Problem description
I'm new to IdentityServer 4 and OpenIdConnect, trying to get my ASP.NET Core + Angular 9 SPA app to work with JwtBearer tokens, and the problem is that I cannot set my access_token's 'aud' claim properly. I'm getting a 401 with the message:
found in WWW-Authenticate header.
If, however, instead of this I use an id_token constantly (which, as I suppose, should be used only once to log the user into the app), I get access to my protected resources, because it has this 'aud' claim.
I suppose it is not a proper behaviour (or is it?)
Is there any way I can explicitly set the access_token's 'aud' claim? I've already looked in many places, StackOverflow, OpenId.net docs and others, and I still cannot find an answer. Can someone help me with that?
Here's my AddAuthentication method in my API & app.UseAuthentication/app.UseAuthorization: https://pastebin.com/YdE3WQ7b
and my client config: https://pastebin.com/AdAjntjc
PrintScreen of jwt.io:
There was a major change in IdentityServer4 version v4: they are no longer setting the aud claim by default.
Probably you followed an old article, like this one for example:
https://medium.com/@marcodesanctis2/securing-blazor-webassembly-with-identity-server-4-ee44aa1687ef
which is using IS4 v3.
But if you check the configuration section of the official documentation, it says you need to disable the aud claim:
https://identityserver4.readthedocs.io/en/latest/quickstarts/1_client_credentials.html#configuration
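    using Microsoft.AspNetCore.Builder;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.IdentityModel.Tokens;

    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddControllers();

            services.AddAuthentication("Bearer")
                .AddJwtBearer("Bearer", options =>
                {
                    // Base address of the IdentityServer that issues the tokens
                    options.Authority = "https://localhost:5001";

                    // Skip the check of the token's aud claim
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidateAudience = false
                    };
                });
        }

        public void Configure(IApplicationBuilder app)
        {
            app.UseRouting();

            // Authentication must run before authorization
            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }
    }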
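An alternative that keeps audience validation on, shown as an added example that is not part of the original question or answer: in IdentityServer4 v4 an access token gets an aud claim when the requested scope belongs to a registered ApiResource, and the API can then require that audience and reject id_tokens by token type. The names "api1" and "api1.read" are assumptions, and the two halves belong to two separate projects (the IdentityServer host and the API).

```csharp
// Added example. "api1" and "api1.read" are assumed names, not taken from the post.
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

// ---- IdentityServer host ----
public static class Config
{
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("api1.read", "Read access to API 1")
    };

    // v4: the aud claim is the name of every ApiResource that lists a requested scope.
    public static IEnumerable<ApiResource> ApiResources => new[]
    {
        new ApiResource("api1", "API 1") { Scopes = { "api1.read" } }
    };
}

public static class IdentityServerSetup
{
    // Call from the host's ConfigureServices. Clients and signing credentials
    // are registered as before; the client must list "api1.read" in AllowedScopes.
    public static IIdentityServerBuilder AddApiResourcesWithAudience(IServiceCollection services) =>
        services.AddIdentityServer()
            .AddInMemoryApiScopes(Config.ApiScopes)
            .AddInMemoryApiResources(Config.ApiResources);
}

// ---- API project ----
public static class ApiSetup
{
    public static void AddApiAuthentication(IServiceCollection services) =>
        services.AddAuthentication("Bearer")
            .AddJwtBearer("Bearer", options =>
            {
                options.Authority = "https://localhost:5001";
                // Must equal the ApiResource name; ValidateAudience stays at its default (true).
                options.Audience = "api1";
                // Accept only JWT access tokens (typ "at+jwt"), so an id_token
                // sent as a bearer token is rejected.
                options.TokenValidationParameters.ValidTypes = new[] { "at+jwt" };
            });
}
```

The SPA client then has to request the `api1.read` scope so that the issued access token carries `"aud": "api1"`.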