[英]Trouble authorizing .NET 5 Web API reference tokens to IdentityServer3 using IdentityServer4.AccessTokenValidation package
Using IdentityServer3 for client/application authorization.使用 IdentityServer3 进行客户端/应用程序授权。
Using IdentityAdmin to edit clients/scopes via GUI.使用 IdentityAdmin 通过 GUI 编辑客户端/范围。
Created a new Client for the API, added a SharedSecret and api scope.为 API 创建了一个新客户端,添加了 SharedSecret 和 api 范围。
Has 2 GET endpoints.有 2 个 GET 端点。
Uses the IdentityServer4.AccessTokenValidation NuGet package.使用 IdentityServer4.AccessTokenValidation NuGet 包。
Configuration should be simple:配置应该很简单:
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers(c => {
var policy = ScopePolicy.Create("api");
c.Filters.Add(new AuthorizeFilter(policy));
});
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(options => {
options.Authority = "{base url of identity server}";
options.ApiName = ""; // not sure what this is? client id from identity server?
options.ApiSecret = ""; // should this be the hashed password?
options.LegacyAudienceValidation = true;
});
services.AddSwaggerGen(c => {
c.SwaggerDoc("v1", new OpenApiInfo { Title = "MarvalAPI", Version = "v1" });
});
RegisterServices(services);
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment()) {
app.UseDeveloperExceptionPage();
app.UseSwagger();
app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "MarvalAPI v1"));
}
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthentication(); //this is added, everything else is by default
app.UseAuthorization();
app.UseEndpoints(endpoints => {
endpoints.MapControllers();
});
}
Testing:测试:
Things I have tried:我尝试过的事情:
I am at a loss here, am I doing something totally wrong?我在这里不知所措,我做错了什么吗? Is this just a compatibility issue?
这只是兼容性问题吗? Or am I just not understanding anything at all?
还是我根本就什么都不懂? Seems like clear documentation is scarce and users have to draw out information.
似乎缺乏清晰的文档,用户必须提取信息。
https://github.com/IdentityServer/CrossVersionIntegrationTests/blob/main/src/CoreApiIdSrv3/Startup.cs https://github.com/IdentityServer/CrossVersionIntegrationTests/blob/main/src/CoreApiIdSrv3/Startup.cs
https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation
IdentityServer3 documentation IdentityServer3 文档
SO / github/identityserver3 threads. SO / github/identityserver3 线程。
Well, some time after making this post I figured it out.好吧,发表这篇文章一段时间后,我想通了。
options.ApiName = "";
options.ApiSecret = "";
ApiName is the name of the scope which the client uses, so it this case the value should be api . ApiName是客户端使用的范围的名称,因此在这种情况下,该值应为api 。
ApiSecret is the PRE-HASHED value of the scope secret . ApiSecret是范围 secret的PRE-HASHED值。
eg if secret value is "test" and it's SHA256 value is 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08, then ApiSecret value should be test例如,如果秘密值是“测试”并且它的 SHA256 值是 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,那么ApiSecret值应该是测试
So, after figuring this out, the above options config should look like this:因此,在弄清楚这一点之后,上面的选项配置应该是这样的:
options.ApiName = "api";
options.ApiSecret = "test";
Note: SHA512 works as well.注意: SHA512 也适用。
To me this seems like a major naming issue.对我来说,这似乎是一个主要的命名问题。
I solved this after analysing this VS solution:我在分析了这个 VS 解决方案后解决了这个问题:
https://github.com/IdentityServer/CrossVersionIntegrationTests https://github.com/IdentityServer/CrossVersionIntegrationTests
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.