送请求来创建令牌。
Into the configuration I added this code(full server code is below):在配置中我添加了这个代码(完整的服务器代码如下):
{
client_id: 'test_oauth_app',
client_secret: 'super_secret',
grant_types: ['client_credentials'],
redirect_uris: [],
response_types: [],
}
In postman I was able to get my the access_token by this request在邮递员中,我能够通过此请求获得我的 access_token
POST /token
Headers:
Content-Type: application/x-www-form-urlencoded
Authorization: Basic dGVzdF9vYXV0aF9hcHA6c3VwZXJfc2VjcmV0
Body:
grant_type=client_credentials&scopes=api1
I get this as a response:我得到这个作为回应:
{
"access_token": "zdjmZo7_BQSIl4iK9IMcBbKffxGO-wQ3jLzzQXTlyws",
"expires_in": 600,
"token_type": "Bearer"
}
When I checked the token by /token/introspection I found out that the token equals to jti.当我通过 /token/introspection 检查令牌时,我发现该令牌等于 jti。 So I think it actually returns token_id and by that I cannot access /me endpoint.所以我认为它实际上返回了 token_id 并且因此我无法访问 /me 端点。
Here is the whole sample of server that I use:这是我使用的整个服务器示例:
const { Provider } = require('oidc-provider');
const configuration = {
features: {
introspection: { enabled: true },
clientCredentials: { enabled: true },
userinfo: { enabled: true },
jwtUserinfo: { enabled: true },
},
formats: {
AccessToken: 'jwt',
},
clients: [{
client_id: 'test_oauth_app',
client_secret: 'super_secret',
grant_types: ['client_credentials'],
redirect_uris: [],
response_types: []
}],
scopes: ['api1']
};
const oidc = new Provider('http://localhost:3000', configuration);
oidc.proxy = true
// express/nodejs style application callback (req, res, next) for use with express apps, see /examples/express.js
oidc.callback
// koa application for use with koa apps, see /examples/koa.js
oidc.app
// or just expose a server standalone, see /examples/standalone.js
const server = oidc.listen(3000, () => {
console.log('oidc-provider listening on port 3000, check https://localhost:3000/.well-known/openid-configuration');
});
The proxy is set to true because I have https set up on apache redirecting to this server.代理设置为 true 是因为我在 apache 上设置了 https 重定向到此服务器。
I tried to change response_types, but than it required redirect_uri which I do not want to have in my scenario.我试图更改 response_types,但它需要我不希望在我的场景中使用的 redirect_uri。
Here is the request I am trying to post it like so:这是我试图像这样发布它的请求:
POST /me
Headers:
Content-Type: application/json
Authorization: Bearer zdjmZo7_BQSIl4iK9IMcBbKffxGO-wQ3jLzzQXTlyws
The response:响应:
{
"error": "invalid_token",
"error_description": "invalid token provided"
}
Did anyone have a similar problem?有没有人有类似的问题? I found almost the same problem here but with no solution, unfortunately.不幸的是,我在这里发现了几乎相同的问题,但没有解决方案。
In case someone encounters the same problem.如果有人遇到同样的问题。 I was able to solve it.我能够解决它。
I did not have enough information and I did not know what client_credentials grant type does.我没有足够的信息,也不知道 client_credentials 授予类型的作用。
It actually does not authorize the user, but rather some app.它实际上并不授权用户,而是一些应用程序。 So you have no info about the user, hence you cannot get data about the user through the userinfo endpoint.因此您没有关于用户的信息,因此您无法通过 userinfo 端点获取有关用户的数据。
So if you want to get info about the user, you probably want to use grant type authorization_code.因此,如果您想获取有关用户的信息,您可能需要使用授权类型 authorization_code。
I found a page where a lot of things is written pretty clearly, so if you are starting with OAuth server you might want to give this a try.我找到了一个页面,其中很多内容都写得很清楚,所以如果您从 OAuth 服务器开始,您可能想尝试一下。 https://oauth2.thephpleague.com/authorization-server/auth-code-grant/ https://oauth2.thephpleague.com/authorization-server/auth-code-grant/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.