问题描述
将Asp.Net Core 5.0与Identity和OpenIdDict结合使用时,我具有以下特点:
services.AddOpenIddict()
.AddCore(x => {
x.UseEntityFrameworkCore().UseDbContext<Context>().ReplaceDefaultEntities<Application,Authorization,Scope,Token,Int32>();
})
.AddServer(x => {
x.SetAuthorizationEndpointUris("/connect/authorize")
.SetlogoutEndpointUris("/connect/logout")
.SetTokenEndpointUris("/connect/token")
.SetUserinfoEndpointUris("/connect/userinfo");
x.RegisterScopes(OpenIddictConstants.Scopes.Profile,OpenIddictConstants.Scopes.Email,OpenIddictConstants.Scopes.OfflineAccess);
x.AllowAuthorizationCodeFlow();
x.AddDevelopmentEncryptionCertificate().AddDevelopmentSigningCertificate();
x.UseAspNetCore()
.EnableAuthorizationEndpointPassthrough()
.EnablelogoutEndpointPassthrough()
.EnabletokenEndpointPassthrough()
.EnableuserinfoEndpointPassthrough()
.EnableStatusCodePagesIntegration();
})
.AddValidation(x => {
x.UseLocalServer();
x.UseAspNetCore();
});
我有以下客户端:
OpenIddictApplicationDescriptor spa = new OpenIddictApplicationDescriptor {
ClientId = "spa",ClientSecret = "secret",ConsentType = OpenIddictConstants.ConsentTypes.Implicit,PostlogoutRedirectUris = {
new Uri("https://localhost:5002/oidc-signout")
},RedirectUris = {
new Uri("https://localhost:5002/oidc-signin"),new Uri("https://localhost:5002/oidc-silent-refresh")
},Permissions = {
OpenIddictConstants.Permissions.Endpoints.Authorization,OpenIddictConstants.Permissions.Endpoints.logout,OpenIddictConstants.Permissions.Endpoints.Token,OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,OpenIddictConstants.Permissions.GrantTypes.RefreshToken,OpenIddictConstants.Permissions.ResponseTypes.Code,OpenIddictConstants.Permissions.Scopes.Email,OpenIddictConstants.Permissions.Scopes.Profile,OpenIddictConstants.Permissions.Prefixes.Scope + "api"
},Requirements = {
OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange
}
};
在Angular Spa客户端应用程序上,我正在使用以下配置:
const settings: UserManagerSettings = {
automaticSilentRenew: true,authority: "https://localhost:5000",client_id: 'spa',client_secret: 'secret',filterProtocolClaims: true,loadUserInfo: true,post_logout_redirect_uri: "https://localhost:5002/oidc-signout",redirect_uri: "https://localhost:5002/oidc-signin",response_mode: 'query',response_type: 'code',scope: 'openid profile email offline_access api',silent_redirect_uri: 'https://localhost:5002/oidc-silent-refresh'
};
The 'offline_access' scope is not allowed.
如果我不带'offline_access'使用它,那么一切正常,例如:
scope: 'openid profile email api'
我想念什么?
解决方法
应该先启用刷新令牌流,然后才能使用offline_access范围。
在您的Startup.cs
中,您应更改以下行:x.AllowAuthorizationCodeFlow();
变成这样的东西:x.AllowAuthorizationCodeFlow().AllowRefreshTokenFlow();
还有一个GitHub issue与您的问题有关。