为什么IdentityServer4生成的访问令牌总是无效？

Question

我正在尝试在 asp.net core 3.1 上使用 IdentityServer4 设置一个相当基本的身份 oAuth 服务器。 我创建了一个基本项目并使用内存配置。

我可以请求和接收不记名令牌（客户端凭据流），但是每当我进行自省调用时，我都会收到 401 响应。 我怀疑这与令牌本身有关 - 尝试使用某些在线网站验证它似乎总是显示无效令牌。

我的代码，Starup.cs：

            services.AddIdentityServer()
                .AddInMemoryApiScopes(InMemoryConfig.GetApiScopes())
                .AddInMemoryApiResources(InMemoryConfig.GetApiResources())
                .AddInMemoryIdentityResources(InMemoryConfig.GetIdentityResources())
                .AddTestUsers(InMemoryConfig.GetUsers())
                .AddInMemoryClients(InMemoryConfig.GetClients())
                .AddDeveloperSigningCredential(); 

InMemoryConfig.cs：

        public static IEnumerable<Client> GetClients() =>
            new List<Client>
            {
               new Client
               {
                    ClientId = "myclient",
                    ClientSecrets = new [] { new Secret("dev-$he turned me into a newt!".Sha512()) },
                    AllowedGrantTypes = GrantTypes.ClientCredentials,
                    AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId,
                        "read",
                        "write",
                        "update",
                        "delete"}
                }
            };


        public static IEnumerable<ApiScope> GetApiScopes() =>
            new List<ApiScope> { 
                new ApiScope("read", "read data"),
                new ApiScope("write", "write data"),
                new ApiScope("update", "update data"),
                new ApiScope("delete", "delete data")
            };

        public static IEnumerable<ApiResource> GetApiResources() =>
            new List<ApiResource>
            {
                new ApiResource("partnerservices", "Partner Services")
                {
                    ApiSecrets = new [] {new Secret("PSSecret")},
                    Scopes = { "read","write","update","delete"}
                },
                new ApiResource("coreservices", "Core Services")
                {
                    Scopes = { "read","write","update","delete"}
                },
                new ApiResource("mysite", "My Site")
                {
                    Scopes = { "read","write","update","delete"}
                }

            };

这是我获得的令牌：

{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwQkZDNjQ5NTM2NkU0NTc2NjlDNkEzN0VBOTczQjAwIiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE2MDQ3MDA0NjAsImV4cCI6MTYwNDcwNDA2MCwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMTEiLCJhdWQiOlsicGFydG5lcnNlcnZpY2VzIiwiY29yZXNlcnZpY2VzIiwibXlzaXRlIl0sImNsaWVudF9pZCI6Im15Y2xpZW50IiwianRpIjoiNjYyOTIzQjNGQkY4QzU4QTg2OTBCM0NFNjkxNzZFQTkiLCJpYXQiOjE2MDQ3MDA0NjAsInNjb3BlIjpbImRlbGV0ZSIsInJlYWQiLCJ1cGRhdGUiLCJ3cml0ZSJdfQ.Troia38tgbAR18VMC47UosniAVW8Iq6PwtksX2bOeEClm42_koYsw8_JBZ97i9nk5b9W0liGsQO0AEgukiNIDbeihHI4zMBGSM2y3ZJw-09g7mttbRVFIgPuD_4u7bJi57zZLTdAF6jg_9vxHhHbp2aAH7uXLMgsZB8qpCH9_hJnoxd5r8OKKFBL9wlOSYtnh-D8a0bKH_VnTZxn28Ozt4NJ06PxuqvcC_GEnAHmbSajeDGtPkIhvGhTU2Nd7nHtv9EvBoS__wXsvefgSpv-yCaGZMFc58Abv_LO_WqHsSTbl8eayk6ayoVShiWYh_5Ei5gVmcyCQAF1SO1X8qkGJw",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "delete read update write"
}

...这里是从“jwks_uri”返回的公钥信息：“https://localhost:44311/.well-known/openid-configuration/jwks 在我的发现文档中：

{"keys":[{"kty":"RSA","use":"sig","kid":"10BFC6495366E457669C6A37EA973B00","e":"AQAB","n":"0Zq2wamtiFtqhNNqlY4rYyC1nbO1hB1ztXIhYJc7tjhhpsyViXyWlKiD8cORmHieO8sH4ZSXCeQbYV7u1nXI7SG28ul9kozpUO7M9vf1nOv50o9mZg_BOyMFnTgcDMN6zjT1IWM9K5NY-2D7jSZvxQo4GNwWr2SpytRXLYAgWSHgj3wDarZIXfHKmIRSYvS8L6d_2G0dbxWD699VQMRz0WBjRR6qwhlXc4-4dSeBfvrioWf0DA6LD2NGNA1oP1XWuV_Htkh2Ay5Ck4AyUc3xbC4TVI3SpuhYMK_3zuHwmnzA1L4SyXnHG963hXpbDSUtu01i3YTK2v5MterR9PFWzQ","alg":"RS256"}]}

如果您还在阅读本文，谢谢！ 问题是我无法使用该承载令牌进行后续内省调用，也无法使用任何在线验证器（例如 jwt.io）验证该令牌

我错过了什么？

为了完整起见，这是我的自省电话：

> POST /connect/introspect HTTP/2
> Host: localhost:44311
> authorization: Basic ZXRyYWMtY2xhcmlmeTpldHJhY2Rldi0kaGUgdHVybmVkIG1lIGludG8gYSBuZXd0IQ==
> user-agent: insomnia/2020.4.2
> content-type: application/x-www-form-urlencoded
> accept: */*
> content-length: 796

| token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwQkZDNjQ5NTM2NkU0NTc2NjlDNkEzN0VBOTczQjAwIiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE2MDQ2ODkxMTgsImV4cCI6MTYwNDY5MjcxOCwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMTEiLCJhdWQiOlsiZXRyYWMtcGFydG5lcnNlcnZpY2VzIiwiZXRyYWMtY29yZXNlcnZpY2VzIiwiZXRyYWMtbGlua2QiXSwiY2xpZW50X2lkIjoiZXRyYWMtY2xhcmlmeSIsImp0aSI6IjNGQzQ0NzE4QTAyMzcyRUFBOUFDMDUzOEQyNjQyMDk5IiwiaWF0IjoxNjA0Njg5MTE4LCJzY29wZSI6WyJkZWxldGUiLCJyZWFkIiwidXBkYXRlIiwid3JpdGUiXX0.iDl8MEgqRcgFdg3T-rST9jTIxGJfwMtGQ-a6nSAxOadqs8P0EM_UcCYVwKhuzjNM4uORbrhsD5XDB2wMtgMEaSgNdKlH5NA2OTRkftFAKyii2M0ihQL06rN1KVURKySK4d38pezuQxZ48blDaro5ae8RUxMOkRlsPwX6e6LBKeJ2MkqmKcj6AJ1b0sDkJpdgagy4gjvBGWcQOAf_TuEobaWBEKEdzF_gM0a321PDFayCTuezc7bIYN5eq4VQL3-PINbOq72Cashjmi4BCNF0sV-gKq1blDMEZ6UcN-jGOUaaEtvh36H8bHw2H-mY1535tPpX4PzpE_zB6mtHvpJScA

Answer 1

一切看起来都不错，我使用 Flurl.Http NuGetp 包进行手动自省调用的代码如下所示：

/// <summary>
/// Introspect an access token
/// </summary>
/// <param name="accessToken">The received access token</param>
/// <param name="apiName">The name of this API-Resource as defined in Identity Server</param>
/// <param name="apiSecret">the API secret as defined in the API-Resource</param>
private void IntrospectToken(string accessToken, string apiName, string apiSecret)
{
    //Get the Introspection endpoint URL

    var url = new Url(openIdConfig.IntrospectionEndpoint).WithBasicAuth(apiName, apiSecret);

    var introspectionResult = url.PostUrlEncodedAsync(new
    {
        token = accessToken

    }).ReceiveString().Result;

    //Console.WriteLine("\r\nintrospection Result");
    //Console.WriteLine(introspectionResult);
}

也许它可以提供一些线索？

Answer 2

关于 jwt.io 的验证。 实际上结果是Signature Verified 。 很可能您输入了 keys 数组，而不是Public key字段中的唯一元素。

接下来，您不必对 JWT 使用自省。 它们用于就地验证。 请阅读第一个谷歌搜索 SO 答案以获取更多详细信息。