问题描述
我在ASP.NET Core 3.1项目上具有以下Identity Server 4配置:
I have the following Identity Server 4 configuration on ASP.NET Core 3.1 projects:
services
.AddIdentityServer(y => {
y.Events.RaiseErrorEvents = true;
y.Events.RaiseInformationEvents = true;
y.Events.RaiseFailureEvents = true;
y.Events.RaiseSuccessEvents = true;
})
.AddDeveloperSigningCredential()
.AddInMemoryPersistedGrants()
.AddInMemoryIdentityResources(Config.IdentityResources())
.AddInMemoryApiResources(Config.ApiResources())
.AddInMemoryApiScopes(Config.GetApiScopes())
.AddInMemoryClients(Config.Clients)
.AddProfileService<ProfileService>()
.AddAspNetIdentity<User>();
Config
如下:
public static class Config {
public static List<ApiResource> ApiResources() {
return new List<ApiResource> {
new ApiResource("api", "API Resource")
};
}
public static List<ApiScope> ApiScopes() {
return new List<ApiScope> {
new ApiScope("api", "API Scope")
};
}
public static List<IdentityResource> IdentityResources() {
return new List<IdentityResource> {
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
new IdentityResources.Email()
};
}
public static List<Client> Clients() {
return new List<Client> {
new Client {
ClientId = "mvc",
ClientName = "MVC Client",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets = { new Secret("Secret".Sha256()) }
AllowedScopes = {
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
IdentityServerConstants.StandardScopes.OfflineAccess,
"api"
}
}
};
}
}
在API上,我有:
services
.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme, x => {
x.ApiName = "api";
x.ApiSecret = "Secret"
x.Authority = Config.AuthorityUrl;
x.RequireHttpsMetadata = true;
x.EnableCaching = true;
x.CacheDuration = TimeSpan.FromMinutes(20);
});
我使用带有OAuth2的Insomnia客户端调用了一个API端点:
I called one API endpoint using Insomnia client with OAuth2:
我能够获得访问令牌,但是在调用API时出现错误:
I was able to get the Access token but when calling the API I got the error:
Bearer error="invalid_token", error_description="The audience 'empty' is invalid"
我使用JWT检查了访问令牌,并且得到了以下信息:
I checked the Access token using JWT and I got the following:
标题
{
"alg": "HS256",
"kid": "A1042705E52832C676596F36BB1898AB",
"typ": "at+jwt"
}
有效载荷
{
"nbf": 1598478410,
"exp": 1598482010,
"iss": "https://localhost:5000",
"client_id": "mvc",
"jti": "23525FF997FD4D71E13C786A7AD07B5D",
"iat": 1598478410,
"scope": [
"api"
]
}
aud
丢失.但是我需要吗?阅读IS4文档后,我尝试添加:
The aud
is missing. But do I need it? After reading the IS4 docs I tried adding:
.AddIdentityServer(y => {
y.EmitStaticAudienceClaim = true;
现在,访问令牌具有 aud
字段,但其值不是 api
.不是吗?
Now the Access token has aud
field but its value is not api
. Shouldn't it be?
"aud": "https://localhost:5000/resources"
调用API时,我现在收到错误消息:
When calling the API I now get the error:
Bearer error="invalid_token", error_description="The audience 'https://localhost:5000/resources' is invalid"
我阅读了文档和IS4示例,但找不到解决方案.
I read the docs and IS4 examples but couldn't find a solution.
我想念什么?
推荐答案
您需要的是将ApiScope与APIRespource连接起来,以使api成为所需的作用域.当范围和api未被连接"时,https://localhost:5000/resources aud声明是普通读者.
What you need to is to connect the ApiScope with the APIRespource to get api to be the desired scope. The https://localhost:5000/resources aud claim is a generic audience when the scopes and api's are not "connecteted".
在您的API定义中,您需要执行以下示例中的操作(请看下面的Scopes属性)
In your API definition you need to do something like in this example (Look at the Scopes property below)
var invoiceApi = new ApiResource()
{
Name = "invoice", //This is the name of the API
Description = "This is the invoice Api-resource description",
Enabled = true,
DisplayName = "Invoice API Service",
Scopes = new List<string> { "shop.admin", "shop.employee" },
};
请参见链接有关使用的通用资源范围的详细信息.
See this link for details about the generic resource scope that is ussued.
它说:
您可以尝试将 EmitStaticAudience 选项设置为 false .
You can try to set the EmitStaticAudience option to false.
您还可以忽略令牌中的两个受众.
You can also ignore the two audiences in the token.
这篇关于令牌无效-受众“空"无效的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!