使用OpenIdDict时不允许使用“ offline_access”范围

编程问答 2022-06-03

问题描述

将Asp.Net Core 5.0与Identity和OpenIdDict结合使用时,我具有以下特点:

  services.AddOpenIddict()
  
    .AddCore(x => {
      x.UseEntityFrameworkCore().UseDbContext<Context>().ReplaceDefaultEntities<Application,Authorization,Scope,Token,Int32>();
    })

    .AddServer(x => {

      x.SetAuthorizationEndpointUris("/connect/authorize")
       .SetlogoutEndpointUris("/connect/logout")
       .SetTokenEndpointUris("/connect/token")
       .SetUserinfoEndpointUris("/connect/userinfo");

      x.RegisterScopes(OpenIddictConstants.Scopes.Profile,OpenIddictConstants.Scopes.Email,OpenIddictConstants.Scopes.OfflineAccess);

      x.AllowAuthorizationCodeFlow();

      x.AddDevelopmentEncryptionCertificate().AddDevelopmentSigningCertificate();

      x.UseAspNetCore()
       .EnableAuthorizationEndpointPassthrough()
       .EnablelogoutEndpointPassthrough()
       .EnabletokenEndpointPassthrough()
       .EnableuserinfoEndpointPassthrough()
       .EnableStatusCodePagesIntegration();

    })

    .AddValidation(x => {
      x.UseLocalServer();
      x.UseAspNetCore();
    });

我有以下客户端:

  OpenIddictApplicationDescriptor spa = new OpenIddictApplicationDescriptor {
    ClientId = "spa",ClientSecret = "secret",ConsentType = OpenIddictConstants.ConsentTypes.Implicit,PostlogoutRedirectUris = {
      new Uri("https://localhost:5002/oidc-signout")
    },RedirectUris = {
      new Uri("https://localhost:5002/oidc-signin"),new Uri("https://localhost:5002/oidc-silent-refresh")
    },Permissions = {
      OpenIddictConstants.Permissions.Endpoints.Authorization,OpenIddictConstants.Permissions.Endpoints.logout,OpenIddictConstants.Permissions.Endpoints.Token,OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,OpenIddictConstants.Permissions.GrantTypes.RefreshToken,OpenIddictConstants.Permissions.ResponseTypes.Code,OpenIddictConstants.Permissions.Scopes.Email,OpenIddictConstants.Permissions.Scopes.Profile,OpenIddictConstants.Permissions.Prefixes.Scope + "api"
    },Requirements = {
      OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange
    }
  };

在Angular Spa客户端应用程序上,我正在使用以下配置:

const settings: UserManagerSettings = {
  automaticSilentRenew: true,authority: "https://localhost:5000",client_id: 'spa',client_secret: 'secret',filterProtocolClaims: true,loadUserInfo: true,post_logout_redirect_uri: "https://localhost:5002/oidc-signout",redirect_uri: "https://localhost:5002/oidc-signin",response_mode: 'query',response_type: 'code',scope: 'openid profile email offline_access api',silent_redirect_uri: 'https://localhost:5002/oidc-silent-refresh'
};

当我单击SPA登录时,我被重定向并收到错误消息:

The 'offline_access' scope is not allowed.

如果我不带'offline_access'使用它,那么一切正常,例如:

scope: 'openid profile email api'

我想念什么?

解决方法

应该先启用刷新令牌流,然后才能使用offline_access范围。

在您的Startup.cs中,您应更改以下行:
x.AllowAuthorizationCodeFlow();
变成这样的东西:
x.AllowAuthorizationCodeFlow().AllowRefreshTokenFlow();

还有一个GitHub issue与您的问题有关。

asp.net-coreasp.net-core-5.0openiddict