问题描述
我一直在使用 Asp.Net Core 和 IdentityServer4 在带有IIS的AWS Windows VM下运行Web API。 Identity Server在我的安全控制器的同一应用程序上运行。 使用我的外部域“ http:// {my-external-domain}”,此程序运行正常,没有问题。
我的StartUp.cs相关部分如下所示:
.AddJwtBearer(options =>
{
options.Authority = xyzConfig.Authority; //http://{my-external-domain}
options.Audience = "xyz";
options.RequireHttpsMetadata = false;
我正在使用http:// {my-external-domain} / connect / token,然后可以成功请求授权内容。
但是,当使用 AWS PrivateLink 设置此流时,某些组合不起作用,包括所需的http:// {my-internal-domain}作为发行者/授权者和受保护的者之一控制器。
IOException: IDX20804: Unable to retrieve document from: 'http://{my-internal-domain}/.well-kNown/openid-configuration'.
但是,可以在同一台计算机上检索此信息:
{
"issuer": "http://{my-internal-domain}","jwks_uri": "http://{my-internal-domain}/.well-kNown/openid-configuration/jwks","authorization_endpoint": "http://{my-internal-domain}/connect/authorize","token_endpoint": "http://{my-internal-domain}/connect/token","userinfo_endpoint": "http://{my-internal-domain}/connect/userinfo","end_session_endpoint": "http://{my-internal-domain}/connect/endsession","check_session_iframe": "http://{my-internal-domain}/connect/checksession","revocation_endpoint": "http://{my-internal-domain}/connect/revocation","introspection_endpoint": "http://{my-internal-domain}/connect/introspect","device_authorization_endpoint": "http://{my-internal-domain}/connect/deviceauthorization","frontchannel_logout_supported": true,"frontchannel_logout_session_supported": true,"backchannel_logout_supported": true,"backchannel_logout_session_supported": true,"scopes_supported": [
"openid","email","profile","xyz","offline_access"
],"claims_supported": [
"sub","email_verified","name","family_name","given_name","middle_name","nickname","preferred_username","picture","website","gender","birthdate","zoneinfo","locale","updated_at"
],"grant_types_supported": [
"authorization_code","client_credentials","refresh_token","implicit","password","urn:ietf:params:oauth:grant-type:device_code"
],"response_types_supported": [
"code","token","id_token","id_token token","code id_token","code token","code id_token token"
],"response_modes_supported": [
"form_post","query","fragment"
],"token_endpoint_auth_methods_supported": [
"client_secret_basic","client_secret_post"
],"subject_types_supported": [
"public"
],"id_token_signing_alg_values_supported": [
"RS256"
],"code_challenge_methods_supported": [
"plain","S256"
],"request_parameter_supported": true
}
当我将StartUp.cs设置更改为以下内容时:
var key = System.Text.Encoding.ASCII.GetBytes(xyzConfig.Secret);
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
//options.Authority = xyzConfig.Authority;
options.Audience = "xyz";
options.RequireHttpsMetadata = false;
options.Savetoken = true;
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
ValidateIssuerSigningKey = true,IssuerSigningKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(key),ValidateIssuer = false,ValidateAudience = false
};
});
现在我在响应标头中得到401并显示以下消息:
Bearer error="invalid_token",error_description="The signature key was not found"
这很有趣,因为在jsonwebtoken.io中解析时,此处使用的令牌似乎有效:
{
"nbf": 1602077163,"exp": 1602080774,"iss": "http://{my-internal-domain}","aud": [
"http://{my-internal-domain}/resources","xyz"
],"client_id": "789456","sub": "23de9244-86ba-4553-845f-1cbe6bac0536","auth_time": 1602077162,"idp": "local","given_name": "gname","email": "email@white.com","scope": [
"openid","amr": [
"pwd"
],"jti": "921552fd-da9b-49b0-98a6-c7c0dcb2d865","iat": 1602077174
}
Signing Key Verified还附带了该功能,所以现在我不知道现在应该走哪条路,是否无论如何我们都可以使用 AWS PrivateLink 使用其 >网络负载平衡器(NLB)
如果需要其他任何信息,我们将很乐意在此处提供。 感谢您的任何帮助,谢谢!
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)