IdentityServer4 PKCE error: "Transformed code verifier does not match code challenge"


Problem description

I cannot get IdentityServer4 PKCE authorization to work using Postman.

Using online tools I create the necessary parts:

Choose a random string:

1234567890

Get its SHA-256 hash:

c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646

Base64 encode the hash to get the code challenge:

Yzc3NWU3Yjc1N2VkZTYzMGNkMGFhMTExM2JkMTAyNjYxYWIzODgyOWNhNTJhNjQyMmFiNzgyODYyZjI2ODY0Ng==

In the browser I navigate to the following URL, fill in my credentials and retrieve the code from the fragmented redirect URL.

GET https://localhost:5000/connect/authorize
?client_id=pkceclient
&scope=openid
&response_type=code
&redirect_uri=https://jwt.ms
&state=abc
&nonce=xyz  
&code_challenge=Yzc3NWU3Yjc1N2VkZTYzMGNkMGFhMTExM2JkMTAyNjYxYWIzODgyOWNhNTJhNjQyMmFiNzgyODYyZjI2ODY0Ng==
&code_challenge_method=S256

When redeeming the code for a token I pass the code_verifier (SHA-256 hash) but my IdentityServer logs the following error:

"Transformed code verifier does not match code challenge".

POST https://localhost:5000/connect/token
client_id=pkceclient
grant_type=authorization_code
code:-CesrmjPYjdLdDd5AviOZpR6GdjjkZia_ZapoJdGUZI
redirect_uri=https://jwt.ms
code_verifier=c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646

In his blog post, the author uses the following code to generate the parts.

var verifier = CryptoRandom.CreateRandomKeyString(64);
var challenge = verifier.ToCodeChallenge();

but I cannot find the code in the repositories for the ToCodeChallenge method.

Why doesn't my manually generated challenge match the one used in the verification process, what am I missing?

Recommended answer

While putting this question together I came across the specification document for PKCE and found the following line:

code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))

It turns out the ASCII part is not carried out by the online tools that I used.

Implementing the steps in code I get the following which, when substituting the values from before, passes the verification in the second step of the process.

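// ASCII(code_verifier): the verifier string exactly as it is sent to the token endpoint
var codeVerifier = "c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646";
var codeVerifierBytes = Encoding.ASCII.GetBytes(codeVerifier);
// SHA256(...): hash the raw bytes
var hashedBytes = codeVerifierBytes.Sha256();
// BASE64URL-ENCODE(...): base64url over the hash bytes, giving the code_challenge
var transformedCodeVerifier = Base64Url.Encode(hashedBytes);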

code_challenge: 51FaJvQFsiNdiFWIq2EMWUKeAqD47dqU_cHzJpfHl-Q

code_verifier: c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646
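
The mismatch described in the question, reproduced next to the RFC 7636 S256 transform, as an added Python example (not code from the original post or from IdentityServer4). The function names are assumptions, and `verify` is a sketch of the token-endpoint check that also applies the RFC's 43-128 character rule for the verifier.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def new_code_verifier() -> str:
    """32 random bytes, base64url-encoded without padding (43 characters)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()  # raw 32 bytes
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def hex_then_base64(code_verifier: str) -> str:
    """The mistake from the question: standard base64 over the hex text of the hash."""
    hex_text = hashlib.sha256(code_verifier.encode("ascii")).hexdigest()
    return base64.b64encode(hex_text.encode("ascii")).decode("ascii")


def verify(code_verifier: str, stored_challenge: str) -> bool:
    """Token-endpoint check: transform the verifier, compare in constant time."""
    if not VERIFIER_RE.fullmatch(code_verifier):
        return False
    expected = s256_challenge(code_verifier).encode("ascii")
    return hmac.compare_digest(expected, stored_challenge.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: the random string chosen in the question.
    print("hex-then-base64 :", hex_then_base64("1234567890"))
    print("RFC 7636 S256   :", s256_challenge("1234567890"))
    v = new_code_verifier()
    print("round trip ok   :", verify(v, s256_challenge(v)))
    print("mistake accepted:", verify(v, hex_then_base64(v)))
```
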
