Identity Server未返回刷新令牌 [英] Identity Server not returning refresh token

问题描述

我试图设置Thinktecture的Identity Server 3，但是在交换授权代码(或使用ResourceOwner流)时，似乎无法让它返回刷新令牌.但是，我将重点介绍授权代码，因为它对我来说现在更重要).我获得了访问令牌，并且可以使用它们来进行身份验证，但是它似乎甚至没有生成我希望获得的刷新令牌.要使Identity Server返回刷新令牌，我需要做些特殊的事情吗?

I'm trying to set up Thinktecture's Identity Server 3, but I can't seem to get it to return a refresh token when exchanging an authorization code (or when using the ResourceOwner flow, but I'm going to focus on the authorization code as it's more important to me right now). I get back access tokens and can use them to authenticate just fine, but it doesn't seem to even be generating the refresh tokens that I'm expecting to get back. Is there anything special that I need to do to get Identity Server to return refresh tokens?

我已经阅读了文档，但是没有看到我设置有误的任何内容，这是他们在

I've looked through the documentation, but haven't seen anything that I've set up wrong, and the only thing on their page on refresh tokens that I'm not doing is explicitly requesting the "offline_access" scope when sending the user there for authentication, because whenever I try I get an "invalid scope" error. Therefore, I'm taking Thinktecture's phrasing of "Request the offline_access scope (via code or resource owner flow)" to mean that the offline_access scope is something automatically requested based on the flow you're using.

我一直在尝试遵循他们的示例应用程序(以及 Katana Project )，设置如下:

I've been trying to follow their sample applications (And the source code for the existing Owin Middleware from the Katana Project) as best I can, and my setup is as follows:

• 我已经使用其客户端类创建了一个客户端，并手动指定了以下内容:

• I've created a client using their client class, manually specifying the following:

var client = new Client()
{
    ClientId = "SomeId",
    ClientName = "Client with Authentication Code Flow",
    RequireConsent = false, //Setting this to true didn't help
    Flow = Flows.AuthorizationCode,
    ClientSecrets = new List() {
        new ClientSecret("secret")
    },
    RedirectUris = new List()
    {
        "localhost:/specific-redirect-path"
    }
};

我正在按如下所示呼叫Authorization端点:

I'm making a call to the Authorization endpoint as follows:

var authorizationEndpoint =
    AuthorizationEndpointBase +
    "?client_id=" + Uri.EscapeDataString(Options.ClientId) +
    "&scope=Default" +
    "&response_type=code" +
    "&redirect_uri=" + Uri.EscapeDataString(redirectUri) +
    "&state=" + Uri.EscapeDataString(state);
Response.Redirect(authorizationEndpoint);

其中默认"是我创建的范围.

在回调中，我按如下方式调用令牌端点:

where "Default" is a scope I created.

In my callback, I call the token endpoint as follows:

IReadableStringCollection query = Request.Query;
string code = getValueFromQueryString("code", query);
var tokenRequestParameters = new List>()
    {
        new KeyValuePair("client_id", Options.ClientId),
        new KeyValuePair("redirect_uri", GenerateRedirectUri()),
        new KeyValuePair("client_secret", Options.ClientSecret),
        new KeyValuePair("code", code),
        new KeyValuePair("grant_type", "authorization_code"),
    };
var requestContent = new FormUrlEncodedContent(tokenRequestParameters);
HttpResponseMessage response = await _httpClient.PostAsync(TokenEndpoint, requestContent, Request.CallCancelled);
response.EnsureSuccessStatusCode();
string oauthTokenResponse = await response.Content.ReadAsStringAsync();

当我调用令牌端点时，我在Identity Server上的登录将显示以下内容(在验证授权码之后):

When I make the call to the token endpoint, my logging on Identity Server displays the following (after the validation of the authorization code):

    iisexpress.exe Information: 0 : [Thinktecture.IdentityServer.Core.Validation.TokenRequestValidator]: 7/13/2015 1:44:07 PM +00:00 -- Token request validation success
     {
      "ClientId": "SomeId",
      "ClientName": "Client with Authentication Code Flow",
      "GrantType": "authorization_code",
      "AuthorizationCode": "f8f795e649044067ebd96a341c5af8c3"
    }
    iisexpress.exe Information: 0 : [Thinktecture.IdentityServer.Core.ResponseHandling.TokenResponseGenerator]: 7/13/2015 1:44:07 PM +00:00 -- Creating token response
    iisexpress.exe Information: 0 : [Thinktecture.IdentityServer.Core.ResponseHandling.TokenResponseGenerator]: 7/13/2015 1:44:07 PM +00:00 -- Processing authorization code request
    Debug: [Thinktecture.IdentityServer.Core.Services.Default.DefaultTokenService]: 7/13/2015 1:44:07 PM +00:00 -- Creating access token
    Debug: [Thinktecture.IdentityServer.Core.Services.Default.DefaultTokenService]: 7/13/2015 1:44:07 PM +00:00 -- Creating reference access token
    iisexpress.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.TokenEndpointController]: 7/13/2015 1:44:07 PM +00:00 -- End token request
    iisexpress.exe Information: 0 : [Thinktecture.IdentityServer.Core.Results.TokenResult]: 7/13/2015 1:44:07 PM +00:00 -- Returning token response.

我不确定还有什么其他意义，所以我将根据需要提供更多信息.

I'm not sure what else would be pertinent, so I'll provide more information as needed.

推荐答案

您必须在请求中明确要求"offline_access".用空格分隔您要请求的其他范围. (在下面的示例中，我将"Default"替换为"MyApi"，这很清楚我们正在谈论的是您的应用定义的范围.)

You do have to explicitly ask for 'offline_access' in your request. Separate the other scopes you are requesting with a space. (In my examples below I am replacing 'Default' with 'MyApi' to be clear that we are talking about a scope defined by your app.)

&scope=MyApi offline_access 

但是，您还必须授予该客户获取刷新令牌的权利，这不仅仅是根据您选择的流程发生的:

However, you must also grant that client the right to get refresh tokens, it doesn't just happen based on the flow you pick:

var client = new Client()
{
    ... //All the stuff you were doing before

    ScopeRestrictions = new List<string>
    { 
        "MyApi",
        StandardScopes.OfflineAccess.Name, //"offline_access" -for refresh tokens
        //Other commonly requested scopes:
        //StandardScopes.OpenId.Name, //"openid"
        //StandardScopes.Email.Name,  //"email"

    },
}

您可能还需要向范围存储"中添加"offline_access".范围存储是Identity Server知道的范围的列表.您的问题没有提到如何在项目中设置范围存储，因此您可能已经拥有了.但是，如果上述方法不能立即为您解决，您可能想在正在使用的示例中四处寻找这样的代码，然后添加OfflineAccess.

You may need to add 'offline_access' to your scope store as well. The scope store is the list of scopes that Identity Server knows about. Your question doesn't mention how your scope store is set up in your project, so you may already have it. But if the above doesn't immediately work for you, you may want to look around for code like this in the example you're working from and add OfflineAccess.

var scopeStore = new InMemoryScopeStore(new Scope[]{
    StandardScopes.OpenId,
    StandardScopes.Profile,
    StandardScopes.Email,
    StandardScopes.OfflineAccess,  //<--- ensure this is here to allow refresh tokens
    new Scope{
        Enabled = true,
        Name = "MyApi"
    },
}

这篇关于Identity Server未返回刷新令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！