如何解决IdentityServer4始终返回“错误”:“ invalid_scope”
我正在使用IdentityServer4(4.0.4),但是它不返回access_token,而是始终返回:"error": "invalid_scope"
仅通过添加以下代码以及Nuget包IdentityServer4(4.0.4)和IdentityServer4.EntityFramework(4.0.4),即可重新创建错误。在请求中添加“作用域”没有任何区别。
这是邮递员触发的端点:
这是我的Config类:
using IdentityServer4;
using IdentityServer4.Models;
using System.Collections.Generic;
using System.Linq;
namespace WebApplication1
{
public class Config
{
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource("ApiName","ApiDisplayName")
};
}
public static List<IdentityResource> GetIdentityResources()
{
return new List<IdentityResource>
{
new IdentityResources.OpenId(),new IdentityResources.Profile() // <-- usefull
};
}
public static IEnumerable<Client> GetClients()
{
return new[]
{
// for public api
new Client
{
ClientId = "secret_client_id",AllowedGrantTypes = GrantTypes.ClientCredentials,ClientSecrets =
{
new Secret("secret".Sha256())
},AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,IdentityServerConstants.StandardScopes.Profile,"ApiName"
}
}
};
}
}
}
这是我的Startup
班:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
namespace WebApplication1
{
public class Startup
{
// This method gets called by the runtime. Use this method to add services to the container.
// For more information on how to configure your application,visit https://go.microsoft.com/fwlink/?LinkID=398940
public void ConfigureServices(IServiceCollection services)
{
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddOperationalStore(options =>
{
options.EnableTokenCleanup = true;
options.TokenCleanupInterval = 30; // interval in seconds
})
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients())
.AddInMemoryIdentityResources(Config.GetIdentityResources());
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app,IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseIdentityServer();
app.UseRouting();
app.UseEndpoints(endpoints =>
{
endpoints.MapGet("/",async context =>
{
await context.Response.WriteAsync("Hello World!");
});
});
}
}
}
解决方法
正如@DES PRO 提到的,您需要在配置文件中添加 ApiScope,如下所示。
public static IEnumerable<ApiScope> GetApiScopes()
{
return new List<ApiScope>
{
new ApiScope(name: "ApiOne")
};
}
然后将作用域添加到 Startup.cs 类中的 ConfigureService。这回答了@raphael 的问题“Scopes 类在哪里使用?”
public void ConfigureServices(IServiceCollection services)
{
services.AddIdentityServer()
.AddInMemoryApiResources(Configuration.GetApis())
.AddInMemoryClients(Configuration.GetClients())
.AddInMemoryApiScopes(Configuration.GetApiScopes())
.AddDeveloperSigningCredential();
services.AddControllersWithViews();
}
,
您必须在配置中添加ApiScope。在最新的IdentityServer4中进行了更改 就是这样:
public static IEnumerable<ApiScope> GetApiScopes()
{
return new List<ApiScope>
{
new ApiScope(name: "read",displayName: "Read your data."),new ApiScope(name: "write",displayName: "Write your data."),new ApiScope(name: "delete",displayName: "Delete your data."),new ApiScope(name: "identityserverapi",displayName: "manage identityserver api endpoints.")
};
}
,
您必须始终包括 openid 范围,因为这是OpenID-Connect中的必需范围。
在IdentityServer中,StandardScopes在此处定义 https://github.com/IdentityServer/IdentityServer4/blob/main/src/IdentityServer4/src/IdentityServerConstants.cs
但是实际上它只是一个字符串。因此,您可以使用“ openid”或IdentityServerConstants.StandardScopes.OpenId
,再次确认您的客户端没有查看ApiScopes
配置中未配置的范围。在下面的示例中,我的客户注册正在查看“ THIS_IS_AN_INVALID_SCOPE”,但实际上ApiScopes
中没有定义此范围。
public static class Scopes
{
public static IEnumerable<ApiScope> Get()
{
return new[]
{
new ApiScope("ProtectedResource.Scope1","Access to ProtectedResource.Scope1"),new ApiScope("ProtectedResource.Scope2","Access to ProtectedResource.Scope2")
};
}
}
public static class Clients
{
public static IEnumerable<Client> Get()
{
return new List<Client>
{
new Client
{
ClientId = "IntegrationTests",ClientName = "Example client application using client credentials",AllowedGrantTypes = GrantTypes.ClientCredentials,ClientSecrets = new List<Secret> {new Secret("not_the_actual_password".Sha256())},AllowedScopes = new List<string> {"THIS_IS_AN_INVALID_SCOPE"},AccessTokenLifetime = 300 //5 Minutes
},};
}
}
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。