
Identity Server Random "invalid_grant"

Hello, I am having a problem with IdentityServer 4. When we make the first call to the IDP using Swagger, I can get a token:

[12:36:21 DBG] Getting claims for identity token for subject: 3680d5aa-4b35-4e39-a1ce-cfbc6961f4c3 and client: Idp.UserIdentitySwagger
[12:36:21 DBG] In addition to an id_token, an access_token was requested. No claims other than sub are included in the id_token. To obtain more user claims, either use the user info endpoint or set AlwaysIncludeUserClaimsInIdToken on the client configuration.
[12:36:21 VRB] Creating JWT identity token
[12:36:21 INF] {"ClientId": "Idp.UserIdentitySwagger", "ClientName": "Idp.UserIdentity Swagger", "RedirectUri": null, "Endpoint": "Token", "SubjectId": "3680d5aa-4b35-4e39-a1ce-cfbc6961f4c3", "Scopes": "openid profile email", "GrantType": "authorization_code", "Tokens": [{"TokenType": "id_token", "TokenValue": "****dlrQ", "$type": "Token"}, {"TokenType": "access_token", "TokenValue": "****g_rw", "$type": "Token"}], "Category": "Token", "Name": "Token Issued Success", "EventType": "Success", "Id": 2000, "Message": null, "ActivityId": "0HMJ7TTLK79RA:0000000E", "TimeStamp": "2022-07-17T12:36:21.0000000Z", "ProcessId": 1, "LocalIpAddress": "10.244.1.16:443", "RemoteIpAddress": "10.244.0.9", "$type": "TokenIssuedSuccessEvent"}
[12:36:21 VRB] Identity token issued for Idp.UserIdentitySwagger (Idp.UserIdentity Swagger) / 3680d5aa-4b35-4e39-a1ce-cfbc6961f4c3: eyJhbGciOiJSUzI1NiIsImtpZCI6IjIzNTJFMjcwQkFDQjUwMDAwNjM1NkY3RjIwRDM0MEIwQjk3NDRCRThSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6IkkxTGljTHJMVUFBR05XOV9JTk5Bc0xsMFMtZyJ9.eyJuYmYiOjE2NTgwNjEzODEsImV4cCI6MTY1ODA2NDk4MSwiaXNzIjoiaHR0cHM6Ly9pZHAub3Vpb3VpZGlzY291bnQuY29tIiwiYXVkIjoiSWRwLlVzZXJJZGVudGl0eVN3YWdnZXIiLCJpYXQiOjE2NTgwNjEzODEsImF0X2hhc2giOiJFWWRZYWtpb0ZFUTN6Z19qeHZ1Umd3Iiwic19oYXNoIjoiMUxYeTNQMXpaOTZiU2lDWjBrRmNBZyIsInNpZCI6IjYzREQ4OEQ5QTQ0NEEyRDQzRDU1QUNBMjYyQTM1MTc3Iiwic3ViIjoiMzY4MGQ1YWEtNGIzNS00ZTM5LWExY2UtY2ZiYzY5NjFmNGMzIiwiYXV0aF90aW1lIjoxNjU4MDYxMzczLCJpZHAiOiJsb2NhbCIsImFtciI6WyJwd2QiXX0.kyOSEob49JTd10Wmz3YMgg48MB-RRWmSJ6JB2dZeu-0r8WPOK69XXlq74bGAoyV6DwytsyTOmwb7h5Wnu5zcgbHFJ_ycGAi5PwOiO1clyDIpYW5ql__SZ2JH31ppuRg616eDaX0M2p9PFfW4MBSM1d4p69aWrbqAmuj8g833VjtZOFkZcgS6OZotqbM_zxOGLhfkzwJQtDjHdh1_imJp80fa4uv_0KOpWc62hclOXcBS8oKvgQYyeeS8AIXGrIBoNII8ZQ8yK-BrqOAjm4f1PVyyhQa8P19gXWoASQL6EHb-zCUo5VUXAu7bukBb4JNNzk8jUTCWvSUo9z4_rDdlrQ
[12:36:21 VRB] Access token issued for Idp.UserIdentitySwagger (Idp.UserIdentity Swagger) / 3680d5aa-4b35-4e39-a1ce-cfbc6961f4c3: eyJhbGciOiJSUzI1NiIsImtpZCI6IjIzNTJFMjcwQkFDQjUwMDAwNjM1NkY3RjIwRDM0MEIwQjk3NDRCRThSUzI1NiIsInR5cCI6ImF0K2p3dCIsIng1dCI6IkkxTGljTHJMVUFBR05XOV9JTk5Bc0xsMFMtZyJ9.eyJuYmYiOjE2NTgwNjEzODEsImV4cCI6MTY1ODA2NDk4MSwiaXNzIjoiaHR0cHM6Ly9pZHAub3Vpb3VpZGlzY291bnQuY29tIiwiY2xpZW50X2lkIjoiSWRwLlVzZXJJZGVudGl0eVN3YWdnZXIiLCJzdWIiOiIzNjgwZDVhYS00YjM1LTRlMzktYTFjZS1jZmJjNjk2MWY0YzMiLCJhdXRoX3RpbWUiOjE2NTgwNjEzNzMsImlkcCI6ImxvY2FsIiwic2lkIjoiNjNERDg4RDlBNDQ0QTJENDNENTVBQ0EyNjJBMzUxNzciLCJpYXQiOjE2NTgwNjEzODEsInNjb3BlIjpbIm9wZW5pZCIsInByb2ZpbGUiLCJlbWFpbCJdLCJhbXIiOlsicHdkIl19.BXtDlQKqw8rGmgnLjJuWJicF2BIHPzpp48NC-aP9cpzy7dqYY2a8kI1x07vTnhX2rcEjdfqhfMIfyJuqZJBhXVtfI7R60QyfuAj3Ozpa4KGE2Y28d9Xntizf4ctwUXFLZVboH8MrXflcIiDL8s5h_c6P6W2NafYK_1m7xpU68Qq0NsxqXsaG2SZT_nph-bl_hEvfR_AfXbkDI12Z606hSqAhjP5v_TQfc6_0zveCVTiFRUMCzTzndtRSVtNrP3WPGXalOTtOaeOIUFssDvqNYeF6nch245vjw5NQQu3zUgETOSJfeO_d0c7VCeEvp_s_yCEFCVOIl2_xvWd3Hig_rw

I disconnect and try to log in again, and it throws "invalid_grant". I cleared the cache and tried again, but it doesn't work. After retrying a few times, I can log in. I think this is a random error. I can't figure out the reason behind it. Here is the error message along with the IDP configuration and the client configuration. I hope it helps.

[12:42:06 DBG] A data reader was disposed.
[12:42:06 DBG] Closing connection to database 'IdpDb' on server 'tcp://XXXXXXXXXXX:5432'.
[12:42:06 DBG] Closed connection to database 'IdpDb' on server ''.
[12:42:06 DBG] tJc155MKnmvPDXowrLH4laE8GBDyxFtEveiaB/ONE4w= found in database: False
[12:42:06 DBG] authorization_code grant with value: E3661868CE07773D4612B6A32A5D10B9B0A48D00E616718C795D9ED5F6827348 not found in store.
[12:42:06 ERR] Invalid authorization code{"code": "E3661868CE07773D4612B6A32A5D10B9B0A48D00E616718C795D9ED5F6827348"}, details: {"ClientId": "Idp.UserIdentitySwagger", "ClientName": "Idp.UserIdentity Swagger", "GrantType": "authorization_code", "Scopes": null, "AuthorizationCode": "****7348", "RefreshToken": "********", "UserName": null, "AuthenticationContextReferenceClasses": null, "Tenant": null, "IdP": null, "Raw": {"grant_type": "authorization_code", "code": "E3661868CE07773D4612B6A32A5D10B9B0A48D00E616718C795D9ED5F6827348", "client_id": "Idp.UserIdentitySwagger", "client_secret": "***REDACTED***", "redirect_uri": "https://identity.*******.com/swagger/oauth2-redirect.html", "code_verifier": "eMCIRwHDzhTf1YrRr651Uaqi_COopBhc7ZfOGyjRiAc"}, "$type": "TokenRequestValidationLog"}
[12:42:06 INF] {"ClientId": "Idp.UserIdentitySwagger", "ClientName": "Idp.UserIdentity Swagger", "RedirectUri": null, "Endpoint": "Token", "SubjectId": null, "Scopes": null, "GrantType": "authorization_code", "Error": "invalid_grant", "ErrorDescription": null, "Category": "Token", "Name": "Token Issued Failure", "EventType": "Failure", "Id": 2001, "Message": null, "ActivityId": "0HMJ7TTLK79RH:00000008", "TimeStamp": "2022-07-17T12:42:06.0000000Z", "ProcessId": 1, "LocalIpAddress": "10.244.1.16:443", "RemoteIpAddress": "10.244.0.9", "$type": "TokenIssuedFailureEvent"}
[12:42:06 VRB] Invoking result: IdentityServer4.Endpoints.Results.TokenErrorResult

IdP configuration:

services.AddIdentityServer(options =>
        {
            options.Events.RaiseErrorEvents = true;
            options.Events.RaiseInformationEvents = true;
            options.Events.RaiseFailureEvents = true;
            options.Events.RaiseSuccessEvents = true;
        })
        .AddConfigurationStore(options =>
        {
            options.ConfigureDbContext = (t) =>
            {
                t.UseNpgsql(configuration.GetConnectionString("IdpDb"),
                    b => b.MigrationsAssembly(migrationsAssembly));
                t.EnableSensitiveDataLogging();
            };
        })
        .AddOperationalStore(options =>
        {
            options.ConfigureDbContext = (t) =>
            {
                t.UseNpgsql(configuration.GetConnectionString("IdpDb"),
                    b => b.MigrationsAssembly(migrationsAssembly));
                t.EnableSensitiveDataLogging();
            };
        })
        .AddProfileService<BrandeeUserProfileService>()
        .AddSigningCredential(LoadCertificate(configuration));

Data protection code:

services.AddDataProtection()
        .SetApplicationName("TAASe")
        .UseCryptographicAlgorithms(
            new AuthenticatedEncryptorConfiguration()
            {
                EncryptionAlgorithm = EncryptionAlgorithm.AES_256_CBC,
                ValidationAlgorithm = ValidationAlgorithm.HMACSHA256,
            }
        )
        .ProtectKeysWithCertificate(new X509Certificate2(configuration["Certificate:Path"],
            configuration["Certificate:Password"]))
        .PersistKeysToDbContext<AppDataProtectionDbContext>()
        .SetDefaultKeyLifetime(TimeSpan.FromDays(14));

Client definition:

{
  "clientId": "Idp.UserIdentity Swagger",
  "clientName": "Idp.UserIdentity Swagger",
  "requireConsent": true,
  "accessTokenLifetime": 3600,
  "identityTokenLifetime": 3600,
  "allowOfflineAccess": true,
  "alwaysSendClientClaims": true,
  "secrets": [
    "secret"
  ],
  "scopes": [
    "openid","profile","email"
  ],
  "allowedGrantType": [
    "authorization_code"
  ],
  "redirectUris": [
    "https://identity.XXXXXXXXXX.com/swagger/oauth2-redirect.html"
  ],
  "corsOrigins": [
    "https://identity.XXXXXXX.com"
  ],
  "postLogoutRedirectUri": []
}

And in Swagger:

services.AddSwaggerGen(options =>
        {
            var oauthSecuritySchema = new OpenApiSecurityScheme()
            {
                Type = SecuritySchemeType.OAuth2,
                Flows = new OpenApiOAuthFlows()
                {
                    AuthorizationCode = new OpenApiOAuthFlow()
                    {
                        AuthorizationUrl = new Uri(configuration["Idp:AuthorizationUrl"]),
                        Scopes = new Dictionary<string, string>()
                        {
                            // {"Idp.UserManagement","Identity"},
                            {"openid","openid"},
                            {"profile","profile"},
                            {"email","email"}
                        },
                        TokenUrl = new Uri(configuration["Idp:TokenUrl"]),
                    }
                },
                Name = configuration["Swagger:Name"],
            };
            options.SwaggerDoc("v1", new OpenApiInfo {Title = "Protected API", Version = "v1"});
            options.AddSecurityDefinition("oauth2", oauthSecuritySchema);
            options.OperationFilter<AuthorizeCheckOperationFilter>();
            options.EnableAnnotations();
        });

When the user logs in, the IdP saves the code in the PersistedGrants table under a key formed as (code + ":" + "authorization_code").Sha256(). For your code E3661868CE07773D4612B6A32A5D10B9B0A48D00E616718C795D9ED5F6827348 the key is tJc155MKnmvPDXowrLH4laE8GBDyxFtEveiaB/ONE4w=, which according to the log is correct. The IdP then returns this code to the caller.

The client can then exchange this code for tokens at the token endpoint. The IdP tries to recover this record by forming the key again, retrieving it from the database and checking that the code passed in matches what was stored earlier.

Persistence in the operational store does not seem to be working correctly. Either the record was not saved in the first step, or the query that fetches it in the second step does not work. Whatever the reason, the service returns the generic invalid_grant error message.

Check whether the record is saved in the PersistedGrants table. You can use my Fiddle to form the key and test with other codes.

If there were any EF exceptions when SaveAsync was called, check the earlier logs.
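To make the check the answer describes reproducible, here is an added diagnostic (it is not part of the original post, the answerer's Fiddle, or IdentityServer4 itself). It derives the PersistedGrants key the way the answer states, SHA-256 over the UTF-8 bytes of `code + ":" + "authorization_code"` encoded as Base64, compares it with the key that appears in the question's log, and then looks the key up in the operational store. It assumes the Npgsql package is referenced and that the operational store uses the default IdentityServer4.EntityFramework column names; the connection string is a placeholder.

```csharp
// Added diagnostic, not code from the question or from IdentityServer4.
// Step 1: derive the PersistedGrants key for an authorization code.
// Step 2: look that key up in the operational store to see whether the
//         row exists at all, and if so whether it has expired or been consumed.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Npgsql; // assumption: the Npgsql NuGet package is referenced

static class GrantKeyCheck
{
    // Same derivation the answer describes: the grant type is appended after a
    // colon before hashing, so a code and a refresh token with the same raw
    // value would still land under different keys.
    public static string KeyFor(string code, string grantType = "authorization_code")
    {
        var bytes = Encoding.UTF8.GetBytes(code + ":" + grantType);
        using var sha = SHA256.Create();
        return Convert.ToBase64String(sha.ComputeHash(bytes));
    }

    // Looks the derived key up in PersistedGrants. Column names follow the
    // IdentityServer4.EntityFramework schema (assumption: no custom schema).
    public static async Task LookupAsync(string connectionString, string key)
    {
        const string sql =
            "SELECT \"Type\", \"ClientId\", \"CreationTime\", \"Expiration\", \"ConsumedTime\" " +
            "FROM \"PersistedGrants\" WHERE \"Key\" = @key";

        await using var conn = new NpgsqlConnection(connectionString);
        await conn.OpenAsync();
        await using var cmd = new NpgsqlCommand(sql, conn);
        cmd.Parameters.AddWithValue("key", key);

        await using var reader = await cmd.ExecuteReaderAsync();
        if (!await reader.ReadAsync())
        {
            // This is the situation in the question's log: the token endpoint
            // derived the key but found no row for it.
            Console.WriteLine("No PersistedGrants row for this key: the grant was never persisted or has been removed.");
            return;
        }

        var expiration = reader.IsDBNull(3) ? "no expiration" : $"expires {reader.GetDateTime(3):u}";
        var consumed = reader.IsDBNull(4) ? "not consumed" : $"consumed at {reader.GetDateTime(4):u}";
        Console.WriteLine(
            $"Found {reader.GetString(0)} for client {reader.GetString(1)}, " +
            $"created {reader.GetDateTime(2):u}, {expiration}, {consumed}.");
    }

    public static async Task Main()
    {
        // Code and key exactly as they appear in the question's log lines.
        const string code = "E3661868CE07773D4612B6A32A5D10B9B0A48D00E616718C795D9ED5F6827348";
        const string keyFromLog = "tJc155MKnmvPDXowrLH4laE8GBDyxFtEveiaB/ONE4w=";

        var key = KeyFor(code);
        Console.WriteLine($"Derived key: {key}");
        Console.WriteLine(key == keyFromLog
            ? "Matches the key IdentityServer logged for this code."
            : "Does not match the logged key: the code value or the hashing differs.");

        // Placeholder connection string; point it at the IdpDb operational store.
        const string connectionString =
            "Host=XXXXXXXXXXX;Port=5432;Database=IdpDb;Username=<user>;Password=<password>";
        await LookupAsync(connectionString, key);
    }
}
```

Run this on the IdP host (or wherever the IdpDb is reachable) right after a failed token exchange. If the derived key matches the log but no row comes back, the problem is on the write side of the operational store (the grant never reached the table, or multiple IdP instances are not sharing the same database); if a row comes back, compare its CreationTime and ConsumedTime with the timestamps in the log to see whether the code had already been used or had expired before the exchange.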
