问题描述
基于 OpenIddict 的身份服务器在其自己的 [授权] 控制器中验证令牌,但在通过 /introspect 端点从另一个资源服务器访问时拒绝令牌。
在开发机器上一切正常。这是在将服务部署到 Linux 服务器后发生的,该服务器托管在同一台机器的不同端口上。
这是我日志中的实际异常:
java.time.Duration
设置与此类似: https://github.com/openiddict/openiddict-samples/blob/dev/samples/Zirku/Zirku.Server/Startup.cs
这是我的 openiddict 设置:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidissuerException: IDX10205: Issuer validation Failed. Issuer: 'System.String'. Did not match: validationParameters.Validissuer: 'System.String' or validationParameters.Validissuers: 'System.String'.
这是我的 API 上的设置:
services.AddOpenIddict()
.AddCore(options =>
{
// Configure OpenIddict to use the Entity Framework Core stores and models.
// Note: call ReplaceDefaultEntities() to replace the default OpenIddict entities.
options.UseEntityFrameworkCore()
.UseDbContext<ApplicationDbContext>();
}).AddServer(options =>
{
// Enable the authorization,logout,token and userinfo endpoints.
options.SetAuthorizationEndpointUris("/connect/authorize")
.SetlogoutEndpointUris("/connect/logout")
.SetTokenEndpointUris("/connect/token")
.SetIntrospectionEndpointUris("/connect/introspect")
.SetUserinfoEndpointUris("/connect/userinfo");
// Mark the "email","profile" and "roles" scopes as supported scopes.
options.RegisterScopes(OpenIddictConstants.Scopes.Email,OpenIddictConstants.Scopes.Profile,OpenIddictConstants.Scopes.Roles);
// Note: this sample only uses the authorization code flow but you can enable
// the other flows if you need to support implicit,password or client credentials.
options.AllowAuthorizationCodeFlow().RequireProofKeyForCodeExchange();
options.AllowClientCredentialsFlow();
options.AllowPasswordFlow();
options.AllowRefreshTokenFlow();
// Register the signing and encryption credentials.
options.AddDevelopmentEncryptionCertificate();
// .AddDevelopmentSigningCertificate();
// Encryption and signing of tokens
options.AddEphemeralEncryptionKey()
.AddEphemeralSigningKey();
options.RegisterScopes(ApplicationConstants.MobileApiResource);
options.SetAccesstokenLifetime(TimeSpan.FromMinutes(5));
options.SetIdentityTokenLifetime(TimeSpan.FromMinutes(15));
options.SetRefreshTokenLifetime(TimeSpan.FromHours(1));
// Register the ASP.NET Core host and configure the ASP.NET Core-specific options.
options.UseAspNetCore()
//todo remove the disable transport layer security
.disableTransportSecurityRequirement()
.EnableAuthorizationEndpointPassthrough()
.EnablelogoutEndpointPassthrough()
.EnabletokenEndpointPassthrough()
.EnableuserinfoEndpointPassthrough()
.EnableStatusCodePagesIntegration();
options.disableAccesstokenEncryption();
})
.AddValidation(options =>
{
// Import the configuration from the local OpenIddict server instance.
options.UseLocalServer();
// Register the ASP.NET Core host.
options.UseAspNetCore();
});
解决方法
最后,在我前辈的帮助下,我们能够诊断出问题。此问题与 nginx 有关。
服务器只返回颁发者域地址而不返回端口,它返回 xyz.com 作为颁发者而不是实际颁发者地址 xyz.com:5001
正确的解决方法是调整nginx conf proxy的Host header指令。
改变了这个:
proxy_set_header Host $host;
为此:
proxy_set_header Host $http_host;
还将其添加到身份服务器的 Startup.cs 中:
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});