AspNet.Security.OAuth.Extensions Error while introspection
Problem description
I'm writing a test application with asp.net core 2.0, AspNet.Security.OpenIdConnect.Server and AspNet.Security.OAuth.Extensions. I ran into a problem with introspection of the access token. When I get my token from /connect/token and send it to my resource server, I get the following errors in my server:
fail: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerHandler[0]
The introspection request was rejected with the following error: invalid_request ; (null)
info: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerHandler[0]
The introspection response was successfully returned: {
"error": "invalid_request"
}
In my resource server:
fail: AspNet.Security.OAuth.Introspection.OAuthIntrospectionHandler[0]
An error occurred while validating an access token: the remote server returned a BadRequest response with the following payload: Date: Sat, 21 Oct 2017 17:11:50 GMT
Server: Kestrel
{"error":"invalid_request"}.
info: AspNet.Security.OAuth.Introspection.OAuthIntrospectionHandler[7]
Bearer was not authenticated. Failure message: Authentication failed because the authorization server rejected the access token.
This is the ConfigureServices method from the Startup class of my resource server (WebApi):
public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication().AddOAuthIntrospection(
        options =>
        {
            options.Authority = new Uri("http://localhost:64855/");
            options.Audiences.Add("resource_server");
            options.ClientId = "client_id";
            options.ClientSecret = "client_secret";
            options.RequireHttpsMetadata = false;
        });
    services.AddMvc();
}
This is my controller in the resource server, protected by AuthorizeAttribute:
[Route("api/[controller]")]
[Authorize(AuthenticationSchemes = OAuthIntrospectionDefaults.AuthenticationScheme)]
public class ValuesController : Controller
{
    [HttpGet]
    public IEnumerable<string> Get()
    {
        return new string[] { "value1", "value2" };
    }
}
This is the Startup class in the auth server:
public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(
            options =>
            {
                options.DefaultScheme = OAuthValidationDefaults.AuthenticationScheme;
            })
            .AddOAuthValidation(
            options =>
            {
                options.Audiences.Add("resource_server");
            });

        services.AddAuthentication().AddOpenIdConnectServer(options =>
        {
            options.TokenEndpointPath = "/connect/token";
            options.IntrospectionEndpointPath = "/connect/introspect";
            options.AllowInsecureHttp = true;
            options.ApplicationCanDisplayErrors = true;

            options.Provider.OnValidateTokenRequest = context =>
            {
                if (!context.Request.IsPasswordGrantType() && !context.Request.IsRefreshTokenGrantType())
                {
                    context.Reject(
                        error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
                        description: "Only grant_type=password and refresh_token " +
                                     "requests are accepted by this server.");
                    return Task.CompletedTask;
                }

                if (string.Equals(context.ClientId, "client_id", StringComparison.Ordinal) &&
                    string.Equals(context.ClientSecret, "client_secret", StringComparison.Ordinal))
                {
                    context.Validate();
                }

                return Task.CompletedTask;
            };

            options.Provider.OnHandleTokenRequest = context =>
            {
                if (context.Request.IsPasswordGrantType())
                {
                    if (!string.Equals(context.Request.Username, "Bob", StringComparison.Ordinal) ||
                        !string.Equals(context.Request.Password, "P@ssw0rd", StringComparison.Ordinal))
                    {
                        context.Reject(
                            error: OpenIdConnectConstants.Errors.InvalidGrant,
                            description: "Invalid user credentials.");
                        return Task.CompletedTask;
                    }

                    var identity = new ClaimsIdentity(context.Scheme.Name,
                        OpenIdConnectConstants.Claims.Name,
                        OpenIdConnectConstants.Claims.Role);

                    identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "[unique id]");
                    identity.AddClaim("urn:customclaim", "value",
                        OpenIdConnectConstants.Destinations.AccessToken,
                        OpenIdConnectConstants.Destinations.IdentityToken);

                    var ticket = new AuthenticationTicket(
                        new ClaimsPrincipal(identity),
                        new AuthenticationProperties(),
                        context.Scheme.Name);

                    ticket.SetScopes(
                        OpenIdConnectConstants.Scopes.Profile,
                        OpenIdConnectConstants.Scopes.OfflineAccess);

                    context.Validate(ticket);
                }

                return Task.CompletedTask;
            };
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
            app.UseBrowserLink();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
        }

        app.UseStaticFiles();
        app.UseAuthentication();

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}
It seems to me that I missed something somewhere when configuring the server and the client, but I cannot understand where. Or maybe I'm just doing something wrong. Maybe I should implement the introspect method myself... don't know( I already tried to override methods in OpenIdServerConnectProvider, but nothing happened in the end.
Please tell me what the problem could be or what I did wrong. Thanks.
UPD: after all fixes, thanks to Pinpoint, this is my working solution: https://github.com/mstya/Introspection.Sample I hope it helps someone.
Recommended answer
"Or maybe I'm just doing something wrong. Maybe I should implement the introspect method myself... don't know( I already tried to override methods in OpenIdServerConnectProvider, but nothing happened in the end."
You forgot to implement the ValidateIntrospectionRequest event. Just like ValidateTokenRequest, you have to validate the client credentials and call context.Validate() if they are valid.
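The handler the answer describes, written here as an added example in the style of the question's own OnValidateTokenRequest (it is not code from the question, the answer or the ASOS project). It assumes the same hard-coded "client_id" / "client_secret" pair the question's token endpoint accepts, and it goes inside the AddOpenIdConnectServer(options => ...) block next to the other provider events:

```csharp
// Added example: the missing ValidateIntrospectionRequest handler.
// Assumes the single hard-coded client ("client_id" / "client_secret") from the
// question; a real server would look the client up in a store and compare a
// hashed secret instead of a literal.
options.Provider.OnValidateIntrospectionRequest = context =>
{
    // The resource server authenticates to /connect/introspect with the
    // ClientId/ClientSecret it was given in AddOAuthIntrospection. If this
    // event never calls Validate(), ASOS rejects the request and the resource
    // server logs "the authorization server rejected the access token".
    if (string.IsNullOrEmpty(context.ClientId) || string.IsNullOrEmpty(context.ClientSecret))
    {
        context.Reject(
            error: OpenIdConnectConstants.Errors.InvalidRequest,
            description: "The mandatory 'client_id' and 'client_secret' parameters are missing.");
        return Task.CompletedTask;
    }

    // Only a known client may introspect tokens: an introspection endpoint that
    // accepts anonymous callers lets anyone check which tokens are still valid.
    if (string.Equals(context.ClientId, "client_id", StringComparison.Ordinal) &&
        string.Equals(context.ClientSecret, "client_secret", StringComparison.Ordinal))
    {
        context.Validate();
        return Task.CompletedTask;
    }

    context.Reject(
        error: OpenIdConnectConstants.Errors.InvalidClient,
        description: "The specified client credentials are invalid.");
    return Task.CompletedTask;
};
```

With this event in place the resource server's introspection call is authenticated, the token is reported as active, and the `[Authorize]` controller from the question can be reached with the bearer token issued by /connect/token.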