How to correctly use the introspection endpoint with identity server 4?
Problem description
I'm using Identity Server 4 and I'm trying to use the introspection endpoint, but just by the docs I'm not getting it.
The docs just give this example:
    POST /connect/introspect
    Authorization: Basic xxxyyy

    token=<token>
Now, why is there this basic authentication and what should xxxyyy be? I mean, there's no basic auth set in my app. I've just set up Identity Server 4 using ASP.NET Core as follows in the ConfigureServices:
    services.AddIdentityServer()
        .AddTemporarySigningCredential()
        .AddInMemoryApiResources(ApiResourceProvider.GetAllResources())
        .AddAspNetIdentity<Usuario>();
And in Configure:
    app.UseIdentity();
    app.UseIdentityServer();
Now I've tried just a POST to /connect/introspect with the body just token=<token>, but it returned a 404.
I believe I really didn't get it.
How do we use the introspection endpoint with Identity Server 4 in ASP.NET Core?
Recommended answer
The implementation of IdSvr4 is fantastic, but the docs leave a lot to be desired - I spent a good hour searching on the internet to be able to come up with a working solution. Being told to 'read the spec' just isn't always helpful if you are new to a concept - which is something that happens a lot on their forums.
So - what you have to pass to the POST /connect/introspect is a scope secret.
You can configure the quickstarts by changing the config.cs class. You will need to update whatever datastore you use if you have customised it, or are not using the quickstart - but the concept should (hopefully) be clear.
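    public static IEnumerable<ApiResource> GetApiResources()
    {
        return new List<ApiResource>
        {
            // The ApiResource name ("MyResource") is the Basic auth username for /connect/introspect.
            new ApiResource("MyResource", "My_Resource_DisplayName")
            {
                // Stored as a SHA-256 hash; the introspection caller sends the plaintext "hello".
                ApiSecrets = new List<Secret>
                {
                    new Secret("hello".Sha256())
                },
                Scopes =
                {
                    new Scope("MY_CUSTOM_SCOPE")
                }
            }
        };
    }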
Now...
- Ensure that your client has the scope MY_CUSTOM_SCOPE
- Ensure that you have requested the scope MY_CUSTOM_SCOPE when getting the bearer token.
Now, make a Base64 encoded string of the api resource name and secret like this:
    Convert.ToBase64String(Encoding.UTF8.GetBytes(string.Format("{0}:{1}", userName, password)));
Where username is MyResource and password is plaintext hello (obv. use your own values!) - should end up with a string which looks like this: TXlSZXNvdXJjZTpoZWxsbw==
Now, you can post to IDSvr4...
    POST /connect/introspect
    Authorization: Basic TXlSZXNvdXJjZTpoZWxsbw==
    Accept: application/json
    Content-Type: application/x-www-form-urlencoded

    token=<YOUR_TOKEN>
So, as long as your bearer token has the scope MY_CUSTOM_SCOPE (or whatever you ended up calling it) - you should now be able to use the introspection endpoint of IdSvr to get info about it.
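An added example, not part of the original answer or IdentityServer's own code: the same request issued from C# with HttpClient, reading the `active` field of the JSON reply and treating a 401 (rejected API resource credentials) separately from an inactive token. StubIdSvr, the host idsvr.example and the token strings are constructed stand-ins so the code runs offline; it assumes .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Against a real server, use new HttpClient { BaseAddress = ... } instead of the stub.
var http = new HttpClient(new StubIdSvr()) { BaseAddress = new Uri("https://idsvr.example") };
Console.WriteLine(await Introspection.IsActiveAsync(http, "MyResource", "hello", "good-token"));
Console.WriteLine(await Introspection.IsActiveAsync(http, "MyResource", "hello", "stale-token"));

static class Introspection
{
    public static async Task<bool> IsActiveAsync(HttpClient http, string apiName, string apiSecret, string token)
    {
        var req = new HttpRequestMessage(HttpMethod.Post, "/connect/introspect");
        // FormUrlEncodedContent escapes the token and sets the Content-Type header.
        req.Content = new FormUrlEncodedContent(new Dictionary<string, string> { ["token"] = token });
        // Username is the ApiResource name, password the plaintext secret (not its hash).
        var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{apiName}:{apiSecret}"));
        req.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        req.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
        using var resp = await http.SendAsync(req);
        // 401 means the caller's own credentials were rejected; that says nothing about the token.
        if (resp.StatusCode == HttpStatusCode.Unauthorized)
            throw new InvalidOperationException("API resource name or secret rejected");
        resp.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        // Fail closed: only an explicit "active": true counts as a valid token.
        return doc.RootElement.TryGetProperty("active", out var a) && a.ValueKind == JsonValueKind.True;
    }
}

// Constructed stand-in for the introspection endpoint (sample data, not real server output).
class StubIdSvr : HttpMessageHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage r, CancellationToken ct)
    {
        if (r.Headers.Authorization?.Parameter != "TXlSZXNvdXJjZTpoZWxsbw==")
            return new HttpResponseMessage(HttpStatusCode.Unauthorized);
        var body = r.Content == null ? "" : await r.Content.ReadAsStringAsync();
        var json = body == "token=good-token" ? "{\"active\":true,\"scope\":\"MY_CUSTOM_SCOPE\"}" : "{\"active\":false}";
        return new HttpResponseMessage(HttpStatusCode.OK) { Content = new StringContent(json, Encoding.UTF8, "application/json") };
    }
}
```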