您的位置: 首页  >  技术问答  >  IdentityServer4 IdentityServer3.AccessTokenValidation

IdentityServer4 IdentityServer3.AccessTokenValidation

分类: 技术问答 2022-06-08 13:39:23
问题描述:

新年快乐给大家......IdentityServer4 IdentityServer3.AccessTokenValidation

我配置的IdentityServer4,我可以做成功的ASP.net核心网络API调用。 但是对于asp.net框架4.5.2 web apis, 我得到了{“响应状态代码不表示成功:401(未授权)。”}来自.NET框架web api的错误。我想问你的帮助和意见。

我用IS4调查了这个话题,发现了一些关于IdentityServer3.AccessTokenValidation兼容性的条目。根据回复,我加载了一个签名证书,并调用了AddSigningCredential而不是AddTemporarySigninCredential。 x509certificate是本地创建的证书。并且我更新了IdentityServer3.AccessTokenValidation版本到v2.13.0。

我仍然得到了错误。 任何帮助表示赞赏。

感谢您的努力。

IdentityServer 4侧: Startup.cs

public void ConfigureServices(IServiceCollection services) 
     { 
       services 
       .AddIdentityServer()     
       //.AddTemporarySigningCredential() 
       .AddSigningCredential(x509Certificate) 
       .AddInMemoryIdentityResources(Config.GetIdentityResources()) 
       .AddInMemoryApiResources(Config.GetApiResources()) 
       .AddInMemoryClients(Config.GetClients()) 
       .AddAspNetIdentity<ApplicationUser>(); 
}

Config.cs

public static IEnumerable<ApiResource> GetApiResources() 
      { 
       return new List<ApiResource> 
       { 
        new ApiResource("AuthorizationWebApi","Authorization Web API .NET Core"), 
        new ApiResource("AuthorizationWebApiNetFramework","Authorization Web API NET Framework"), 
       new ApiResource("api1", "Empty Test Api") 
       }; 

      } 

     public static IEnumerable<Client> GetClients() 
     { 
      return new List<Client> { 
new Client { 
        ClientId = "silicon", 
        ClientName = "console app", 
        AllowedGrantTypes = GrantTypes.ClientCredentials, 
        ClientSecrets = { new Secret("abcdef".Sha256())}, 
        AllowedScopes = new List<string>{ 
        "AuthorizationWebApiNetFramework" 
        } 

       }, 
       new Client 
       { 
        ClientId = "MYUX", 
        ClientName = "MYUX MVC Client", 
        AllowedGrantTypes = GrantTypes.HybridAndClientCredentials, 
        RequireConsent = false, 
        ClientSecrets= {new Secret("abcdef".Sha256()) }, 
        RedirectUris = { "http://localhost:5002/signin-oidc" }, 
        PostLogoutRedirectUris = {"http://localhost:5002"}, 

        AllowedScopes = { 
         IdentityServerConstants.StandardScopes.OpenId, 
         IdentityServerConstants.StandardScopes.Profile,       
         "custom.profile", 
         "AuthorizationWebApi", 
         "AuthorizationWebApiNetFramework" 
        }, 
        AllowOfflineAccess = true 
       } 
      }; 
     }

的.NET Framework API侧

public void Configuration(IAppBuilder app) 
     { 
      //ConfigureAuth(app); 
      app.UseCookieAuthentication(new CookieAuthenticationOptions()); 
      app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions 
      { 
       Authority = "http://www.abcdefgh.com:5000", 
       ValidationMode = ValidationMode.ValidationEndpoint, 
       RequiredScopes = new[] { "AuthorizationWebApiNETFramework" } 

      }); 
      //configure web api 
      var config = new HttpConfiguration(); 
      config.MapHttpAttributeRoutes(); 

      //require authentication for all controllers 

      config.Filters.Add(new AuthorizeAttribute()); 

      app.UseWebApi(config); 
     }

主叫侧:

try 
      { 
       ViewData["Message"] = "Authorization Test."; 
       var accessToken = await HttpContext.Authentication.GetTokenAsync("access_token"); 
       var authorizationApiClient = new HttpClient(); 
       authorizationApiClient.SetBearerToken(accessToken); 
       var content = await authorizationApiClient.GetStringAsync("http://localhost:13243/values"); 
       return View(); 
      } 
      catch (Exception ex) 
      { 
       throw; 
      }

或通过一个控制台应用程序...

try 
{ 
    // discover endpoints from metadata 
    var disco = await DiscoveryClient.GetAsync("http://www.abcdefgh.com:5000"); 

    var tokenClient = new TokenClient(disco.TokenEndpoint, "silicon", "abcdef"); 
    var tokenResponse = await tokenClient.RequestClientCredentialsAsync("AuthorizationWebApiNetFramework"); 

    if (tokenResponse.IsError) 
    { 
     Console.WriteLine(tokenResponse.Error); 
     return; 
    } 

    Console.WriteLine(tokenResponse.Json); 

    var client = new HttpClient(); 
    client.SetBearerToken(tokenResponse.AccessToken); 

    var response = await client.GetAsync("http://localhost:13243/values"); 
    if (!response.IsSuccessStatusCode) 
    { 
     Console.WriteLine(response.StatusCode); 
    } 
    else 
    { 
     var content = await response.Content.ReadAsStringAsync(); 
     Console.WriteLine(JArray.Parse(content)); 
    } 
} 
catch (Exception) 
{ 
    throw; 
}

编辑:在4.5.2阿比侧:我注释行 ValidationMode = ValidationMode.ValidationEndpoint。我通过以下IS3文档添加了该行。感谢大家。

+0

我建议首先是样品,并确认他们的工作。然后从样本开始比较您的自定义项目中的差异。 –

+0

当您收到401错误时,idsrv4日志会说什么? –

+0

感谢球员们,@BrockAllen,正如我所说的,我可以使用开放式ID连接对ASP.Net Core MVC进行身份验证,并使用我的ASP.Net Core IS4以客户端凭据对ASP.Net Core WebApi进行身份验证。但是我遇到了4.5.2 ApiResource的问题。 Jonas Axelsson我看到令牌被成功生成,但是我记得当我调用WebApi的GetAsync时什么也没有发生。我今天会检查一下:)。关于 – ozgurozkanakdemirci

删除WebAPI accesstoken验证中间件中的以下行。

ValidationMode = ValidationMode.ValidationEndpoint

结果应该是这样的:

app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions 
{ 
    Authority = "http://www.abcdefgh.com:5000", 
    RequiredScopes = new[] { "AuthorizationWebApiNETFramework" } 
});

相关推荐