为什么IdentityServer4生成的访问令牌总是无效?
[英]Why is the access token generated by IdentityServer4 always invalid?
问题描述
I am trying to setup a fairly basic identity oAuth server using IdentityServer4 on asp.net core 3.1.
我正在尝试在 asp.net core 3.1 上使用 IdentityServer4 设置一个相当基本的身份 oAuth 服务器。 I've created a basic project and using inmemory configuration.我创建了一个基本项目并使用内存配置。
I can request and receive a bearer token (client credentials flow), but whenever I make an introspection call, I receive a 401 response.我可以请求和接收不记名令牌(客户端凭据流),但是每当我进行自省调用时,我都会收到 401 响应。 I suspect it has something to do with the token itself - trying to verify it using some of the online websites always seems to show an invalid token.我怀疑这与令牌本身有关 - 尝试使用某些在线网站验证它似乎总是显示无效令牌。
My code, Starup.cs:我的代码,Starup.cs:
services.AddIdentityServer()
.AddInMemoryApiScopes(InMemoryConfig.GetApiScopes())
.AddInMemoryApiResources(InMemoryConfig.GetApiResources())
.AddInMemoryIdentityResources(InMemoryConfig.GetIdentityResources())
.AddTestUsers(InMemoryConfig.GetUsers())
.AddInMemoryClients(InMemoryConfig.GetClients())
.AddDeveloperSigningCredential();
InMemoryConfig.cs: InMemoryConfig.cs:
public static IEnumerable<Client> GetClients() =>
new List<Client>
{
new Client
{
ClientId = "myclient",
ClientSecrets = new [] { new Secret("dev-$he turned me into a newt!".Sha512()) },
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId,
"read",
"write",
"update",
"delete"}
}
};
public static IEnumerable<ApiScope> GetApiScopes() =>
new List<ApiScope> {
new ApiScope("read", "read data"),
new ApiScope("write", "write data"),
new ApiScope("update", "update data"),
new ApiScope("delete", "delete data")
};
public static IEnumerable<ApiResource> GetApiResources() =>
new List<ApiResource>
{
new ApiResource("partnerservices", "Partner Services")
{
ApiSecrets = new [] {new Secret("PSSecret")},
Scopes = { "read","write","update","delete"}
},
new ApiResource("coreservices", "Core Services")
{
Scopes = { "read","write","update","delete"}
},
new ApiResource("mysite", "My Site")
{
Scopes = { "read","write","update","delete"}
}
};
Here is the token I obtained:这是我获得的令牌:
{
"access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwQkZDNjQ5NTM2NkU0NTc2NjlDNkEzN0VBOTczQjAwIiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE2MDQ3MDA0NjAsImV4cCI6MTYwNDcwNDA2MCwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMTEiLCJhdWQiOlsicGFydG5lcnNlcnZpY2VzIiwiY29yZXNlcnZpY2VzIiwibXlzaXRlIl0sImNsaWVudF9pZCI6Im15Y2xpZW50IiwianRpIjoiNjYyOTIzQjNGQkY4QzU4QTg2OTBCM0NFNjkxNzZFQTkiLCJpYXQiOjE2MDQ3MDA0NjAsInNjb3BlIjpbImRlbGV0ZSIsInJlYWQiLCJ1cGRhdGUiLCJ3cml0ZSJdfQ.Troia38tgbAR18VMC47UosniAVW8Iq6PwtksX2bOeEClm42_koYsw8_JBZ97i9nk5b9W0liGsQO0AEgukiNIDbeihHI4zMBGSM2y3ZJw-09g7mttbRVFIgPuD_4u7bJi57zZLTdAF6jg_9vxHhHbp2aAH7uXLMgsZB8qpCH9_hJnoxd5r8OKKFBL9wlOSYtnh-D8a0bKH_VnTZxn28Ozt4NJ06PxuqvcC_GEnAHmbSajeDGtPkIhvGhTU2Nd7nHtv9EvBoS__wXsvefgSpv-yCaGZMFc58Abv_LO_WqHsSTbl8eayk6ayoVShiWYh_5Ei5gVmcyCQAF1SO1X8qkGJw",
"expires_in": 3600,
"token_type": "Bearer",
"scope": "delete read update write"
}
...and here is the public key info returned from "jwks_uri": "https://localhost:44311/.well-known/openid-configuration/jwks in my discover docs: ...这里是从“jwks_uri”返回的公钥信息:“https://localhost:44311/.well-known/openid-configuration/jwks 在我的发现文档中:
{"keys":[{"kty":"RSA","use":"sig","kid":"10BFC6495366E457669C6A37EA973B00","e":"AQAB","n":"0Zq2wamtiFtqhNNqlY4rYyC1nbO1hB1ztXIhYJc7tjhhpsyViXyWlKiD8cORmHieO8sH4ZSXCeQbYV7u1nXI7SG28ul9kozpUO7M9vf1nOv50o9mZg_BOyMFnTgcDMN6zjT1IWM9K5NY-2D7jSZvxQo4GNwWr2SpytRXLYAgWSHgj3wDarZIXfHKmIRSYvS8L6d_2G0dbxWD699VQMRz0WBjRR6qwhlXc4-4dSeBfvrioWf0DA6LD2NGNA1oP1XWuV_Htkh2Ay5Ck4AyUc3xbC4TVI3SpuhYMK_3zuHwmnzA1L4SyXnHG963hXpbDSUtu01i3YTK2v5MterR9PFWzQ","alg":"RS256"}]}
If you're still reading this, thanks already!如果您还在阅读本文,谢谢! The issue is that I cannot make a subsequent introspect call using that bearer token, nor can I validate that token using any of the online validators (eg jwt.io)问题是我无法使用该承载令牌进行后续内省调用,也无法使用任何在线验证器(例如 jwt.io)验证该令牌
What am I missing?我错过了什么?
for completeness, here is my introspect call:为了完整起见,这是我的自省电话:
> POST /connect/introspect HTTP/2
> Host: localhost:44311
> authorization: Basic ZXRyYWMtY2xhcmlmeTpldHJhY2Rldi0kaGUgdHVybmVkIG1lIGludG8gYSBuZXd0IQ==
> user-agent: insomnia/2020.4.2
> content-type: application/x-www-form-urlencoded
> accept: */*
> content-length: 796
| token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwQkZDNjQ5NTM2NkU0NTc2NjlDNkEzN0VBOTczQjAwIiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE2MDQ2ODkxMTgsImV4cCI6MTYwNDY5MjcxOCwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMTEiLCJhdWQiOlsiZXRyYWMtcGFydG5lcnNlcnZpY2VzIiwiZXRyYWMtY29yZXNlcnZpY2VzIiwiZXRyYWMtbGlua2QiXSwiY2xpZW50X2lkIjoiZXRyYWMtY2xhcmlmeSIsImp0aSI6IjNGQzQ0NzE4QTAyMzcyRUFBOUFDMDUzOEQyNjQyMDk5IiwiaWF0IjoxNjA0Njg5MTE4LCJzY29wZSI6WyJkZWxldGUiLCJyZWFkIiwidXBkYXRlIiwid3JpdGUiXX0.iDl8MEgqRcgFdg3T-rST9jTIxGJfwMtGQ-a6nSAxOadqs8P0EM_UcCYVwKhuzjNM4uORbrhsD5XDB2wMtgMEaSgNdKlH5NA2OTRkftFAKyii2M0ihQL06rN1KVURKySK4d38pezuQxZ48blDaro5ae8RUxMOkRlsPwX6e6LBKeJ2MkqmKcj6AJ1b0sDkJpdgagy4gjvBGWcQOAf_TuEobaWBEKEdzF_gM0a321PDFayCTuezc7bIYN5eq4VQL3-PINbOq72Cashjmi4BCNF0sV-gKq1blDMEZ6UcN-jGOUaaEtvh36H8bHw2H-mY1535tPpX4PzpE_zB6mtHvpJScA
2 个解决方案
解决方案1
1 2020-11-07 07:56:35
It all looks good, the code I use to make manual introspection calls looks like this below using the Flurl.Http NuGetp package:一切看起来都不错,我使用 Flurl.Http NuGetp 包进行手动自省调用的代码如下所示:
/// <summary>
/// Introspect an access token
/// </summary>
/// <param name="accessToken">The received access token</param>
/// <param name="apiName">The name of this API-Resource as defined in Identity Server</param>
/// <param name="apiSecret">the API secret as defined in the API-Resource</param>
private void IntrospectToken(string accessToken, string apiName, string apiSecret)
{
//Get the Introspection endpoint URL
var url = new Url(openIdConfig.IntrospectionEndpoint).WithBasicAuth(apiName, apiSecret);
var introspectionResult = url.PostUrlEncodedAsync(new
{
token = accessToken
}).ReceiveString().Result;
//Console.WriteLine("\r\nintrospection Result");
//Console.WriteLine(introspectionResult);
}
Perhaps it can give some clues?也许它可以提供一些线索?
解决方案2
0 2020-11-07 14:14:34
Regarding the validation with jwt.io.关于 jwt.io 的验证。 Actually the result is Signature Verified .实际上结果是Signature Verified 。 Most likely you entered the keys array, not the only element into the Public key field.很可能您输入了 keys 数组,而不是Public key字段中的唯一元素。
Next, you do not have to use introspection for JWTs.接下来,您不必对 JWT 使用自省。 They are for validation in place.它们用于就地验证。 Please read the first googled SO answer for more details.请阅读第一个谷歌搜索 SO 答案以获取更多详细信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.