How to correctly use the introspection endpoint with identity server 4?

Question

I'm using Identity Server 4 and I'm trying to use the introspection endpoint, but just by the docs I'm not getting it.

The docs just give this example

POST /connect/introspect
Authorization: Basic xxxyyy

token=<token>

Now, why is there this basic authentication and what should xxxyyy be? I mean, there's no basic auth set in my app. I've just set up Identity Server 4 using ASP.NET Core as follows in the ConfigureServices:

services.AddIdentityServer()
            .AddTemporarySigningCredential()
            .AddInMemoryApiResources(ApiResourceProvider.GetAllResources())
            .AddAspNetIdentity<Usuario>();

Configure

app.UseIdentity();
app.UseIdentityServer();

Now I've tried just a POST to /connect/introspect with the body just token=<token>, but it returned a 404.

I believe I really don't understand it.

How do we use the introspection endpoint with Identity Server 4 in ASP.NET Core?

Recommended answer

The implementation of IdSvr4 is fantastic, but the docs leave a lot to be desired - I spent a good hour searching on the internet to be able to come up with a working solution. Being told to 'read the spec' just isn't always helpful if you are new to a concept - which is something that happens a lot on their forums.

So - what you have to pass to the POST /connect/introspect is a scope secret.

You can configure the quickstarts by changing the config.cs class. You will need to update whatever datastore you use if you have customised it, or are not using the quickstart - but the concept should (hopefully) be clear.

public static IEnumerable<ApiResource> GetApiResources()
    {
        return new List<ApiResource>
        {
            new ApiResource("MyResource", "My_Resource_DisplayName")
            {
                ApiSecrets = new List<Secret>
                {
                    new Secret("hello".Sha256())
                },
                Scopes=
                {
                    new Scope("MY_CUSTOM_SCOPE")
                }
            }
        };
    }

Now...
1. Ensure that your client has the scope MY_CUSTOM_SCOPE
2. Ensure you have requested the scope MY_CUSTOM_SCOPE when getting a bearer token.

Now, make a Base64 encoded string of the api resource name and secret like this:

Convert.ToBase64String(Encoding.UTF8.GetBytes(string.Format("{0}:{1}", userName, password)));

Where username is MyResource and password is plaintext hello (obv. use your own values!) - should end up with a string which looks like this: TXlSZXNvdXJjZTpoZWxsbw==

Now, you can post to IDSvr4...

POST /connect/introspect
Authorization: Basic TXlSZXNvdXJjZTpoZWxsbw==
Accept: application/json
Content-Type: application/x-www-form-urlencoded

token=<YOUR_TOKEN>

So, as long as your bearer token has the scope MY_CUSTOM_SCOPE (or whatever you ended up calling it) - you should now be able to use the introspection endpoint of IdSvr to get info about it.

Hope that helps!
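
The request described in the answer, as an added C# example (not part of the original answer and not IdentityServer's own code): it builds the introspection call with the API resource's name and plaintext secret as Basic credentials, then accepts a token only when the response reports `"active": true`. The authority URL `https://idsrv.example`, the class and method names, and the sample JSON responses are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;

static class IntrospectionExample   // hypothetical helper, not an IdentityServer type
{
    // The Basic credentials identify the calling API resource (name + plaintext
    // ApiSecret), not an end user. Base64 is an encoding, not encryption.
    public static HttpRequestMessage BuildRequest(Uri authority, string apiName,
                                                  string apiSecret, string token)
    {
        var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{apiName}:{apiSecret}"));
        var request = new HttpRequestMessage(HttpMethod.Post, new Uri(authority, "/connect/introspect"))
        {
            // FormUrlEncodedContent sets the Content-Type header and escapes the token.
            Content = new FormUrlEncodedContent(new Dictionary<string, string> { ["token"] = token })
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
        return request;
    }

    // Fail closed: a missing, non-boolean or false "active" member means "reject".
    public static bool IsActive(string json)
    {
        using var doc = JsonDocument.Parse(json);
        return doc.RootElement.TryGetProperty("active", out var active)
            && active.ValueKind == JsonValueKind.True;
    }

    static void Main()
    {
        // Constructed values: the authority and the token are placeholders.
        var req = BuildRequest(new Uri("https://idsrv.example"), "MyResource", "hello", "<YOUR_TOKEN>");
        Console.WriteLine($"{req.Method} {req.RequestUri}");
        Console.WriteLine($"Authorization: {req.Headers.Authorization}");
        Console.WriteLine(req.Content!.ReadAsStringAsync().Result);

        // Constructed sample responses in the shape of introspection replies.
        Console.WriteLine(IsActive("{\"active\":true,\"scope\":\"MY_CUSTOM_SCOPE\"}"));
        Console.WriteLine(IsActive("{\"active\":false}"));
    }
}
```

To send the request, pass the result of `BuildRequest` to `HttpClient.SendAsync` and feed the response body to `IsActive`.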
