如何在access_token中添加"aud"声明 [英] How to add an 'aud' claim to access_token
问题描述
我是IdentityServer 4和OpenIdConnect的新手,试图让我的Asp.NET Core + Angular 9 SPA应用程序与JwtBearer令牌一起使用,问题是我无法正确设置access_token的'aud'声明,我m收到消息401:
bearer error =" invalid_token",error_description =""受众空"无效
观众空"无效
在WWW-Authenticate标头中找到.
但是,如果不是,我将不停地使用 id_token (我想应该只使用一次将用户登录到应用程序),因为我可以访问受保护的资源,因为它有这个音频"声明.
我认为这不是适当的行为(或者是吗?)
有什么办法,我如何明确设置access_token的"aud"声明?我已经看过很多地方,stackOverflow,OpenId.net文档和其他地方,但仍然找不到答案.有人可以帮我吗?
这是我的API&中的AddAuthentication方法app.UseAuthentication/app.UseAuthorization:
但是,如果您查看官方文档的配置部分,则说需要禁用aud声明:
https://identityserver4.readthedocs.io/en/latest/quickstarts/1_client_credentials.html#configuration
<代码> {公共无效ConfigureServices(IServiceCollection服务){services.AddControllers();services.AddAuthentication(承载者").AddJwtBearer("Bearer",options =>{options.Authority ="https://localhost:5001";options.TokenValidationParameters =新的TokenValidationParameters{ValidateAudience =否};});}公共无效配置(IApplicationBuilder应用){app.UseRouting();app.UseAuthentication();app.UseAuthorization();app.UseEndpoints(endpoints =>{endpoints.MapControllers();});}} I'm new to IdentityServer 4 and OpenIdConnect, trying to get my Asp.NET Core + Angular 9 SPA app to work with JwtBearer tokens, and the problem is what I cannot set my access_token's 'aud' claim properly, I'm getting 401 with message:
Bearer error="invalid_token", error_description="The audience 'empty' is invalid
The audience 'empty' is invalid
found in WWW-Authenticate header.
If however, instead of this I will use an id_token constantly (which should be used only once to log user into the app as I suppose), I will get access to my protected resources, because it has this 'aud' claim.
I suppose it is not a proper behaviour (or is it?)
Is there any way, how I may explicitly set the access_token's 'aud' claim? I've looked already in many places, stackOverflow, OpenId.net docs and the others, and still I cannot find an answer. May some1 help me with that?
Here's my AddAuthentication method in my API & app.UseAuthentication/app.UseAuthorization: https://pastebin.com/YdE3WQ7b
and my client config: https://pastebin.com/AdAjntjc
PrintScreen of jwt.io:
There was a major change in IdentityServer4 version v4 they are no longer setting the aud claim by default.
Probably you followed an old article, like this for example:
https://medium.com/@marcodesanctis2/securing-blazor-webassembly-with-identity-server-4-ee44aa1687ef
Which is using IS4 v3
But if you check the configuration section of the oficcial documentation it says you need to disable the aud Claim:
https://identityserver4.readthedocs.io/en/latest/quickstarts/1_client_credentials.html#configuration
{
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.Authority = "https://localhost:5001";
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false
};
});
}
public void Configure(IApplicationBuilder app)
{
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
}
这篇关于如何在access_token中添加"aud"声明的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
