c# - Identity Server 4 无法验证我的访问令牌
问题描述
我正在使用 Asp.net Core 3.1 Web Api 生成 Api 并使用 Identity Server 4(3.1.2) 和 asp.net identity core 在同一个项目中(都在一个项目中)来验证用户。Identity Server 4 生成访问令牌,但是当使用 Postman 调用 Api 时,每次都返回 401。这是我的 Identity Server 4 配置:
"IdentityServerSetting": {
"IdentityServerAuthority": "https://localhost:5000",
"IdentityResources": [
"openID"
],
"ApiResources": [
{
"Name": "MadPay",
"DisplayName": "MadPay Api",
"UserClaims": [
"name",
"Email"
]
}
],
"Client": [
{
"AccessTokenLifeTime": 3600,
"AllowedGrantTypes": "password",
"ClientId": "angular",
"AlwaysIncludeUserClaimsInIdToken": "true",
"AlwaysSendClientClaims": "true",
"AllowCorsOrigins": [ "https://localhost:5000" ],
"RequireClientSecret": "false",
"AllowedScopes": [ "OpenId", "MadPay" ],
"AllowOfflineAccess": "true"
}
]
}
这是我的配置服务
public void ConfigureServices(IServiceCollection services)
{
services.Configure<JwtConfig>(_configuration.GetSection(nameof(JwtConfig)));
services.Configure<IdentityServerSetting>(_configuration.GetSection(nameof(IdentityServerSetting)));
services.AddScoped<IUnitOfWork, UnitOfWork<ApplicationDBContext>>();
services.AddMapperConfigurations();
services.AddServices();
services.AddDbContext<ApplicationDBContext>(opt =>
{
opt.UseSqlServer(_configuration.GetConnectionString("ApplicationConnection"));
});
services.AddMvcCore(opt => opt.EnableEndpointRouting = false)
.SetCompatibilityVersion(CompatibilityVersion.Version_3_0)
.AddAuthorization()
.AddNewtonsoftJson(options =>
options.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore);
services.AddResponseCaching();
services.AddIdentityServerConfig(_identityServerSetting);
services.AddApiAuthorization();
services.AddCors();
services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
services.Configure<ApiBehaviorOptions>(options =>
{
options.SuppressModelStateInvalidFilter = true;
});
}
这是我的配置
public void Configure(IApplicationBuilder app, IHostEnvironment env)
{
IdentityModelEventSource.ShowPII = true;
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
//app.UseHsts();
app.UseCors(i => i.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader());
app.AddExceptionHandling();
app.UseResponseCaching();
app.UseIdentityServer();
app.UseHttpContext();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "api/{controller}/{action}/{id?}");
});
}
AddApiAuthorization 函数
public static void AddApiAuthorization(this IServiceCollection services)
{
services.AddAuthentication(options =>
{
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(opt =>
{
opt.Authority = "https://localhost:5000";
opt.RequireHttpsMetadata = false;
//opt.Audience = "MadPay";
opt.TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false
};
});
services.AddScoped<IAuthorizationHandler, PermissionAuthorizationHandler>();
services.AddAuthorization(option =>
option.AddPolicy("Permission", builder =>
builder.AddRequirements(new PermissionRequirement()).RequireAuthenticatedUser()
)
);
}
AddIdentityServerConfig 函数
public static void AddIdentityServerConfig(this IServiceCollection services, IdentityServerSetting config)
{
var finalConfig = MapJsonToConfig(config);
services.AddIdentity<User, Role>(opt =>
{
opt.Password.RequireLowercase = false;
opt.Password.RequireUppercase = false;
opt.Password.RequireNonAlphanumeric = false;
opt.User.RequireUniqueEmail = true;
opt.SignIn.RequireConfirmedAccount = true;
opt.SignIn.RequireConfirmedEmail = true;
})
.AddEntityFrameworkStores<ApplicationDBContext>()
.AddUserManager<AppUserManager>()
//.AddSignInManager<AppSignInManager>()
.AddErrorDescriber<AppErrorDescriberService>()
.AddDefaultTokenProviders();
services.AddIdentityServer(options =>
{
options.Events.RaiseErrorEvents = true;
options.Events.RaiseInformationEvents = true;
options.Events.RaiseFailureEvents = true;
options.Events.RaiseSuccessEvents = true;
})
.AddDeveloperSigningCredential()
.AddInMemoryIdentityResources(finalConfig.IdentityResources)
.AddInMemoryApiResources(finalConfig.Apis)
.AddInMemoryClients(finalConfig.Clients)
.AddAspNetIdentity<User>()
.AddResourceOwnerValidator<AppIdentityPasswordValidator<User>>();
}
这是来自访问令牌的 My Paload
{
"nbf": 1597823415,
"exp": 1597827015,
"iss": "https://localhost:5000",
"aud": "MadPay",
"client_id": "angular",
"sub": "1",
"auth_time": 1597823413,
"idp": "local",
"name": "osali",
"scope": [
"MadPay",
"offline_access"
],
"amr": [
"pwd"
]
}
对于调用 Api,请使用此 url:https://localhost:5000/... 并在 Authorization Header 中发送令牌:Bearer ....
我认为颁发的访问令牌不是问题。我花了几天时间却无法理解为什么不工作并且非常困惑出了什么问题!
谢谢你
解决方案
您可以将所有令牌验证参数设置为 false,然后将它们一一启用,以查看触发错误的原因。
options.TokenValidationParameters.ValidateAudience = false;
options.TokenValidationParameters.ValidateIssuer = false;
options.TokenValidationParameters.ValidateIssuerSigningKey = false;
options.TokenValidationParameters.ValidateLifetime = false;
options.TokenValidationParameters.ValidateTokenReplay = false;
您也可以尝试启用以下功能并检查 postman 或 Fiddler 中 API 的响应。
//True if token validation errors should be returned to the caller.
options.IncludeErrorDetails = true;
API 控制器如何受到保护?您是否使用任何授权策略?
在您的 API 启动中,您不应使用 IdentityServer,而应使用 AddMyJwtBearer 方法。在您的配置方法中,您应该使用:
app.UseAuthentication();
app.UseAuthorization();
下面是一个典型 API 的示例 startup.cs 类:
public class Startup
{
// This method gets called by the runtime. Use this method to add services to the container.
// For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMyJwtBearer(options =>
{
options.Audience = "payment";
options.Authority = "https://localhost:6001/";
//True if token validation errors should be returned to the caller.
options.IncludeErrorDetails = true;
//If the signing key is not found, do a refresh from the JWKS endpoint
//This allows for automatic recovery in the event of a key rollover
options.RefreshOnIssuerKeyNotFound = true;
//Gets or sets if HTTPS is required for the metadata address or authority.
//Should always be true in production!
options.RequireHttpsMetadata = true;
//True if the token should be stored in the AuthenticationProperties
//after a successful authorization.
options.SaveToken = true;
//Parameters
options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(5);
options.TokenValidationParameters.NameClaimType = "name";
options.TokenValidationParameters.RoleClaimType = "role";
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
});
}
}
推荐阅读
- solr - Solr Suggest Component 和 OutOfMemory 错误
- ruby-on-rails - ROR: NoMethodError: nil:NilClass 的未定义方法“[]”
- google-drive-api - OS X 上的 Google Drive File Stream 无法 ls 文件
- php - 批量反转(重新利用)现有的正则表达式语句
- c - 如何从带有通配符的字符串中获取 Appx 全名?
- wordpress - WordPress 添加内联样式,如何添加 background-size 属性
- javascript - 如何在Javascript中存储特定类的对象数组?
- c++ - Nanodbc:值不适合类型字符(2)错误
- python - 具有给定索引的 numpy 元素的总和
- c# - 如何添加 WPF 按钮以将内容添加到 ObservableCollection 内的列表?