时间戳

首页 > 解决方案 > 根据验证程序,远程证书无效(身份服务器托管在 azure 中)

c# - 根据验证程序,远程证书无效(身份服务器托管在 azure 中)

问题描述

我尝试了很多,现在把它放在这里..所以我有一个应用服务,其中 API 身份服务器和 UI(Blazor)托管在同一个应用服务内的不同文件夹中,现在我从 [https:// damienbod.com/2020/02/10/create-certificates-for-identityserver4-signing-using-net-core/](这篇博文)现在一切正常,即使我将托管身份服务器设置为提供者和本地主机( UI 和 Web API)即使这样它也可以工作,但是当我尝试访问托管的 API 时,它的抛出错误(在日志中)并且我得到 401 在此处输入图像描述

请任何帮助将不胜感激

我的身份服务器启动看起来像这样

public void ConfigureServices(IServiceCollection services)
    {
        var settings = config.GetSection("AppSettings").Get<AppSettings>();
        X509Certificate2 rsaCertificate = null;
        if (env.IsDevelopment())
        {
            rsaCertificate = new X509Certificate2(
            Path.Combine(env.WebRootPath, "cert/rsaCert.pfx"), "password");
        }
        else
        {
            using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
            {
                certStore.Open(OpenFlags.ReadOnly);
                X509Certificate2Collection certCollection = certStore.Certificates.Find(
                    X509FindType.FindByThumbprint,
                    settings.CertificateDetails.CertificateThumbPrint,
                    false);
                // Get the first cert with the thumbprint
                if (certCollection.Count > 0)
                {
                    rsaCertificate = certCollection[0];
                }
            }
        }
        var connectionString = config.GetConnectionString("DefaultConnection");
        services.AddOidcStateDataFormatterCache();
        services.AddDbContext<SeatingDBContext>(x =>
        {
            x.UseSqlServer(connectionString);
        });

        services.AddIdentity<ApplicationUser, ApplicationRole>(x =>
        {
            x.Password.RequiredLength = 4;
            x.Password.RequireDigit = false;
            x.Password.RequireNonAlphanumeric = false;
            x.Password.RequireUppercase = false;
        }).AddEntityFrameworkStores<SeatingDBContext>().
     AddDefaultTokenProviders();

        services.ConfigureApplicationCookie(x =>
        {
            x.Cookie.Name = "IdentityServer.Cookie";
            x.LoginPath = "/Auth/Login";
        });

        var assembly = typeof(Startup).Assembly.GetName().Name;
        services.AddIdentityServer(x =>
        {
            x.Events.RaiseErrorEvents = true;
            x.Events.RaiseFailureEvents = true;
            x.Events.RaiseSuccessEvents = true;
            x.Events.RaiseInformationEvents = true;
        }).AddAspNetIdentity<ApplicationUser>()
  .AddInMemoryIdentityResources(Configuration.GetIdentityResources())
  .AddInMemoryApiScopes(Configuration.GetApiScopes())
   .AddInMemoryApiResources(Configuration.GetApis())
   .AddInMemoryClients(Configuration.GetClients(settings.ClientApps))
   .AddSigningCredential(rsaCertificate);
// .AddValidationKey(rsaCertificate);

        services.AddScoped(typeof(IRepository<,>), typeof(Repository<,>));

        services.AddTransient<IUserSyncService, UserSyncService>();

        services.AddControllersWithViews();
    }

我的网络 API 看起来像这样

public void ConfigureServices(IServiceCollection services)
    {
        var connectionString = Configuration.GetConnectionString("DefaultConnection");
        var settings = Configuration.GetSection("AppSettings").Get<AppSettings>();
        services.AddControllers();
        services.AddDbContext<SeatingDBContext>(x => x.UseSqlServer(connectionString));
        services.AddScoped(typeof(IRepository<,>), typeof(Repository<,>));
        services.AddAutoMapper(typeof(Startup));
        services.AddScoped<IEmailService, EmailService>();
        services.AddSingleton<IEmailConfiguration>(settings.EmailConfiguration);
        services.AddScoped<MailSender>();
        services.AddControllers();
        services.AddIdentityForWebApi<ApplicationUser, ApplicationRole>(x =>
        {
            x.Password.RequiredLength = 4;
            x.Password.RequireDigit = false;
            x.Password.RequireNonAlphanumeric = false;
            x.Password.RequireUppercase = false;
        }).AddEntityFrameworkStores<SeatingDBContext>();
         
        services.AddAuthentication(defaultScheme:"Bearer")
        .AddIdentityServerAuthentication("Bearer", config =>
        {
            config.Authority = settings.ODICSettings.Authority;
            config.ApiName = settings.ODICSettings.Audience;  
        });
        services.AddAuthorization(options =>
        {
            options.AddPolicy("ApiScope", policy =>
            {
                policy.RequireAuthenticatedUser();
                foreach (string scope in settings.ODICSettings.scope)
                    policy.RequireClaim("scope", scope);
            });
        });
    }

标签: c#asp.net-coreidentityserver4asp.net-core-identity

解决方案

您不能将签名证书用作 HTTPS Web 证书。签名证书仅在 IdentityServer 签署 JWT 令牌时使用。

您需要从受信任的提供商(如 Lets Encrypt)处获取真正的证书,并将其作为 TLS/HTTPS 证书单独安装。

签名证书和 TLS/HTTPS 证书是分开的东西,两者都需要正确配置。

推荐阅读