使用 okta 身份验证打开身份验证自省

Question

I am trying to introspect token recieved from okta inside .net core api, but keep getting "token is not active".我正在尝试反省从 .net 核心 api 内部的 okta 收到的令牌，但不断收到“令牌未激活”。 With the setup you see bellow I am able to retrieve identity from token.(basic okta auth schema)通过下面的设置，我可以从令牌中检索身份。（基本的 okta 身份验证模式）

service.AddAuthentication(options =>
  {
   options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;         
   options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
   options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
   })
   .AddOktaWebApi(new OktaWebApiOptions()
   {
   OktaDomain = configuration["Authentication:Okta:OktaDomain"],
   AuthorizationServerId = configuration["Authentication:Okta:AuthorizationServerId"],
   Audience = configuration["Authentication:Okta:Audience"]});

But I need to set up authentication with "Introspection" schema here is my configuration:但我需要使用“内省”模式设置身份验证，这是我的配置：

service.AddAuthentication(auth =>     
    {
     auth.DefaultAuthenticateScheme = "Introspection";
       auth.DefaultChallengeScheme = "Introspection";
       auth.DefaultSignInScheme = "Introspection";
       })
       .AddOAuth2Introspection("Introspection", options =>
       {
       options.Authority = configuration["Authentication:Okta:Authority"];
       options.ClientId = configuration["Authentication:Okta:ClientId"];     
       options.TokenRetriever = request =>
    
       {
       string token = "";                
       if (request.Headers.ContainsKey("Authorization"))
       {                
        var parts = request.Headers["Authorization"].ToString().Split(" ");
        token = parts[1];
        return token;
       }
            if (request.Query.ContainsKey("access_token"))
            {
                token = request.Query["access_token"];
            }
            if (request.Cookies.ContainsKey("access_token"))
            {
                token = request.Cookies["access_token"];
            }
            return token;
        };
    });

Does anyone know what could be the reason?有谁知道可能是什么原因？

Answer 1

Okay, I`v found the problem but have no idea how to solve it for now, so the auth handler on back makes a request by wrong url, it does not specify default as query param.好的，我找到了问题，但现在不知道如何解决，所以后面的 auth 处理程序通过错误的 url 发出请求，它没有将默认值指定为查询参数。 It should be like this: https://domain/oauth2/default/v1/introspect But instead it looks like this: https://domain/oauth2/v1/introspect它应该是这样的：https://domain/oauth2/default/v1/introspect 但它看起来像这样：https://domain/oauth2/v1/introspect

Answer 2

I found the solution.我找到了解决方案。 There is a IntrospectionEndpoint property on IntrospectionOptions where you can specify full path including the authenticationServerID. IntrospectionOptions 上有一个IntrospectionEndpoint属性，您可以在其中指定包括 authenticationServerID 在内的完整路径。 Also need to add that for some authServer there no authServID at all and you can use authority where you just specifying domain( https://domain) and all the rest is done by introspectionHandler还需要补充一点，对于某些 authServer，根本没有 authServID，您可以使用仅指定域（https://domain）的权限，并且所有 rest 都由 introspectionHandler 完成

使用 okta 身份验证打开身份验证自省

问题描述

1 个解决方案

解决方案1
0 2022-09-24 19:26:23

解决方案2
0 2022-09-24 20:23:06

使用 okta 身份验证打开身份验证自省

问题描述

1 个解决方案

解决方案1 0 2022-09-24 19:26:23

解决方案2 0 2022-09-24 20:23:06

解决方案1
0 2022-09-24 19:26:23

解决方案2
0 2022-09-24 20:23:06