用户已通过身份验证，但访问令牌在哪里? [英] User is authenticated but where is the access token?

问题描述

我有一个Web应用程序，它使用隐式客户端向Identity Server 4验证用户身份.我需要该用户的访问令牌，以便可以调用另一个API.

I have a web Application which authenticates a user to an Identity Server 4, using an implicit client. I need the access token for this user so that I can make a call to another API.

要清楚:

1. 我有一个身份服务器.使用身份服务器4创建.
2. 我有问题的Web应用程序是在Asp .net core mvc中创建的.
3. 在.net核心中创建的API.

Web应用程序根据身份服务器对用户进行身份验证.一旦对它们进行身份验证，我们将使用承载令牌来访问API.

The Web application authenticates the user against the identity server. Once they are authenticated we use bearer tokens to access the API.

 services.TryAddSingleton<IHttpContextAccessor, HttpContextAccessor>();

 services.AddAuthentication(options =>
            {
                options.DefaultScheme = "cookie";
                options.DefaultChallengeScheme = "oidc";
            })
            .AddCookie("cookie")
            .AddOpenIdConnect("oidc", options =>
            {
                options.Authority = Configuration["ServiceSettings:IdentityServerEndpoint"];
                options.ClientId = "f91ece52-81cf-4b7b-a296-26356f50841f";
                options.SignInScheme = "cookie";
            });

用户身份验证正常，我可以访问下面的控制器.我需要该用户的访问令牌，以便可以向另一个API发出请求.

The user is authenticating fine and i am able to access the controller below. I need an access token for this user so that i can make a request to another API.

[Authorize]
public async Task<IActionResult> Index(int clientId, string error)
{
        ViewData["Title"] = "Secrets";

        if (User.Identity.IsAuthenticated)
        {

         // All of the below attempts result in either null or empty array
         var attempt1 = Request.Headers["Authorization"];
         var attempt2 = await HttpContext.GetTokenAsync("access_token");
         var attempt3 = _httpContextAccessor.HttpContext.Request.Headers["Authorization"];

         var attempt4 = await _httpContextAccessor.HttpContext.GetTokenAsync("access_token");

        }
        return View();
    }

以下内容确实包含一个名为cookie的标头.有没有办法摆脱访问令牌?

The following does contain a header called cookie. Is there a way of getting the access token out of that?

  var h = _httpContextAccessor.HttpContext.Request.Headers.ToList();

如何找到当前经过身份验证的用户的访问令牌?使用隐式登录.

How can i find an access token for the current authenticated user? Using Implicit login.

关于混合登录与隐式登录的说明:由于此处发布的问题，我无法使用混合登录身份验证限制较大的标头大小由于我无法找到解决该问题的方法，建议将其切换为隐式登录，而不是混合登录.隐性似乎并没有创造出混合动力所能做出的巨大烹饪.

Note on Hybrid vs implicit login: I cant use hybrid login due to the issue posted here Authentication limit extensive header size As i have not been able to find a solution to that problem a suggestion was to switch to an implicit login rather than hybrid. Implicit does not appear to create the giant cooking the hybrid did.

我一直遵循此步骤来创建隐式客户端入门与Identityserver 4

I have been following this to create the implicit client Getting started with Identityserver 4

推荐答案

默认情况下，OpenID Connect中间件

By default the OpenID Connect middleware only requests an identity token (a response_type of id_token).

您首先需要使用以下内容更新OpenIdConnectOptions:

You'll need to first update your OpenIdConnectOptions with the following:

options.ResponseType = "id_token token";

然后您可以使用以下方法将令牌保存到Cookie中:

You can then save the tokens to your cookie using:

options.SaveTokens = true;

最后，您可以使用以下命令访问令牌:

And then finally, you can access the token using:

await HttpContext.GetTokenAsync("access_token");

请注意，使用隐式流时，还需要在IdentityServer客户端配置中设置AllowAccessTokensViaBrowser标志.

Note that you will also need to set the AllowAccessTokensViaBrowser flag in your IdentityServer client configuration when using the implicit flow.

这篇关于用户已通过身份验证，但访问令牌在哪里?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！