[英]The 'offline_access' scope is not allowed when using OpenIdDict
使用带有 Identity 和 OpenIdDict 的 Asp.Net Core 5.0 我有以下内容:
services.AddOpenIddict()
.AddCore(x => {
x.UseEntityFrameworkCore().UseDbContext<Context>().ReplaceDefaultEntities<Application, Authorization, Scope, Token, Int32>();
})
.AddServer(x => {
x.SetAuthorizationEndpointUris("/connect/authorize")
.SetLogoutEndpointUris("/connect/logout")
.SetTokenEndpointUris("/connect/token")
.SetUserinfoEndpointUris("/connect/userinfo");
x.RegisterScopes(OpenIddictConstants.Scopes.Profile, OpenIddictConstants.Scopes.Email, OpenIddictConstants.Scopes.OfflineAccess);
x.AllowAuthorizationCodeFlow();
x.AddDevelopmentEncryptionCertificate().AddDevelopmentSigningCertificate();
x.UseAspNetCore()
.EnableAuthorizationEndpointPassthrough()
.EnableLogoutEndpointPassthrough()
.EnableTokenEndpointPassthrough()
.EnableUserinfoEndpointPassthrough()
.EnableStatusCodePagesIntegration();
})
.AddValidation(x => {
x.UseLocalServer();
x.UseAspNetCore();
});
我有以下客户:
OpenIddictApplicationDescriptor spa = new OpenIddictApplicationDescriptor {
ClientId = "spa",
ClientSecret = "secret",
ConsentType = OpenIddictConstants.ConsentTypes.Implicit,
PostLogoutRedirectUris = {
new Uri("https://localhost:5002/oidc-signout")
},
RedirectUris = {
new Uri("https://localhost:5002/oidc-signin"),
new Uri("https://localhost:5002/oidc-silent-refresh")
},
Permissions = {
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.Endpoints.Logout,
OpenIddictConstants.Permissions.Endpoints.Token,
OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
OpenIddictConstants.Permissions.ResponseTypes.Code,
OpenIddictConstants.Permissions.Scopes.Email,
OpenIddictConstants.Permissions.Scopes.Profile,
OpenIddictConstants.Permissions.Prefixes.Scope + "api"
},
Requirements = {
OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange
}
};
在 Angular Spa 客户端应用程序上,我使用了以下配置:
const settings: UserManagerSettings = {
automaticSilentRenew: true,
authority: "https://localhost:5000",
client_id: 'spa',
client_secret: 'secret',
filterProtocolClaims: true,
loadUserInfo: true,
post_logout_redirect_uri: "https://localhost:5002/oidc-signout",
redirect_uri: "https://localhost:5002/oidc-signin",
response_mode: 'query',
response_type: 'code',
scope: 'openid profile email offline_access api',
silent_redirect_uri: 'https://localhost:5002/oidc-silent-refresh'
};
当我点击 SPA 登录时,我被重定向并收到错误消息:
The 'offline_access' scope is not allowed.
如果我在没有“offline_access”的情况下使用它,那么一切正常,例如:
scope: 'openid profile email api'
我错过了什么?
在可以使用 offline_access 范围之前,应启用刷新令牌流。
在您的Startup.cs您应该更改这一行:
x.AllowAuthorizationCodeFlow();
变成这样:
x.AllowAuthorizationCodeFlow().AllowRefreshTokenFlow();
还有一个与您的问题相关的GitHub问题。
刷新令牌为空,AllowOfflineAccess为true,作用域我为offline_access
[英]Refresh Token is empty and AllowOfflineAccess is true and scope I have offline_access
如何使用 ASP.NET Core 中的 AddOpenIdConnect() 从 Google 请求离线访问权限?
[英]How to request offline_access from Google using .AddOpenIdConnect() in ASP.NET Core?
Blazor 服务器,API 与 OpenIdDict 并使用自省 - 如何处理访问令牌?
[英]Blazor Server, API with OpenIdDict and using introspection - What to do with the access token?
在 OpenIdDict 中使用客户端凭据时,指定的令牌无效是无效的
[英]The specified token is invalid is Invalid when using Client Credentials in OpenIdDict
OpenIddict:使用 AddDevelopmentSigningCertificate()
[英]OpenIddict: Using AddDevelopmentSigningCertificate()
使用openiddict时如何避免使用Microsoft的Microsoft.AspNet.Identity包
[英]How do I avoid using Microsofts's Microsoft.AspNet.Identity package when using openiddict
使用OpenIddict请求令牌时,如何添加要返回的自定义声明?
[英]How can I add custom claims to be returned when requesting a token using OpenIddict?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.