如何在身份服务器4上正确使用自省端点? [英] How to correctly use the introspection endpoint with identity server 4?
问题描述
我正在使用Identity Server 4,并且尝试使用自省端点,但是仅凭文档,我没有得到它.
I'm using Identity Server 4 and I'm trying to use the introspection endpoint, but just by the docs I'm not getting it.
文档只是给出了这个例子
The docs just gives this example
POST /connect/introspect
Authorization: Basic xxxyyy
token=<token>
现在,为什么要进行这种基本身份验证?xxxyyy应该是什么?我的意思是,我的应用程序中没有设置基本身份验证.我已经在ConfigureServices
中使用ASP.NET Core设置了Identity Server 4,如下所示:
Now, why there is this basic authentication and what should be xxxyyy? I mean, there's no basic auth set in my app. I've just setup Identity Server 4 using ASP.NET Core as follows in the ConfigureServices
:
services.AddIdentityServer()
.AddTemporarySigningCredential()
.AddInMemoryApiResources(ApiResourceProvider.GetAllResources())
.AddAspNetIdentity<Usuario>();
和Configure
app.UseIdentity();
app.UseIdentityServer();
现在我只用token=<token>
尝试通过POST到/connect/introspect,但是它返回了404.
Now I've tried just a POST to /connect/introspect with the body just token=<token>
, but it returned a 404.
我相信我真的不明白.
我们如何将自省端点与ASP.NET Core中的Identity Server 4一起使用?
How do we use the introspection endpoint with Identity Server 4 in ASP.NET Core?
推荐答案
IdSvr4的实现非常棒,但是文档还有很多不足之处-我花了很多时间在互联网上搜索,以便提出一个可行的解决方案.如果您不熟悉某个概念,那么被告知阅读规格"并不总是很有帮助-这在他们的论坛上经常发生.
The implementation of IdSvr4 is fantastic, but the docs leave a lot to be desired - I spent a good hour searching on the internet to be able to come up with a working solution. Being told to 'read the spec' just isn't always helpful if you are new to a concept - which is something that happens alot on their forums.
所以-您必须传递给POST /connect/introspect
的是一个范围秘诀.
So - what you have to pass to the POST /connect/introspect
is a scope secret.
您可以通过更改config.cs
类来配置快速入门.如果您已对其进行了自定义,或者没有使用快速入门,则需要更新所使用的任何数据存储-但(应该)这个概念应该是清楚的.
You can configure the quickstarts by changing the config.cs
class. You will need to update whatever datastore you use if you have customised it, or are not using the quickstart - but the concept should (hopefully) be clear.
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource("MyResource", "My_Resource_DisplayName")
{
ApiSecrets = new List<Secret>
{
new Secret("hello".Sha256())
},
Scopes=
{
new Scope("MY_CUSTOM_SCOPE")
}
}
};
}
现在...
1.确保您的客户的范围为MY_CUSTOM_SCOPE
2.确保在获取不记名令牌时已请求范围MY_CUSTOM_SCOPE
.
Now...
1. Ensure that your client has the scope MY_CUSTOM_SCOPE
2. Ensure you have requested the scope MY_CUSTOM_SCOPE
when getting a bearer token.
现在,像这样制作一个API资源名称和密码的Base64编码的字符串:
Now, make a Base64 encoded string of the api resource name and secret like this:
Convert.ToBase64String(Encoding.UTF8.GetBytes(string.Format("{0}:{1}", userName, password)));
用户名是MyResource
,密码是纯文本hello
(请使用您自己的值!)-应该以类似于以下的字符串结尾:TXlSZXNvdXJjZTpoZWxsbw==
Where username is MyResource
and password is plaintext hello
(obv. use your own values!) - should end up with a string which looks like this: TXlSZXNvdXJjZTpoZWxsbw==
现在,您可以发布到IDSvr4 ...
Now, you can post to IDSvr4...
POST /connect/introspect
Authorization: Basic TXlSZXNvdXJjZTpoZWxsbw==
Accept: application/json
Content-Type: application/x-www-form-urlencoded
token=<YOUR_TOKEN>
因此,只要您的承载令牌的作用域为MY_CUSTOM_SCOPE
(或最终调用它的对象),您现在就可以使用IdSvr的自省端点获取有关它的信息.
So, as long as your bearer token has the scope MY_CUSTOM_SCOPE
(or whatever you ended up calling it) - you should now be able to use to introspection endpoint of IdSvr to get info about it.
希望有帮助!
这篇关于如何在身份服务器4上正确使用自省端点?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!