ASP.NET Core Openiddict抛出“无法从此终结点返回OpenID Connect响应". [英] ASP.NET Core Openiddict throws "An OpenID Connect response cannot be returned from this endpoint"

查看:234
本文介绍了ASP.NET Core Openiddict抛出“无法从此终结点返回OpenID Connect响应".的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我使用来自 https:的密码流按照openiddict服务器示例中的说明进行操作://github.com/openiddict/openiddict-samples/tree/master/samples/PasswordFlow 但没有成功.

I follow instruction in openiddict server example using password flow from https://github.com/openiddict/openiddict-samples/tree/master/samples/PasswordFlow but have no success.

它引发 InvalidOperationException:无法从此端点在路径/connect/token 上返回OpenID Connect响应:

It throws InvalidOperationException: An OpenID Connect response cannot be returned from this endpoint at route /connect/token:

return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);

邮递员参数:

  • 内容类型: application/x-www-form-urlencoded
  • 参数:用户名= ..& password = ...& grantType = password& scope = offline_access + profile + email
  • Content-Type: application/x-www-form-urlencoded
  • Params: username=..&password=...&grantType=password&scope=offline_access+profile+email

我花了一整天的时间进行研究,但没有有关无法从此终结点返回异常的信息.除了我之外,很多人都可以运行openiddict示例.

I spent my day for researching but there is no information about cannot be returned from this endpoint exception. And many people can run openiddict example except me.

这是Startup.cs的一部分:

Here is apart of Startup.cs:

services.AddEntityFrameworkSqlite()
    .AddDbContext<MisapayContext>(options =>
    {
        options.UseOpenIddict<int>();
    });

    //....

    services.AddOpenIddict<int>()
    .AddEntityFrameworkCoreStores<MisapayContext>()
    .DisableHttpsRequirement()
    .EnableTokenEndpoint("/connect/token")
    .EnableLogoutEndpoint("/connect/logout")
    .EnableUserinfoEndpoint("/connect/userinfo")
    .UseJsonWebTokens()
    .AllowPasswordFlow()
    .AllowRefreshTokenFlow()
    .AddEphemeralSigningKey();

services.AddMvc(config =>
{
    config.Filters.Add(new ApiExceptionFilter());
}).AddJsonOptions(options =>
{
    options.SerializerSettings.Formatting = Newtonsoft.Json.Formatting.Indented;
    options.SerializerSettings.DateTimeZoneHandling = Newtonsoft.Json.DateTimeZoneHandling.Local;
});

我认为问题是 OpenIdConnectRequest ,如果使用,则无法绑定它:

Edited: I think problem is OpenIdConnectRequest, it can not be binded if use:

OpenIddictBuiler.AddMvcBinders()

将引发OpenID Connect请求无法从ASP.NET上下文中检索.

Will throws The OpenID Connect request cannot be retrieved from the ASP.NET context.`

否则,将其删除,可以正确获得AuthorizationController中的OpenIdConnectRequest.而且我可以获取请求信息,例如用户名,密码grantType等...奇怪...对吗?

Otherwise, remove it, OpenIdConnectRequest in AuthorizationController can get properly. And I can get request information such as username, password grantType etc... Strange... right?

其他一些信息:

  • Asp.net Core SDK 1.1
  • Project.json : https://gist.github.com/trinvh/47f29468887c209716098bc4c76181a7
  • Startup.cs: https://gist.github.com/trinvh/75b7a12fbee754d0ea8cf251f2da9fe9
  • AuthorizationController.cs: https://gist.github.com/trinvh/089015b2573cae550856631e72b81374

任何帮助将不胜感激!

推荐答案

好的,这是正在发生的事情:

Okay, here's what's happening:

  • 您已将OpenIddict配置为使用/connect/token作为令牌端点地址.
  • 您通过邮递员发送的令牌请求指向/connect/token/,这实际上是一个完全不同的URL(/connect/token!= /connect/token/).
  • 由于地址与注册的端点路径不同,因此OpenIddict不处理该请求,并拒绝将其视为令牌请求.
  • 由于某些原因,即使路由与请求的URL不匹配,MVC也会接受处理您的/connect/token/请求并调用Exchange操作.
  • 由于尚未在MVC选项中注册OpenIddict MVC绑定程序,因此MVC使用其默认绑定程序构造OpenIdConnectRequest对象,该对象允许将OpenIdConnectRequest.GrantType参数从无效的grantType参数解析(它专用的OpenIddict资料夹不会发生这种情况.
  • 您的令牌终结点操作最终调用SignIn以返回令牌响应.
  • 在幕后,OpenIddict检测到您在常规令牌请求处理之外调用了SignIn-因为由于路径差异,它不将请求视为令牌请求-并通过抛出InvalidOperationException.
  • You've configured OpenIddict to use /connect/token as the token endpoint address.
  • The token request you send via Postman points to /connect/token/, which is actually a totally different URL (/connect/token != /connect/token/).
  • Since the address differs from the registered endpoint path, OpenIddict doesn't handle the request and refuses to consider it as a token request.
  • For some reasons, MVC accepts to handle your /connect/token/ request and invokes the Exchange action, even though the route doesn't match the requested URL.
  • Since you haven't registered the OpenIddict MVC binder in the MVC options, MVC uses its default binder to construct the OpenIdConnectRequest object, which allows the OpenIdConnectRequest.GrantType parameter to be resolved from the invalid grantType parameter (it wouldn't happen with the dedicated OpenIddict binder).
  • Your token endpoint action ends up calling SignIn to return a token response.
  • Under the hood, OpenIddict detects that you called SignIn outside the normal token request processing - since it didn't consider the request as a token request, due to the paths difference - and aborts this unsafe operation by throwing an InvalidOperationException.

我将对MVC人员进行ping操作,以确保他们知道此错误.

I'll ping the MVC folks to make sure they are aware of this bug.

经过一些研究,看来此行为是设计使然"的,并且是从ASP.NET MVC继承的.我打开了 aspnet/Mvc存储库中的功能请求,以添加一种新的使用方式严格比较"以进行路由匹配.

after some research, it looks like this behavior is "by design" and was inherited from ASP.NET MVC. I opened a feature request in the aspnet/Mvc repository to add a new way to use "strict comparison" for routes matching.

这篇关于ASP.NET Core Openiddict抛出“无法从此终结点返回OpenID Connect响应".的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆