OpenID Connect AllowedRedirectUris 为空,导致 IdentityServer4 上的“redirect_uri 无效”
[英]OpenID Connect AllowedRedirectUris empty resulting in “invalid redirect_uri” on IdentityServer4
问题描述
我在 .NET Core 项目上运行 IdentityServer4,并且我正在尝试使现有的 .NET Framework Web 应用程序成为该服务器的客户端。
该项目正在使用Microsoft.Owin.Security ,并且在Startup.cs我设置了身份验证设置。
但是,当请求发送到 IdentityServer 时, AllowedRedirectUris参数只是一个空数组,因此RedirectUri参数与该空数组中的参数不匹配,从而导致invalid redirect_uri错误。
这是现有项目的Startup.cs :
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
namespace MyProject.Services
{
public partial class Startup
{
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions {
AuthenticationType = "Cookies"
});
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
RequireHttpsMetadata = false,
AuthenticationType = "oidc",
SignInAsAuthenticationType = "Cookies",
Authority = "http://localhost:5000",
RedirectUri = "http://localhost:8010/myproject.services/api/oidc",
PostLogoutRedirectUri = "http://localhost:8010/myproject.application",
ClientId = "CLIENT1",
ClientSecret = "a-local-testing-password",
Scope = "CLIENT1 offline_access",
ResponseType = "code id_token"
});
}
}
}
这是从日志中找到的配置生成的请求:
IdentityServer4.Endpoints.AuthorizeEndpoint[0]
{
"ClientId": "CLIENT1",
"ClientName": "CLIENT1_name",
"RedirectUri": "http://localhost:8010/myproject.services/api/oidc",
"AllowedRedirectUris": [], <-- is empty, but should contain the RedirectUri
"SubjectId": "anonymous",
"RequestedScopes": "",
"Raw": {
"client_id": "CLIENT1",
"redirect_uri": "http://localhost:8010/myproject.services/api/oidc",
"response_mode": "form_post",
"response_type": "code id_token",
"scope": "openid profile",
"state": "OpenIdConnect.AuthenticationProperties=[...]",
"nonce": "[...]",
"x-client-SKU": "ID_NET451",
"x-client-ver": "5.2.1.0"
}
}
那么有人知道如何让AllowedRedirectUris包含给定的RedirectUri以便我的 IdentityServer4 接受请求吗?
更新:这是 IdentityServer4 项目中的客户端对象:
new IdentityServer4.Models.Client
{
ClientId = "CLIENT1",
ClientName = "CLIENT1-name",
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
ClientSecrets =
{
new IdentityServer4.Models.Secret("a-local-testing-password".Sha256())
},
RedirectUris = { "http://localhost:8010/myproject.services/api/oidc" },
PostLogoutRedirectUris = { "http://localhost:8010/myproject.application" },
AlwaysSendClientClaims = true,
AlwaysIncludeUserClaimsInIdToken = true,
AllowedScopes = {
"CLIENT1"
},
Properties = new Dictionary<string, string>
{
{ "TenantName", "CLIENT1" },
{ "ImageUrl", "/Images/CLIENT1.png" },
},
IdentityProviderRestrictions = {
"LocalOnly"
},
AllowOfflineAccess = true
},
Update2 :这是 IdentityServer4 的Startup.cs :
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using MyProject.STS4.ManagementSite.Data;
using MyProject.STS4.ManagementSite.Models;
using MyProject.STS4.ManagementSite.Services;
using MyProject.STS4.ManagementSite.Tenant;
using IdentityServer4.Services;
using Microsoft.Extensions.DependencyInjection.Extensions;
using System.Reflection;
using IdentityServer4.EntityFramework.DbContexts;
using IdentityServer4.EntityFramework.Mappers;
using Microsoft.IdentityModel.Tokens;
using IdentityServer4;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using System.Globalization;
using System.Security.Claims;
using MyProject.STS4.ManagementSite.Models.Mail;
namespace MyProject.STS4.ManagementSite
{
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
// Read this part of the appsettings.json and convert it into the SmtpConfig
services.Configure<SmtpConfig>(Configuration.GetSection("Smtp"));
string connectionString = Configuration.GetConnectionString("DefaultConnection");
var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;
services.AddDbContext<ApplicationDbContext>(options =>
options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"),
sqlOptions => sqlOptions.MigrationsAssembly(migrationsAssembly)
));
// Explicitly added
//services.TryAddScoped<IUserClaimsPrincipalFactory<TenantUser>, UserClaimsPrincipalFactory<TenantUser, IdentityRole>>();
services.AddIdentity<TenantUser, IdentityRole>(options =>
{
// This should send a mail when registering
options.SignIn.RequireConfirmedEmail = false;
options.User.RequireUniqueEmail = false;
// Allows emails toe be used in the username
options.User.AllowedUserNameCharacters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@+";
})
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders()
.AddUserValidator<TenantUserValidator>(); // register our own validator
// Add application services.
services.AddTransient<IEmailSender, EmailSender>();
services.AddMvc();
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddAspNetIdentity<TenantUser>()
// this adds the config data from DB (clients, resources)
.AddConfigurationStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(connectionString,
sql => sql.MigrationsAssembly(migrationsAssembly));
})
// this adds the operational data from DB (codes, tokens, consents)
.AddOperationalStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(connectionString,
sql => sql.MigrationsAssembly(migrationsAssembly));
// this enables automatic token cleanup. this is optional.
options.EnableTokenCleanup = true;
options.TokenCleanupInterval = 30;
});
// Add the possible authentication methods
services.AddAuthentication()
.AddGoogle("Google", options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.ClientId = "[...]";
options.ClientSecret = "[...]";
})
.AddOpenIdConnect("oidc", "OpenID Connect", options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.SignOutScheme = IdentityServerConstants.SignoutScheme;
options.Authority = "http://localhost:5000/";
options.RequireHttpsMetadata = false;
options.ClientId = "implicit";
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "role"
};
});
// This is still to test Azure Auth
//.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
//{
// ClientId = Configuration["AzureAD:ClientId"],
// Authority = string.Format(CultureInfo.InvariantCulture, Configuration["AzureAd:AadInstance"], "common", "/v2.0"),
// ResponseType = OpenIdConnectResponseType.IdToken,
// Events = new OpenIdConnectEvents
// {
// OnTokenValidated = TokenValidated
// },
// TokenValidationParameters = new TokenValidationParameters
// {
// // Instead of using the default validation (validating against
// // a single issuer value, as we do in line of business apps),
// // we inject our own multitenant validation logic
// ValidateIssuer = false,
// NameClaimType = "name"
// }
//}
//);
// Registering this service allows for checking if user is active and enhancing the user with extra data (such as the claims)
services.AddTransient<IProfileService, TenantUserProfileService>();
}
private Task TokenValidated(TokenValidatedContext context)
{
/* ---------------------
// Replace this with your logic to validate the issuer/tenant
---------------------
// Retriever caller data from the incoming principal
string issuer = context.SecurityToken.Issuer;
string subject = context.SecurityToken.Subject;
string tenantID = context.Ticket.Principal.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
// Build a dictionary of approved tenants
IEnumerable<string> approvedTenantIds = new List<string>
{
"<Your tenantID>",
"9188040d-6c67-4c5b-b112-36a304b66dad" // MSA Tenant
};
o
if (!approvedTenantIds.Contains(tenantID))
throw new SecurityTokenValidationException();
--------------------- */
var claimsIdentity = (ClaimsIdentity)context.Principal.Identity;
//add your custom claims here
claimsIdentity.AddClaim(new Claim("test", "helloworld!!!"));
return Task.FromResult(0);
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
// this will do the initial DB population
SeedData.EnsureSeedData(app.ApplicationServices);
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseBrowserLink();
app.UseDatabaseErrorPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
app.UseStaticFiles();
// app.UseAuthentication(); // not needed, since UseIdentityServer adds the authentication middleware
app.UseIdentityServer();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
}
}
1 个解决方案
解决方案1
0 已采纳 2018-07-27 09:35:53
IdentityServer4 项目创建了数据库,但配置使服务器使用内存数据而不是数据库数据。 所以内存中的数据没有更新的值......
为什么Live Connect SignInButton失败并带有无效的redirect_uri?
[英]Why does the Live Connect SignInButton fail with an invalid redirect_uri?
Identityserver4 / OpenId Connect,混合模式,令牌刷新失败
[英]Identityserver4/OpenId Connect, Hybrid mode, Token Refresh Fails
OpenID可以从客户端而不是内部生成IdentityServer4请求令牌中的Connect吗?
[英]Can OpenID Connect in IdentityServer4 Request Tokens from Client rather than generate internally?
IdentityServer4和ASP.NET MVC(.NET 4.6.2)之间的OpenID连接
[英]OpenID connect between IdentityServer4 and ASP.NET MVC (.NET 4.6.2)
如何在ASP.NET WEB API中验证由identityserver4生成的OpenID Connect访问令牌
[英]How to Validate OpenID Connect Access Token generated by identityserver4 in ASP.NET WEB API
IdentityServer4 登录用户在客户端应用程序中使用 OpenID Connect 事件进行验证
[英]IdentityServer4 Login user validate in Client application using OpenID Connect Events
如何使用openid连接混合流来代表用户(IdentityServer4 Asp.Net Core 2.0)调用Api?
[英]How to us openid connect hybrid flow to call an Api on behalf of user (IdentityServer4 Asp.Net Core 2.0)?
IIS 反向代理背后的 WebApp 在通过 OIDC 对外部 IdentityServer 进行身份验证时设置了错误的 signin_oidc redirect_uri
[英]WebApp behind IIS reverse proxy sets wrong signin_oidc redirect_uri while authenticating against external IdentityServer via OIDC
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
无效的 redirect_uri IdentityServer4 和 AppAuth
IdentityServer4 无效的 Redirect_Uri 错误
为什么Live Connect SignInButton失败并带有无效的redirect_uri?
Identityserver4 / OpenId Connect,混合模式,令牌刷新失败
OpenID可以从客户端而不是内部生成IdentityServer4请求令牌中的Connect吗?
IdentityServer4和ASP.NET MVC(.NET 4.6.2)之间的OpenID连接
如何在ASP.NET WEB API中验证由identityserver4生成的OpenID Connect访问令牌
IdentityServer4 登录用户在客户端应用程序中使用 OpenID Connect 事件进行验证
如何使用openid连接混合流来代表用户(IdentityServer4 Asp.Net Core 2.0)调用Api?
IIS 反向代理背后的 WebApp 在通过 OIDC 对外部 IdentityServer 进行身份验证时设置了错误的 signin_oidc redirect_uri
相关标签