问题描述
使用Asp.Net Core 5和OpenIdDict,我可以配置授权代码和客户端凭据:
services.AddOpenIddict()
.AddCore(x => {
x.UseEntityFrameworkCore().UseDbContext<Context>().ReplaceDefaultEntities<Application,Authorization,Scope,Token,Int32>();
})
.AddServer(x => {
x.SetAuthorizationEndpointUris("/connect/authorize")
.SetlogoutEndpointUris("/connect/logout")
.SetTokenEndpointUris("/connect/token")
.SetUserinfoEndpointUris("/connect/userinfo")
.SetIntrospectionEndpointUris("/.well-kNown/openid-configuration");
x.RegisterScopes(OpenIddictConstants.Scopes.Profile,OpenIddictConstants.Scopes.Email,OpenIddictConstants.Scopes.OfflineAccess);
x.AllowAuthorizationCodeFlow()
.AllowRefreshTokenFlow()
.AllowClientCredentialsFlow();
x.AddDevelopmentEncryptionCertificate().AddDevelopmentSigningCertificate();
x.UseAspNetCore()
.EnableAuthorizationEndpointPassthrough()
.EnablelogoutEndpointPassthrough()
.EnabletokenEndpointPassthrough()
.EnableuserinfoEndpointPassthrough()
.EnableStatusCodePagesIntegration();
})
.AddValidation(x => {
x.UseLocalServer();
x.UseAspNetCore();
});
在API上,我有:
services.AddOpenIddict()
.AddValidation(x => {
x.SetIssuer("https://localhost:5000");
x.AddAudiences("api");
x.UseIntrospection().SetClientId("api").SetClientSecret("SecretAPI");
x.UseSystemNetHttp();
x.UseAspNetCore();
});
然后我有了客户端和API应用程序:
OpenIddictApplicationDescriptor mvc = new OpenIddictApplicationDescriptor {
ClientId = "mvc",ClientSecret = "SecretMVC",ConsentType = OpenIddictConstants.ConsentTypes.Explicit,Permissions = {
OpenIddictConstants.Permissions.Endpoints.Token,OpenIddictConstants.Permissions.GrantTypes.ClientCredentials,OpenIddictConstants.Permissions.Prefixes.Scope + "api"
}
};
OpenIddictApplicationDescriptor api = new OpenIddictApplicationDescriptor {
ClientId = "api",ClientSecret = "SecretAPI",Permissions = {
OpenIddictConstants.Permissions.Endpoints.Introspection
}
};
我可以使用Insomnia Rest Client和Client Credentials获得访问令牌。
Bearer error = "invalid_token",error_description = "The specified token is invalid."
为什么会这样?
更新
[12:09:52 Debug] OpenIddict.Validation.OpenIddictValidationdispatcher
The event OpenIddict.Validation.OpenIddictValidationEvents+HandleIntrospectionResponseContext was marked as rejected by OpenIddict.Validation.OpenIddictValidationHandlers+HandleErrorResponse`1[[OpenIddict.Validation.OpenIddictValidationEvents+HandleIntrospectionResponseContext,OpenIddict.Validation,Version=3.0.0.0,Culture=neutral,PublicKeyToken=35a561290d20de2f]].
[12:09:52 Debug] OpenIddict.Validation.OpenIddictValidationdispatcher
An error occurred while introspecting the token.
OpenIddict.Abstractions.OpenIddictExceptions+GenericException: An error occurred while handling the introspection response.
Error: invalid_request
Error description: The specified HTTP method is not valid.
Error URI:
at OpenIddict.Validation.OpenIddictValidationService.<>c__displayClass5_0.<<IntrospectTokenAsync>g__HandleIntrospectionResponseAsync|3>d.MoveNext()
--- End of stack trace from prevIoUs location ---
at OpenIddict.Validation.OpenIddictValidationService.IntrospectTokenAsync(Uri address,String token,String type,CancellationToken cancellationToken)
at OpenIddict.Validation.OpenIddictValidationService.IntrospectTokenAsync(Uri address,CancellationToken cancellationToken)
at OpenIddict.Validation.OpenIddictValidationHandlers.IntrospectToken.HandleAsync(ProcessAuthenticationContext context)
[12:09:52 Debug] OpenIddict.Validation.OpenIddictValidationdispatcher
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+IntrospectToken.
解决方法
您将自省端点配置为与OIDC提供程序配置端点共享相同的地址,这可以防止将自省请求识别为有效的POST请求。
修复SetIntrospectionEndpointUris("/.well-known/openid-configuration")
以使用其他地址,它应该可以正常工作。