stackoom
  简体   繁体   中英

The specified token is invalid is Invalid when using Client Credentials in OpenIdDict

 原文  2020-11-06 18:27:29       asp.net-core/ openiddict/ asp.net-core-5.0

Question

With Asp.Net Core 5 and OpenIdDict I have the configuration for Authorization Code and Client Credentials:

services.AddOpenIddict()
  
  .AddCore(x => {
    x.UseEntityFrameworkCore().UseDbContext<Context>().ReplaceDefaultEntities<Application, Authorization, Scope, Token, Int32>();
  })

  .AddServer(x => {

    x.SetAuthorizationEndpointUris("/connect/authorize")
     .SetLogoutEndpointUris("/connect/logout")
     .SetTokenEndpointUris("/connect/token")
     .SetUserinfoEndpointUris("/connect/userinfo")
     .SetIntrospectionEndpointUris("/.well-known/openid-configuration");

    x.RegisterScopes(OpenIddictConstants.Scopes.Profile, OpenIddictConstants.Scopes.Email, OpenIddictConstants.Scopes.OfflineAccess);

    x.AllowAuthorizationCodeFlow()
     .AllowRefreshTokenFlow()
     .AllowClientCredentialsFlow();

    x.AddDevelopmentEncryptionCertificate().AddDevelopmentSigningCertificate();

    x.UseAspNetCore()
     .EnableAuthorizationEndpointPassthrough()
     .EnableLogoutEndpointPassthrough()
     .EnableTokenEndpointPassthrough()
     .EnableUserinfoEndpointPassthrough()
     .EnableStatusCodePagesIntegration();
    })

  .AddValidation(x => {
    x.UseLocalServer();
    x.UseAspNetCore();
  });

On the API I have:

 services.AddOpenIddict()
  .AddValidation(x => {
    x.SetIssuer("https://localhost:5000");
      x.AddAudiences("api");
      x.UseIntrospection().SetClientId("api").SetClientSecret("SecretAPI");
      x.UseSystemNetHttp();
      x.UseAspNetCore();
    });

Then I have the Client and the API applications:

  OpenIddictApplicationDescriptor mvc = new OpenIddictApplicationDescriptor {
    ClientId = "mvc",
    ClientSecret = "SecretMVC",
    ConsentType = OpenIddictConstants.ConsentTypes.Explicit,
      Permissions = {
        OpenIddictConstants.Permissions.Endpoints.Token,
        OpenIddictConstants.Permissions.GrantTypes.ClientCredentials,
        OpenIddictConstants.Permissions.Prefixes.Scope + "api"
      }
    };

      
  OpenIddictApplicationDescriptor api = new OpenIddictApplicationDescriptor {
    ClientId = "api",
    ClientSecret = "SecretAPI",
    Permissions = {
      OpenIddictConstants.Permissions.Endpoints.Introspection
    }
  };

I am able to get an Access token using Insomnia Rest Client and Client Credentials.

But when I call the API with the given access token I get the following error:

Bearer error = "invalid_token", error_description = "The specified token is invalid."

Why does this happen?

Update

On the logs I have the following:

[12:09:52 Debug] OpenIddict.Validation.OpenIddictValidationDispatcher
The event OpenIddict.Validation.OpenIddictValidationEvents+HandleIntrospectionResponseContext was marked as rejected by OpenIddict.Validation.OpenIddictValidationHandlers+HandleErrorResponse`1[[OpenIddict.Validation.OpenIddictValidationEvents+HandleIntrospectionResponseContext, OpenIddict.Validation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].

[12:09:52 Debug] OpenIddict.Validation.OpenIddictValidationDispatcher
An error occurred while introspecting the token.
OpenIddict.Abstractions.OpenIddictExceptions+GenericException: An error occurred while handling the introspection response.
  Error: invalid_request
  Error description: The specified HTTP method is not valid.
  Error URI:
   at OpenIddict.Validation.OpenIddictValidationService.<>c__DisplayClass5_0.<<IntrospectTokenAsync>g__HandleIntrospectionResponseAsync|3>d.MoveNext()
--- End of stack trace from previous location ---
   at OpenIddict.Validation.OpenIddictValidationService.IntrospectTokenAsync(Uri address, String token, String type, CancellationToken cancellationToken)
   at OpenIddict.Validation.OpenIddictValidationService.IntrospectTokenAsync(Uri address, String token, String type, CancellationToken cancellationToken)
   at OpenIddict.Validation.OpenIddictValidationHandlers.IntrospectToken.HandleAsync(ProcessAuthenticationContext context)

[12:09:52 Debug] OpenIddict.Validation.OpenIddictValidationDispatcher
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+IntrospectToken.

1 answers

solution1
 2 ACCPTED  2020-11-08 17:12:19

You configured your introspection endpoint to share the same address as the OIDC provider configuration endpoint, which prevents introspection requests from being recognized as valid POST requests.

Fix SetIntrospectionEndpointUris("/.well-known/openid-configuration") to use a different address and it should work.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Openiddict can create token but seems to be invalid ADFS 4.0: Received invalid Client credentials Token with invalid signature in IdentityServer4 with client Angular How do I configure SwaggerGen with OpenIddict parameters for client credentials grant? Get Token by loging in with External Providers using OpenIddict How can I add custom claims to be returned when requesting a token using OpenIddict? Invalid Signature when generate bearer token “Invalid object name 'OpenIddictAuthorizations'.” - OpenIddict/.Net Core Identity Error Invalid Token - The audience 'empty' is invalid JWT token invalid token error using ASP.NET Core
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM