问题描述
正如标题所述,获得:
“ IDX10609:解密失败。未尝试任何密钥:令牌:“ System.String”。”
尝试进行身份验证时出错。将Openiddict用于身份验证服务器。我确定我或api服务器中的配置错误,但是我不知道是什么。我一直在尝试不同的组合,但此刻一直停留。这是身份验证服务器配置:
public void ConfigureServices(IServiceCollection services) {
services.AddDbContext<TrustContext>(options =>
{
options.UsesqlServer(Configuration.GetConnectionString("Trust"),b => b.MigrationsAssembly("Application.Trust"));
options.USEOpenIddict();
});
services.AddDefaultIdentity<AspNetUsers>()
.AddEntityFrameworkStores<TrustContext>()
.AddDefaultTokenProviders();
services.Configure<IdentityOptions>(options =>
{
options.ClaimsIdentity.UserNameClaimType = Claims.Name;
options.ClaimsIdentity.UserIdClaimType = Claims.Subject;
options.ClaimsIdentity.RoleClaimType = Claims.Role;
});
services.AddOpenIddict()
// Register the OpenIddict core components.
.AddCore(options =>
{
options.UseEntityFrameworkCore()
.UseDbContext<TrustContext>();
})
.AddServer(options =>
{
options.IgnoreEndpointPermissions()
.IgnoreGrantTypePermissions()
.IgnoreScopePermissions();
// Enable the authorization,logout,token and userinfo endpoints.
options.SetAuthorizationEndpointUris("/connect/authorize")
.SetlogoutEndpointUris("/connect/logout")
.SetTokenEndpointUris("/connect/token")
.SetUserinfoEndpointUris("/connect/userinfo");
options.RegisterScopes(Scopes.Email,Scopes.Profile,Scopes.Roles,Scopes.OpenId);
options.AllowAuthorizationCodeFlow()
.AllowPasswordFlow()
.AllowImplicitFlow()
.AllowHybridFlow()
.AllowRefreshTokenFlow();
options.AddDevelopmentEncryptionCertificate()
.AddDevelopmentSigningCertificate();
options.AcceptAnonymousClients();
options.UseAspNetCore()
.EnableAuthorizationEndpointPassthrough()
.EnablelogoutEndpointPassthrough()
.EnabletokenEndpointPassthrough()
.EnableuserinfoEndpointPassthrough()
.EnableStatusCodePagesIntegration();
})
.AddValidation(options =>
{
options.UseLocalServer();
options.UseAspNetCore();
});
API服务器配置:
IConfigurationManager<OpenIdConnectConfiguration> configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>($"https://localhost:44395/.well-kNown/openid-configuration",new OpenIdConnectConfigurationRetriever());
OpenIdConnectConfiguration openIdConfig = configurationManager.GetConfigurationAsync(CancellationToken.None).Result;
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.IncludeErrorDetails = true;
options.TokenValidationParameters.ValidateIssuer = true;
options.TokenValidationParameters.ValidateAudience = false;
options.TokenValidationParameters.ValidateIssuerSigningKey = false;
options.TokenValidationParameters.Validissuer = "https://localhost:44395";
options.TokenValidationParameters.ValidAudiences = new[] { "resource_server_1" };
options.TokenValidationParameters.IssuerSigningKeys = openIdConfig.SigningKeys;
options.Events = new JwtBearerEvents()
{
OnAuthenticationFailed = c =>
{
c.noresult();
c.Response.StatusCode = 500;
c.Response.ContentType = "text/plain";
return c.Response.WriteAsync("An error occured processing your authentication. " + c.Exception.Message);
}
};
});
我已经将它与作为身份验证服务器的keycloak一起使用,但是当我切换到OpenIddict时,我遇到了以上错误。我认为我可能缺少签名密钥,或者我的配置/客户端配置有问题吗?
解决方法
在OpenIddict 3.0中,默认情况下对访问令牌进行加密。要解决您遇到的错误,您可以执行以下操作之一:
-
在JWT处理程序选项(
Submitting job(s)ERROR at Queue statement on Line 13: $INT() macro: 50+ $((0/41)) does not evaluate to an integer!)中注册加密密钥。 -
禁用访问令牌加密:
options.TokenValidationParameters.TokenDecryptionKey注意:在3.0中,推荐的选项是使用OpenIddict验证处理程序,而不是Microsoft开发的JWT处理程序。