
IdentityServer4 API unauthorized to call introspection endpoint

I am trying to set up IdentityServer4, but I am stuck on authorization: calling the /connect/introspect endpoint gives me this error:

IdentityServer4.Validation.ApiSecretValidator: Error: No API resource with that name found. Aborting
IdentityServer4.Endpoints.IntrospectionEndpoint: Error: API unauthorized to call introspection endpoint. Aborting.

The client is a .NET Framework 4.7 MVC application and uses the IdentityServer3.AccessTokenValidation package.

This is my IdentityServer configuration:

    using System.Collections.Generic;
    using IdentityServer4.Models;

    internal class Resources
    {
        public static IEnumerable<IdentityResource> GetIdentityResources()
        {
            return new[]
            {
                new IdentityResources.OpenId(),
                new IdentityResources.Profile(),
                new IdentityResources.Email(),
                // custom identity resource that exposes the "role" claim
                new IdentityResource
                {
                    Name = "role",
                    UserClaims = new List<string> { "role" }
                }
            };
        }

        public static IEnumerable<ApiResource> GetApiResources()
        {
            return new[]
            {
                new ApiResource
                {
                    Name = "electronicinvoice",
                    DisplayName = "electronicinvoice",
                    Description = "electronicinvoice",
                    Scopes = new List<string> { "electronicinvoice" },
                    // secret the API itself uses when it authenticates to IdentityServer
                    ApiSecrets = new List<Secret> { new Secret("XXXXX".Sha256()) },
                    UserClaims = new List<string> { "role" }
                }
            };
        }

        public static IEnumerable<ApiScope> GetApiScopes()
        {
            return new[]
            {
                new ApiScope("electronicinvoice", "Access to electronicinvoiceactive api"),
            };
        }
    }

Clients:

    using System.Collections.Generic;
    using System.Linq;
    using IdentityServer4.Models;

    internal class Clients
    {
        public static IEnumerable<Client> Get()
        {
            // allow both the client_credentials and the resource owner password grant
            ICollection<string> allowed = GrantTypes.ClientCredentials.Union(GrantTypes.ResourceOwnerPassword).ToList();
            return new List<Client>
            {
                new Client
                {
                    ClientId = "SolutionUpdate",
                    ClientName = "Legal SolutionDOC client",
                    AllowedGrantTypes = allowed,
                    ClientSecrets = new List<Secret> { new Secret("XXXXX".Sha256()) },
                    AllowedScopes = new List<string> { "email", "openid", "profile", "electronicinvoice" },
                }
            };
        }
    }

Startup method:

    using IdentityServer4.Services;
    using IdentityServer4.Validation;
    using Microsoft.Extensions.DependencyInjection;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddInMemoryClients(Clients.Get())
            .AddInMemoryIdentityResources(Resources.GetIdentityResources())
            .AddInMemoryApiResources(Resources.GetApiResources())
            .AddInMemoryApiScopes(Resources.GetApiScopes())
            // development-only signing key; use a real certificate outside of development
            .AddDeveloperSigningCredential()
            .AddProfileService<ProfileService>()
            .AddCustomTokenRequestValidator<TokenRequestValidator>();

        // validator used by the resource owner password grant
        services.AddTransient<IResourceOwnerPasswordValidator, ResourceOwnerPasswordValidator>();
        services.AddTransient<IProfileService, ProfileService>();
    }

And the client configuration:

    using System.IdentityModel.Tokens.Jwt;
    using IdentityServer3.AccessTokenValidation;
    using Owin;

    public void Configuration(IAppBuilder app)
    {
        // keep the short JWT claim type names instead of mapping them to the long URI-style names
        JwtSecurityTokenHandler.InboundClaimTypeMap.Clear();
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions()
        {
            Authority = "https://localhost:44389",
            // credentials this middleware presents when it calls the validation/introspection endpoint
            ClientId = "SolutionUpdate",
            ClientSecret = "XXXXXX",
            ValidationMode = ValidationMode.ValidationEndpoint
        });
    }

Now, I can successfully obtain a valid token with this method:

    using System.Collections.Generic;
    using IdentityModel.Client;

    // inside an MVC action; paramAuth is a request model defined elsewhere in the controller (not shown)
    var client = new TokenClient("https://localhost:44389/connect/token", "SolutionUpdate", "XXXXX");

    // extra form parameters are picked up by the custom TokenRequestValidator on the server
    var extra = new Dictionary<string, string> { { nameof(paramAuth.CustomerCode), paramAuth.ToJson() } };
    var response = client.RequestClientCredentialsAsync("electronicinvoice", extra).Result;
    var token = response.AccessToken;
    return Content(new DTO.GetTokenResponse { Token = token }.ToJson(), "application/json");

But I cannot access any method decorated with the Authorize attribute. I also tried calling the introspection endpoint directly, like this:

    using IdentityModel.Client;

    // authenticates to /connect/introspect with the client's id and secret
    var introspectionClient = new IntrospectionClient("https://localhost:44389/connect/introspect", "SolutionUpdate", "XXXXXX");

    var response = introspectionClient.SendAsync(new IntrospectionRequest { Token = accessToken }).Result;

    var isActive = response.IsActive;
    var claims = response.Claims;

or from Postman:

POST /connect/introspect with Authorization: Basic (username and password) and body Token = myaccesstoken

Any suggestions are welcome. NB: I retyped the passwords I am using; they are all correct.

OK, I figured it out: the introspection endpoint requires basic authentication with the ApiScope credentials. This behaviour may be different in IdentityServer3, or I am missing some configuration somewhere.

So I have 2 workarounds:
- change the ApiScope name and secret to be the same as the clientId and secret
- implement my own AuthorizeAttribute, in which case I would call the introspection endpoint and parse the response.

I will probably go with the second one; it feels less "hackish", and I worry the first workaround would cause me problems when I set up token encryption.
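As an added example (not part of the original question or answer): the poster's own log shows ApiSecretValidator looking up an API resource by the basic-auth username, so the credentials presented to /connect/introspect must be the ApiResource name and ApiSecret declared in Resources.GetApiResources() ("electronicinvoice" / "XXXXX" in the question), not the client's ClientId/ClientSecret. Pointing the existing configuration at those credentials removes the need for either workaround: the client keeps its own identity and the API keeps its own secret. The Authority URL and secret values are taken from the question; the assumption that IdentityServer3.AccessTokenValidation forwards its ClientId/ClientSecret options as the introspection caller's credentials follows from the reported error and is labelled below.

```csharp
// Added example, not from the original post. Assumption: with ValidationMode.ValidationEndpoint,
// IdentityServer3.AccessTokenValidation sends ClientId/ClientSecret as the Basic-auth credentials
// of the introspection caller, which IdentityServer4 resolves to an ApiResource and its ApiSecret.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer3.AccessTokenValidation;
using Owin;

public class Startup
{
    // Values from the question's Resources.GetApiResources(): ApiResource.Name and its ApiSecret.
    private const string Authority = "https://localhost:44389";
    private const string ApiName = "electronicinvoice";
    private const string ApiSecret = "XXXXX";

    public void Configuration(IAppBuilder app)
    {
        JwtSecurityTokenHandler.InboundClaimTypeMap.Clear();

        // Rejected: ClientId = "SolutionUpdate" makes ApiSecretValidator look for an ApiResource
        // named "SolutionUpdate"; none exists, so the introspection call is aborted.
        //
        // Accepted: authenticate as the API resource the tokens are issued for.
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = Authority,
            ClientId = ApiName,       // ApiResource.Name, not the OAuth client id
            ClientSecret = ApiSecret, // ApiSecret, not the client secret
            ValidationMode = ValidationMode.ValidationEndpoint
        });
    }
}

// The same rule applies when calling /connect/introspect directly with IdentityModel's IntrospectionClient.
public static class IntrospectionCheck
{
    public static async Task<bool> IsTokenActiveAsync(string accessToken)
    {
        var introspectionClient = new IntrospectionClient(
            "https://localhost:44389/connect/introspect",
            "electronicinvoice",   // ApiResource.Name
            "XXXXX");              // ApiSecret

        var response = await introspectionClient.SendAsync(new IntrospectionRequest { Token = accessToken });
        if (response.IsError)
        {
            // transport or authentication failure (e.g. wrong API credentials), not a token verdict
            throw new InvalidOperationException("Introspection failed: " + response.Error);
        }

        // IsActive is false for expired or revoked tokens and also for tokens that were not issued
        // for this API, i.e. tokens whose scope/audience does not include "electronicinvoice".
        return response.IsActive;
    }
}
```

For the Postman check described in the question, the same change applies: Basic-auth username "electronicinvoice", password "XXXXX", and a form body of token=&lt;access token&gt;. A 401 at this step means the caller's API credentials were rejected; a 200 with "active": false means the credentials were accepted but the token is not valid for that API.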


Declaration: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to reproduce them, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.

 