asp.net 内核与 azure 通过 oAuth devops 集成的示例

Question

我正在尝试使用 oauth 来促进 asp.net 核心应用程序的集成并在 Azure DevOps 中提交错误。 I followed the guide: https://docs.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops using the asp.net core 3.0 middleware to configure oauth.

当我点击一个标有 [Authorize] 的页面时，它会正确地将我重定向到具有我请求的范围的 devops auth 页面，但是当我授权时，它会将我重定向回我的服务器但出现错误：

{"Error":"invalid_client","ErrorDescription":"无效的客户端身份验证令牌。"}

我已经确认我在我的配置中使用了正确的端点和正确的客户端密码。

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = "ado";
        })
    .AddCookie()
    .AddOAuth("ado", options =>
    {
        options.ClientId = "[AppId from devops]";
        options.ClientSecret = "[Client Secret from devops]";
        options.CallbackPath = new PathString("/signin-ado");

        options.AuthorizationEndpoint = "https://app.vssps.visualstudio.com/oauth2/authorize";
        options.TokenEndpoint = "https://app.vssps.visualstudio.com/oauth2/token";

        options.Scope.Add("vso.identity");
        options.Scope.Add("vso.work_full");

        options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "UserId");
        options.ClaimActions.MapJsonKey(ClaimTypes.Email, "EmailAddress", ClaimValueTypes.Email);
        options.ClaimActions.MapJsonKey(ClaimTypes.Name, "Name");
    });

        services.AddControllersWithViews();

配置：

    app.UseHttpsRedirection();
    app.UseStaticFiles();

    app.UseRouting();

    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}");
    });

我发现使用 oAuth 和 devops 的示例来自 Asp.Net 网络表单，是否有 asp.net 核心？

（这是完整的错误）

An unhandled exception occurred while processing the request.
Exception: OAuth token endpoint failure: Status: BadRequest;Headers: Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
Set-Cookie: VstsSession=%7B%22PersistentSessionId%22%3A%22f8e30b87-a6eb-470d-9ea2-ddf7b1f0dd84%22%2C%22PendingAuthenticationSessionId%22%3A%2200000000-0000-0000-0000-000000000000%22%2C%22CurrentAuthenticationSessionId%22%3A%2200000000-0000-0000-0000-000000000000%22%7D; domain=.visualstudio.com; expires=Mon, 16-Sep-2024 22:38:25 GMT; path=/; secure; HttpOnly
X-TFS-ProcessId: 98486e68-ccc8-4bc2-9907-f44cec26922a
Strict-Transport-Security: max-age=31536000; includeSubDomains
ActivityId: b0088e1b-d2d0-4788-8328-d97aeeecb447
X-TFS-Session: b0088e1b-d2d0-4788-8328-d97aeeecb447
X-VSS-E2EID: b0088e1b-d2d0-4788-8328-d97aeeecb447
Request-Context: appId=cid-v1:20b3930f-73dc-453a-b660-e3891d782eef
Access-Control-Expose-Headers: Request-Context
X-Content-Type-Options: nosniff
X-MSEdge-Ref: Ref A: 9DC5A709B96D4D838858E4FC56797DE4 Ref B: WSTEDGE1017 Ref C: 2019-09-18T22:38:25Z
Date: Wed, 18 Sep 2019 22:38:24 GMT
;Body: {"Error":"invalid_client","ErrorDescription":"Invalid client auth token."};
Unknown location

Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()

Answer 1

如果您的授权代码发布是通过 url 编码的查询字符串完成的，您可以尝试通过请求正文完成它。 您可以在此处参考示例。

Answer 2

问题在于 OAuthHandler 中用于交换令牌授权码的参数与 Azure devops auth 示例中使用的参数不同。

https://github.com/aspnet/AspNetCore/blob/master/src/Security/Authentication/OAuth/src/OAuthHandler.cs ，第 179 行

https://github.com/microsoft/azure-devops-auth-samples/blob/master/OAuthWebSample/OAuthWebSample/Controllers/OAuthController.cs ，第 74 行

您可以通过创建自己的处理程序来解决此问题，该处理程序继承自 OAuthHandler 并覆盖 ExchangeCodeAsync 方法以使用示例中的参数。