identityserver4 - Identity Server 4 检查预期范围 openid 失败
问题描述
我第一次尝试在 ASP.NET Core 中设置身份服务器。我已经设置了使用数据库的所有内容,并创建了一个脚本来创建测试客户端、测试用户和资源。我可以请求客户端令牌并请求用户令牌,这些都可以正常工作,但是在调用 connect/userinfo 端点时,我收到了 Forbidden 响应和以下错误;
IdentityServer4.Validation.TokenValidator[0]
Checking for expected scope openid failed
{
"ValidateLifetime": true,
"AccessTokenType": "Jwt",
"ExpectedScope": "openid",
"Claims": {
"nbf": 1556641697,
"exp": 1556645297,
"iss": "https://localhost:5001",
"aud": [
"https://localhost:5001/resources",
"customAPI"
],
"client_id": "newClient",
"sub": "75f86dd0-512e-4c9d-b298-1afa120c7d47",
"auth_time": 1556641697,
"idp": "local",
"role": "admin",
"scope": "customAPI.read",
"amr": "pwd"
}
}
我不确定是什么导致了这个问题。这是我用来设置测试实体的脚本;
private static void InitializeDbTestData(IApplicationBuilder app)
{
using (var scope = app.ApplicationServices.GetService<IServiceScopeFactory>().CreateScope())
{
scope.ServiceProvider.GetRequiredService<PersistedGrantDbContext>().Database.Migrate();
scope.ServiceProvider.GetRequiredService<ConfigurationDbContext>().Database.Migrate();
scope.ServiceProvider.GetRequiredService<ApplicationDbContext>().Database.Migrate();
var context = scope.ServiceProvider.GetRequiredService<ConfigurationDbContext>();
// API Client
Client client = new Client
{
ClientId = "newClient",
ClientName = "Example Client Credentials Client Application",
AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials,
ClientSecrets = new List<Secret>
{
new Secret("123456789".Sha256())
},
AllowedScopes = new List<string> {"customAPI.read"}
};
context.Clients.Add(client.ToEntity());
context.SaveChanges();
// Identity Resources
IList<IdentityResource> identityResources = new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
new IdentityResources.Email(),
new IdentityResource
{
Name = "role",
UserClaims = new List<string> {"role"}
}
};
foreach (IdentityResource identityResource in identityResources)
{
context.IdentityResources.Add(identityResource.ToEntity());
}
// API Resource
ApiResource resource = new ApiResource
{
Name = "customAPI",
DisplayName = "Custom API",
Description = "Custom API Access",
UserClaims = new List<string> {"role"},
ApiSecrets = new List<Secret> {new Secret("scopeSecret".Sha256())},
Scopes = new List<Scope>
{
new Scope("customAPI.read"),
new Scope("customAPI.write")
}
};
context.ApiResources.Add(resource.ToEntity());
context.SaveChanges();
var userManager = scope.ServiceProvider.GetRequiredService<UserManager<IdentityUser>>();
// User
IdentityUser user = new IdentityUser
{
UserName = "JohnDoe",
Email = "john@doe.co.uk",
};
IList<Claim> claims = new List<Claim>
{
new Claim(JwtClaimTypes.Email, user.Email),
new Claim(JwtClaimTypes.Role, "admin")
};
userManager.CreateAsync(user, "112222224344").Wait();
userManager.AddClaimsAsync(user, claims).Wait();
}
}
我确定我在设置客户端/用户时设置了错误,有人可以查明它是什么吗?
解决方案
看不到您的客户端代码,但错误表明您在申请令牌时没有请求openid范围。对Useinfo端点有效的令牌必须包含openid范围。
推荐阅读
- linux - 将 2 个文件合并并重新格式化为一个新文件
- git - 签出分支上未提交的更改 - 将恢复到过去的提交修复此问题吗?
- javascript - 如何将 blob 转换为 xlsx 或 csv?
- ios - 如何在 iOS 中定期向服务器发送用户健康数据
- html - 如何以 24 小时格式输入时间?
- reactjs - 如何在 material-ui Snackbar 消息中使用 html
- excel - 一个返回结果但将其作为值特殊粘贴到编写函数的同一单元格的函数?
- angular - 在指定基类的 OnDestroy 时,派生类是否应该显式调用它?
- python - 需要帮助将两个代码合并在一起
- javascript - 如何从javascript(nodejs)程序调用python,而不创建子进程