AspNet.Security.OAuth.Extensions error during introspection


Question

I'm writing a test application with asp.net core 2.0, AspNet.Security.OpenIdConnect.Server and AspNet.Security.OAuth.Extensions. I ran into a problem with introspection of the access token. When I get my token from /connect/token and send it to my resource server I get the following errors in my server:

fail: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerHandler[0]
      The introspection request was rejected with the following error: invalid_request ; (null)
info: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerHandler[0]
      The introspection response was successfully returned: {
        "error": "invalid_request"
      }

And in my resource server:

fail: AspNet.Security.OAuth.Introspection.OAuthIntrospectionHandler[0]
      An error occurred while validating an access token: the remote server returned a BadRequest response with the following payload: Date: Sat, 21 Oct 2017 17:11:50 GMT
      Server: Kestrel
       {"error":"invalid_request"}.
info: AspNet.Security.OAuth.Introspection.OAuthIntrospectionHandler[7]
      Bearer was not authenticated. Failure message: Authentication failed because the authorization server rejected the access token.

This is the ConfigureServices method from the Startup class of my resource server (WebApi):

public void ConfigureServices(IServiceCollection services)
{
    // Registers the OAuth introspection handler: every incoming bearer token is sent to the
    // authority's introspection endpoint, authenticated with the client_id/client_secret below.
    services.AddAuthentication().AddOAuthIntrospection(
        options =>
        {
            options.Authority = new Uri("http://localhost:64855/");
            // The introspection response must list this value in "aud", otherwise the token is rejected.
            options.Audiences.Add("resource_server");
            options.ClientId = "client_id";
            options.ClientSecret = "client_secret";
            // Plain-HTTP metadata is only acceptable for a local test box.
            options.RequireHttpsMetadata = false;
        });
    services.AddMvc();
}

This is my controller in the resource server, protected by AuthorizeAttribute:

using System.Collections.Generic;
using AspNet.Security.OAuth.Introspection;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Route("api/[controller]")]
// Authenticate explicitly with the introspection scheme, since no default scheme is configured.
[Authorize(AuthenticationSchemes = OAuthIntrospectionDefaults.AuthenticationScheme)]
public class ValuesController : Controller
{
    [HttpGet]
    public IEnumerable<string> Get()
    {
        return new string[] {"value1", "value2"};
    }
}

This is the Startup class in the auth server:

using System;
using System.Security.Claims;
using System.Threading.Tasks;
using AspNet.Security.OAuth.Validation;
using AspNet.Security.OpenIdConnect.Extensions;
using AspNet.Security.OpenIdConnect.Primitives;
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Local validation of tokens issued by this server, used as the default scheme.
        services.AddAuthentication(
                options =>
                {
                    options.DefaultScheme = OAuthValidationDefaults.AuthenticationScheme;
                })
            .AddOAuthValidation(
                options =>
                {
                    options.Audiences.Add("resource_server");
                });

        services.AddAuthentication().AddOpenIdConnectServer(options =>
        {
            options.TokenEndpointPath = "/connect/token";
            // The introspection endpoint is exposed, but no OnValidateIntrospectionRequest
            // handler is registered below; requests to it are therefore never validated.
            options.IntrospectionEndpointPath = "/connect/introspect";
            // Development-only settings: never allow insecure HTTP outside a local test box.
            options.AllowInsecureHttp = true;
            options.ApplicationCanDisplayErrors = true;

            // Validates the token request: grant type and client credentials.
            options.Provider.OnValidateTokenRequest = context =>
            {
                if (!context.Request.IsPasswordGrantType() && !context.Request.IsRefreshTokenGrantType())
                {
                    context.Reject(
                        error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
                        description: "Only grant_type=password and refresh_token " +
                                     "requests are accepted by this server.");

                    return Task.CompletedTask;
                }

                // Note: hard-coded credentials and a non-constant-time comparison; test code only.
                if (string.Equals(context.ClientId, "client_id", StringComparison.Ordinal) &&
                    string.Equals(context.ClientSecret, "client_secret", StringComparison.Ordinal))
                {
                    context.Validate();
                }

                return Task.CompletedTask;
            };

            // Handles the (already validated) token request and builds the principal.
            options.Provider.OnHandleTokenRequest = context =>
            {
                if (context.Request.IsPasswordGrantType())
                {
                    if (!string.Equals(context.Request.Username, "Bob", StringComparison.Ordinal) ||
                        !string.Equals(context.Request.Password, "P@ssw0rd", StringComparison.Ordinal))
                    {
                        context.Reject(
                            error: OpenIdConnectConstants.Errors.InvalidGrant,
                            description: "Invalid user credentials.");

                        return Task.CompletedTask;
                    }

                    var identity = new ClaimsIdentity(context.Scheme.Name,
                        OpenIdConnectConstants.Claims.Name,
                        OpenIdConnectConstants.Claims.Role);

                    identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "[unique id]");

                    // Claims are only serialized into the tokens listed as destinations.
                    identity.AddClaim("urn:customclaim", "value",
                        OpenIdConnectConstants.Destinations.AccessToken,
                        OpenIdConnectConstants.Destinations.IdentityToken);

                    var ticket = new AuthenticationTicket(
                        new ClaimsPrincipal(identity),
                        new AuthenticationProperties(),
                        context.Scheme.Name);

                    // Scopes are set here; no audiences/resources are attached to the ticket.
                    ticket.SetScopes(
                        OpenIdConnectConstants.Scopes.Profile,
                        OpenIdConnectConstants.Scopes.OfflineAccess);

                    context.Validate(ticket);
                }

                return Task.CompletedTask;
            };
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
            app.UseBrowserLink();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
        }

        app.UseStaticFiles();
        app.UseAuthentication();
        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}

It seems to me that I missed something somewhere when configuring the server and the client, but I cannot understand where. Or maybe I'm just doing something wrong. Maybe I should implement the introspect method myself... don't know( I already tried to override methods in OpenIdServerConnectProvider, but nothing happened in the end.

Please tell me what the problem could be or what I did wrong. Thanks.

UPD: after all the fixes, thanks to Pinpoint, this is my working solution: https://github.com/mstya/Introspection.Sample I hope it helps someone.

Answer

> Or maybe I'm just doing something wrong. Maybe I should implement the introspect method myself... don't know( I already tried to override methods in OpenIdServerConnectProvider, but nothing happened in the end.

You forgot to implement the ValidateIntrospectionRequest event. Just like ValidateTokenRequest, you have to validate the client credentials and call context.Validate() if they are valid.
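The handler the answer refers to, written out as an added example; this is not code from the question, the answer, or the asker's linked repository. It assumes the ASOS 2.0 API used elsewhere on this page (OpenIdConnectServerOptions.Provider, a ValidateIntrospectionRequestContext exposing ClientId/ClientSecret with Validate()/Reject()), and the client registry, the "resource_server"/"resource_secret" pair and the helper names are hypothetical. It mirrors OnValidateTokenRequest: an introspection request that is neither validated nor explicitly rejected is what ASOS reports as invalid_request in the question's log. Unlike the question's code, it uses a length-independent comparison for the secret and gives the API its own client identity instead of reusing the password-grant client's credentials.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Primitives;
using AspNet.Security.OpenIdConnect.Server;

public static class IntrospectionSetup
{
    // Hypothetical client registry. The page only shows the literal "client_id"/"client_secret"
    // pair; "resource_server"/"resource_secret" is an assumed, separate identity for the API,
    // so the resource server never has to hold the password-grant client's secret.
    private static readonly IReadOnlyDictionary<string, string> Clients =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            ["client_id"] = "client_secret",
            ["resource_server"] = "resource_secret",
        };

    // Call this inside AddOpenIdConnectServer(options => { ... IntrospectionSetup.Configure(options); }).
    public static void Configure(OpenIdConnectServerOptions options)
    {
        options.Provider.OnValidateIntrospectionRequest = context =>
        {
            // Introspection reveals token contents, so treat it as a confidential-client-only
            // endpoint: refuse anonymous callers instead of silently leaving the request unhandled.
            if (string.IsNullOrEmpty(context.ClientId) || string.IsNullOrEmpty(context.ClientSecret))
            {
                context.Reject(
                    error: OpenIdConnectConstants.Errors.InvalidRequest,
                    description: "Client credentials are required to introspect a token.");

                return Task.CompletedTask;
            }

            if (!Clients.TryGetValue(context.ClientId, out var expectedSecret) ||
                !FixedTimeEquals(expectedSecret, context.ClientSecret))
            {
                context.Reject(
                    error: OpenIdConnectConstants.Errors.InvalidClient,
                    description: "Invalid client credentials.");

                return Task.CompletedTask;
            }

            // Credentials match: let ASOS proceed to HandleIntrospectionRequest.
            context.Validate();
            return Task.CompletedTask;
        };
    }

    // Compares the whole stored secret regardless of where the first mismatch is, so response
    // time does not depend on how much of the secret the caller guessed correctly.
    // (.NET Core 2.0 predates CryptographicOperations.FixedTimeEquals, hence the hand-written loop.)
    private static bool FixedTimeEquals(string expected, string actual)
    {
        var a = Encoding.UTF8.GetBytes(expected);
        var b = Encoding.UTF8.GetBytes(actual);

        var diff = a.Length ^ b.Length;
        for (var i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ (i < b.Length ? b[i] : 0);
        }

        return diff == 0;
    }
}
```

With this handler in place the resource server's AddOAuthIntrospection options should use the API's own ClientId/ClientSecret. Two further things to check against your library version rather than take from this page: the question's ticket sets scopes but no audiences, while the resource server demands "resource_server" in the introspection response's aud, so the ticket will need that audience attached (ASOS exposes SetResources/SetAudiences extension methods for this); and whether your ASOS version additionally requires the introspecting client_id to appear among the token's audiences before it reports the token as active.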

