如何解决Identity Server 4无法验证我的访问令牌
我正在使用Asp.net Core 3.1 Web Api生成Api,并将Identity Server 4(3.1.2)与asp.net Identity Core一起使用在同一项目中(两个项目都在一个项目中)以对用户进行身份验证。 Identity Server 4生成访问令牌,但是当使用Postman调用Api时,每次返回401。 这是我的Identity Server 4配置:
"IdentityServerSetting": {
"IdentityServerAuthority": "https://localhost:5000","IdentityResources": [
"openID"
],"ApiResources": [
{
"Name": "MadPay","DisplayName": "MadPay Api","UserClaims": [
"name","Email"
]
}
],"Client": [
{
"AccessTokenLifeTime": 3600,"AllowedGrantTypes": "password","ClientId": "angular","AlwaysIncludeUserClaimsInIdToken": "true","AlwaysSendClientClaims": "true","AllowCorsOrigins": [ "https://localhost:5000" ],"RequireClientSecret": "false","AllowedScopes": [ "OpenId","MadPay" ],"AllowOfflineAccess": "true"
}
]
}
这是我的ConfigureService
public void ConfigureServices(IServiceCollection services)
{
services.Configure<JwtConfig>(_configuration.GetSection(nameof(JwtConfig)));
services.Configure<IdentityServerSetting>(_configuration.GetSection(nameof(IdentityServerSetting)));
services.AddScoped<IUnitOfWork,UnitOfWork<ApplicationDBContext>>();
services.AddMapperConfigurations();
services.AddServices();
services.AddDbContext<ApplicationDBContext>(opt =>
{
opt.UseSqlServer(_configuration.GetConnectionString("ApplicationConnection"));
});
services.AddMvcCore(opt => opt.EnableEndpointRouting = false)
.SetCompatibilityVersion(CompatibilityVersion.Version_3_0)
.AddAuthorization()
.AddNewtonsoftJson(options =>
options.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore);
services.AddResponseCaching();
services.AddIdentityServerConfig(_identityServerSetting);
services.AddApiAuthorization();
services.AddCors();
services.AddSingleton<IHttpContextAccessor,HttpContextAccessor>();
services.Configure<ApiBehaviorOptions>(options =>
{
options.SuppressModelStateInvalidFilter = true;
});
}
这是我的配置
public void Configure(IApplicationBuilder app,IHostEnvironment env)
{
IdentityModelEventSource.ShowPII = true;
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
// The default HSTS value is 30 days. You may want to change this for production scenarios,see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
//app.UseHsts();
app.UseCors(i => i.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader());
app.AddExceptionHandling();
app.UseResponseCaching();
app.UseIdentityServer();
app.UseHttpContext();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",template: "api/{controller}/{action}/{id?}");
});
}
AddApiAuthorization功能
public static void AddApiAuthorization(this IServiceCollection services)
{
services.AddAuthentication(options =>
{
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(opt =>
{
opt.Authority = "https://localhost:5000";
opt.RequireHttpsMetadata = false;
//opt.Audience = "MadPay";
opt.TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false
};
});
services.AddScoped<IAuthorizationHandler,PermissionAuthorizationHandler>();
services.AddAuthorization(option =>
option.AddPolicy("Permission",builder =>
builder.AddRequirements(new PermissionRequirement()).RequireAuthenticatedUser()
)
);
}
AddIdentityServerConfig功能
public static void AddIdentityServerConfig(this IServiceCollection services,IdentityServerSetting config)
{
var finalConfig = MapJsonToConfig(config);
services.AddIdentity<User,Role>(opt =>
{
opt.Password.RequireLowercase = false;
opt.Password.RequireUppercase = false;
opt.Password.RequireNonAlphanumeric = false;
opt.User.RequireUniqueEmail = true;
opt.SignIn.RequireConfirmedAccount = true;
opt.SignIn.RequireConfirmedEmail = true;
})
.AddEntityFrameworkStores<ApplicationDBContext>()
.AddUserManager<AppUserManager>()
//.AddSignInManager<AppSignInManager>()
.AddErrorDescriber<AppErrorDescriberService>()
.AddDefaultTokenProviders();
services.AddIdentityServer(options =>
{
options.Events.RaiseErrorEvents = true;
options.Events.RaiseInformationEvents = true;
options.Events.RaiseFailureEvents = true;
options.Events.RaiseSuccessEvents = true;
})
.AddDeveloperSigningCredential()
.AddInMemoryIdentityResources(finalConfig.IdentityResources)
.AddInMemoryApiResources(finalConfig.Apis)
.AddInMemoryClients(finalConfig.Clients)
.AddAspNetIdentity<User>()
.AddResourceOwnerValidator<AppIdentityPasswordValidator<User>>();
}
这是我来自访问令牌的有效载荷
{
"nbf": 1597823415,"exp": 1597827015,"iss": "https://localhost:5000","aud": "MadPay","client_id": "angular","sub": "1","auth_time": 1597823413,"idp": "local","name": "osali","scope": [
"MadPay","offline_access"
],"amr": [
"pwd"
]
}
对于呼叫Api,请使用以下网址:https:// localhost:5000 / ... 并在授权标头中发送令牌:承载....
我认为已颁发访问令牌不是问题。 我花了几天时间,无法理解为什么不起作用,非常困惑出什么毛病了!
谢谢??
解决方法
您可以将所有令牌验证参数设置为false,然后逐个启用它们,以查看触发错误的原因。
options.TokenValidationParameters.ValidateAudience = false;
options.TokenValidationParameters.ValidateIssuer = false;
options.TokenValidationParameters.ValidateIssuerSigningKey = false;
options.TokenValidationParameters.ValidateLifetime = false;
options.TokenValidationParameters.ValidateTokenReplay = false;
您还可以尝试启用以下功能,并检查来自邮递员或Fiddler中API的响应。
//True if token validation errors should be returned to the caller.
options.IncludeErrorDetails = true;
如何保护API控制器?您是否使用任何授权策略?
在启动API时,不应使用IdentityServer,而应使用AddMyJwtBearer方法。在您的configure方法中,您应该使用:
app.UseAuthentication();
app.UseAuthorization();
这是典型API的示例startup.cs类:
public class Startup
{
// This method gets called by the runtime. Use this method to add services to the container.
// For more information on how to configure your application,visit https://go.microsoft.com/fwlink/?LinkID=398940
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMyJwtBearer(options =>
{
options.Audience = "payment";
options.Authority = "https://localhost:6001/";
//True if token validation errors should be returned to the caller.
options.IncludeErrorDetails = true;
//If the signing key is not found,do a refresh from the JWKS endpoint
//This allows for automatic recovery in the event of a key rollover
options.RefreshOnIssuerKeyNotFound = true;
//Gets or sets if HTTPS is required for the metadata address or authority.
//Should always be true in production!
options.RequireHttpsMetadata = true;
//True if the token should be stored in the AuthenticationProperties
//after a successful authorization.
options.SaveToken = true;
//Parameters
options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(5);
options.TokenValidationParameters.NameClaimType = "name";
options.TokenValidationParameters.RoleClaimType = "role";
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app,IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",pattern: "{controller=Home}/{action=Index}/{id?}");
});
}
}
您在以下位置不见了:-
app.UseAuthentication();
app.UseAuthorization();
您能在api的 startup.cs 配置方法中添加以上内容并尝试一下吗?
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。