
"The specified token is invalid" when using Client Credentials in OpenIddict

Using Asp.Net Core 5 and OpenIddict, I have the configuration for Authorization Code and Client Credentials:

services.AddOpenIddict()
  
  .AddCore(x => {
    x.UseEntityFrameworkCore().UseDbContext<Context>().ReplaceDefaultEntities<Application, Authorization, Scope, Token, Int32>();
  })

  .AddServer(x => {

    x.SetAuthorizationEndpointUris("/connect/authorize")
     .SetLogoutEndpointUris("/connect/logout")
     .SetTokenEndpointUris("/connect/token")
     .SetUserinfoEndpointUris("/connect/userinfo")
     .SetIntrospectionEndpointUris("/.well-known/openid-configuration");

    x.RegisterScopes(OpenIddictConstants.Scopes.Profile, OpenIddictConstants.Scopes.Email, OpenIddictConstants.Scopes.OfflineAccess);

    x.AllowAuthorizationCodeFlow()
     .AllowRefreshTokenFlow()
     .AllowClientCredentialsFlow();

    x.AddDevelopmentEncryptionCertificate().AddDevelopmentSigningCertificate();

    x.UseAspNetCore()
     .EnableAuthorizationEndpointPassthrough()
     .EnableLogoutEndpointPassthrough()
     .EnableTokenEndpointPassthrough()
     .EnableUserinfoEndpointPassthrough()
     .EnableStatusCodePagesIntegration();
  })

  .AddValidation(x => {
    x.UseLocalServer();
    x.UseAspNetCore();
  });

On the API, I have:

services.AddOpenIddict()
  .AddValidation(x => {
    x.SetIssuer("https://localhost:5000");
    x.AddAudiences("api");
    x.UseIntrospection().SetClientId("api").SetClientSecret("SecretAPI");
    x.UseSystemNetHttp();
    x.UseAspNetCore();
  });

Then I have the client and API applications:

OpenIddictApplicationDescriptor mvc = new OpenIddictApplicationDescriptor {
  ClientId = "mvc",
  ClientSecret = "SecretMVC",
  ConsentType = OpenIddictConstants.ConsentTypes.Explicit,
  Permissions = {
    OpenIddictConstants.Permissions.Endpoints.Token,
    OpenIddictConstants.Permissions.GrantTypes.ClientCredentials,
    OpenIddictConstants.Permissions.Prefixes.Scope + "api"
  }
};

OpenIddictApplicationDescriptor api = new OpenIddictApplicationDescriptor {
  ClientId = "api",
  ClientSecret = "SecretAPI",
  Permissions = {
    OpenIddictConstants.Permissions.Endpoints.Introspection
  }
};

I am able to get an access token using the Insomnia Rest Client with Client Credentials.

But when I call the API with the given access token, I get the following error:

Bearer error = "invalid_token", error_description = "The specified token is invalid."

Why does this happen?

UPDATE

On the logs, I have the following:

[12:09:52 Debug] OpenIddict.Validation.OpenIddictValidationDispatcher
The event OpenIddict.Validation.OpenIddictValidationEvents+HandleIntrospectionResponseContext was marked as rejected by OpenIddict.Validation.OpenIddictValidationHandlers+HandleErrorResponse`1[[OpenIddict.Validation.OpenIddictValidationEvents+HandleIntrospectionResponseContext, OpenIddict.Validation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].

[12:09:52 Debug] OpenIddict.Validation.OpenIddictValidationDispatcher
An error occurred while introspecting the token.
OpenIddict.Abstractions.OpenIddictExceptions+GenericException: An error occurred while handling the introspection response.
  Error: invalid_request
  Error description: The specified HTTP method is not valid.
  Error URI:
   at OpenIddict.Validation.OpenIddictValidationService.<>c__DisplayClass5_0.<<IntrospectTokenAsync>g__HandleIntrospectionResponseAsync|3>d.MoveNext()
--- End of stack trace from previous location ---
   at OpenIddict.Validation.OpenIddictValidationService.IntrospectTokenAsync(Uri address, String token, String type, CancellationToken cancellationToken)
   at OpenIddict.Validation.OpenIddictValidationService.IntrospectTokenAsync(Uri address, String token, String type, CancellationToken cancellationToken)
   at OpenIddict.Validation.OpenIddictValidationHandlers.IntrospectToken.HandleAsync(ProcessAuthenticationContext context)

[12:09:52 Debug] OpenIddict.Validation.OpenIddictValidationDispatcher
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+IntrospectToken.

You configured the introspection endpoint to share the same address as the OIDC provider configuration endpoint, which prevents the introspection request from being recognized as a valid POST request.

Fix SetIntrospectionEndpointUris("/.well-known/openid-configuration") to use a different address and it should work.
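As an added example (not code from the question or the answer), here are the question's server and API registrations with the one change the answer calls for: the introspection endpoint moved off the discovery-document address. The types Context, Application, Authorization, Scope and Token are the question's own entity classes and are assumed to exist; "/connect/introspect" is an assumed path, and any path not already used by another endpoint works.

```csharp
// Added example, not the question's or the answer's code. Assumes the question's
// entity types (Context, Application, Authorization, Scope, Token) exist and that
// "/connect/introspect" is free; the path itself is an assumption.
using Microsoft.Extensions.DependencyInjection;
using OpenIddict.Abstractions;

public static class OpenIddictRegistration
{
    // Authorization server (the project that hosts /connect/token).
    public static IServiceCollection AddAuthorizationServer(this IServiceCollection services)
    {
        services.AddOpenIddict()
            .AddCore(x =>
            {
                x.UseEntityFrameworkCore()
                 .UseDbContext<Context>()
                 .ReplaceDefaultEntities<Application, Authorization, Scope, Token, int>();
            })
            .AddServer(x =>
            {
                x.SetAuthorizationEndpointUris("/connect/authorize")
                 .SetLogoutEndpointUris("/connect/logout")
                 .SetTokenEndpointUris("/connect/token")
                 .SetUserinfoEndpointUris("/connect/userinfo")
                 // Before (from the question): the introspection endpoint shared the
                 // discovery-document address, so the validation handler's POST was
                 // answered with invalid_request / "The specified HTTP method is not valid".
                 //   .SetIntrospectionEndpointUris("/.well-known/openid-configuration")
                 // After: a dedicated address for the introspection endpoint.
                 .SetIntrospectionEndpointUris("/connect/introspect");

                x.RegisterScopes(OpenIddictConstants.Scopes.Profile,
                                 OpenIddictConstants.Scopes.Email,
                                 OpenIddictConstants.Scopes.OfflineAccess);

                x.AllowAuthorizationCodeFlow()
                 .AllowRefreshTokenFlow()
                 .AllowClientCredentialsFlow();

                x.AddDevelopmentEncryptionCertificate()
                 .AddDevelopmentSigningCertificate();

                // No passthrough is enabled for introspection: OpenIddict serves it
                // itself and authenticates the caller as the "api" application, which
                // holds the Endpoints.Introspection permission in the question.
                x.UseAspNetCore()
                 .EnableAuthorizationEndpointPassthrough()
                 .EnableLogoutEndpointPassthrough()
                 .EnableTokenEndpointPassthrough()
                 .EnableUserinfoEndpointPassthrough()
                 .EnableStatusCodePagesIntegration();
            })
            .AddValidation(x =>
            {
                x.UseLocalServer();
                x.UseAspNetCore();
            });

        return services;
    }

    // Resource API. Nothing changes here: the validation handler reads
    // introspection_endpoint from the issuer's discovery document, so it picks
    // up the new address without any hard-coded path on this side.
    public static IServiceCollection AddResourceApi(this IServiceCollection services)
    {
        services.AddOpenIddict()
            .AddValidation(x =>
            {
                x.SetIssuer("https://localhost:5000");
                x.AddAudiences("api");
                x.UseIntrospection()
                 .SetClientId("api")
                 .SetClientSecret("SecretAPI");
                x.UseSystemNetHttp();
                x.UseAspNetCore();
            });

        return services;
    }
}
```

After the change, the same Debug-level OpenIddict.Validation log the question quotes is the place to confirm the fix: the HandleIntrospectionResponseContext event should no longer be marked as rejected by HandleErrorResponse.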
