How to add an 'aud' claim to access_token

Problem description

I'm new to IdentityServer 4 and OpenID Connect, trying to get my ASP.NET Core + Angular 9 SPA app to work with JwtBearer tokens, and the problem is that I cannot set my access_token's 'aud' claim properly; I'm getting a 401 with this message:

```
Bearer error="invalid_token", error_description="The audience 'empty' is invalid
```

found in the WWW-Authenticate header.

If, however, I use an id_token instead (which, as I suppose, should be used only once, to log the user into the app), I get access to my protected resources, because it has this 'aud' claim.

I suppose this is not proper behaviour (or is it?)

Is there any way I can explicitly set the access_token's 'aud' claim? I've already looked in many places (Stack Overflow, the OpenID.net docs and others) and still cannot find an answer. Could someone help me with that?

Here's my AddAuthentication method in my API & app.UseAuthentication/app.UseAuthorization: https://pastebin.com/YdE3WQ7b

and my client config: https://pastebin.com/AdAjntjc

Screenshot from jwt.io:

(screenshot of the access_token decoded at jwt.io)

Tags: access-token, jwt-auth, oidc-client-js

Solution


IdentityServer4 version v4 had significant changes; by default they no longer set the aud claim.

Perhaps you followed an old article, for example:

https://medium.com/@marcodesanctis2/securing-blazor-webassembly-with-identity-server-4-ee44aa1687ef

which uses IS4 v3.

But if you check the Configuration section of the official docs, it says you need to disable the aud claim:

https://identityserver4.readthedocs.io/en/latest/quickstarts/1_client_credentials.html#configuration

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        services.AddAuthentication("Bearer")
            .AddJwtBearer("Bearer", options =>
            {
                // The IdentityServer4 instance that issues the tokens
                options.Authority = "https://localhost:5001";

                // IS4 v4 no longer emits an aud claim by default, so the
                // quickstart turns audience validation off on the API side
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateAudience = false
                };
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();

        // Authentication must run before authorization in the pipeline
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}
```
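With ValidateAudience = false the API accepts any access token the authority issues, whichever API it was minted for. The following is an added example, not code from the answer or from the IdentityServer4 docs, that keeps audience validation on instead: the IS4 side registers an ApiResource (the name `api1` is an assumption) so that the access_token carries `aud: api1`, and the API checks that value plus the scope. The authority URL matches the one on the page; the resource and scope names are placeholders.

```csharp
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

// IdentityServer4 v4 host (assumed to run at https://localhost:5001).
// Signing credential and client registration are omitted; the client
// only has to request the "api1" scope.
public static class IdentityServerConfig
{
    public static void Configure(IServiceCollection services)
    {
        services.AddIdentityServer()
            // The scope the SPA asks for
            .AddInMemoryApiScopes(new[] { new ApiScope("api1") })
            // An ApiResource that owns that scope: when "api1" is granted,
            // IS4 v4 puts aud = "api1" into the access_token
            .AddInMemoryApiResources(new[]
            {
                new ApiResource("api1", "Protected API") { Scopes = { "api1" } }
            });
    }
}

// Protected API: audience validation stays enabled
public static class ApiAuthConfig
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://localhost:5001";
                // Only tokens issued for this resource are accepted; a token
                // minted for another API of the same authority is rejected
                options.Audience = "api1";
            });

        // Require the scope as well: an id_token has aud = client_id and no
        // scope claim, so it cannot double as an access token here
        services.AddAuthorization(o =>
            o.AddPolicy("ApiScope", p => p.RequireAuthenticatedUser()
                                          .RequireClaim("scope", "api1")));
    }
}
```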
