IdentityServer4 PKCE错误:“转换后的代码验证程序与代码质询不匹配". [英] IdentityServer4 PKCE error: "Transformed code verifier does not match code challenge"
问题描述
我无法获得IdentityServer4 PKCE授权才能使用邮递员工作.
I cannot get IdentityServer4 PKCE authorization to work using Postman.
使用在线工具创建必要的部分:
Using online tools I create the necessary parts:
选择一个随机字符串:
1234567890
1234567890
获取其SHA-256哈希值:
Get its SHA-256 hash:
c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646
c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646
Base64对哈希进行编码以获得代码挑战:
Base64 encode the hash to get the code challenge:
Yzc3NWU3Yjc1N2VkZTYzMGNkMGFhMTExM2JkMTAyNjYxYWIzODgyOWNhNTJhNjQyMmFiNzgyODYyZjI2ODY0Ng ==
Yzc3NWU3Yjc1N2VkZTYzMGNkMGFhMTExM2JkMTAyNjYxYWIzODgyOWNhNTJhNjQyMmFiNzgyODYyZjI2ODY0Ng==
在浏览器中,我导航到以下URL,填写凭据,然后从分散的重定向URL中检索代码.
In the browser I navigate to the following URL, fill in my credentials and retrieve the code from the fragmented redirect URL.
GET https://localhost:5000/connect/authorize
?client_id=pkceclient
&scope=openid
&response_type=code
&redirect_uri=https://jwt.ms
&state=abc
&nonce=xyz
&code_challenge=Yzc3NWU3Yjc1N2VkZTYzMGNkMGFhMTExM2JkMTAyNjYxYWIzODgyOWNhNTJhNjQyMmFiNzgyODYyZjI2ODY0Ng==
&code_challenge_method=S256
在兑换令牌代码时,我通过了code_verifier(SHA-256哈希),但是我的IdentityServer记录以下错误:
When redeeming the code for a token I pass the code_verifier (SHA-256 hash) but my IdentityServer logs the following error:
转换后的代码验证程序与代码挑战不匹配".
"Transformed code verifier does not match code challenge".
POST https://localhost:5000/connect/token
client_id=pkceclient
grant_type=authorization_code
code:-CesrmjPYjdLdDd5AviOZpR6GdjjkZia_ZapoJdGUZI
redirect_uri=https://jwt.ms
code_verifier=c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646
在他的博客文章中,作者使用以下代码生成零件.
In his blog post, the author uses the following code to generate the parts.
var verifier = CryptoRandom.CreateRandomKeyString(64);
var challenge = verifier.ToCodeChallenge();
但是我无法在存储库中找到ToCodeChallenge
方法的代码.
but I cannot find the code in the repositories for the ToCodeChallenge
method.
为什么我手动生成的挑战与验证过程中使用的挑战不匹配,我丢失了什么?
Why doesn't my manually generated challenge match the one used in the verification process, what am I missing?
推荐答案
在将这个问题放在一起时,我遇到了规范 PKCE文件,并找到以下行:
While putting this question together I came across the specification document for PKCE and found the following line:
code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
事实证明,我使用的在线工具未执行ASCII部分.
It turns out the ASCII part is not carried out by the online tools that I used.
执行代码中的步骤,得到以下内容,当替换之前的值时,将在过程的第二步中通过验证.
Implementing the steps in code I get the following which, when substituting the values from before, passes the verification in the second step of the process.
var codeVerifier = "c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646";
var codeVerifierBytes = Encoding.ASCII.GetBytes(codeVerifier);
var hashedBytes = codeVerifierBytes.Sha256();
var transformedCodeVerifier = Base64Url.Encode(hashedBytes);
code_challenge:51FaJvQFsiNdiFWIq2EMWUKeAqD47dqU_cHzJpfHl-Q
code_challenge: 51FaJvQFsiNdiFWIq2EMWUKeAqD47dqU_cHzJpfHl-Q
code_verifier:c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646
code_verifier: c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646
这篇关于IdentityServer4 PKCE错误:“转换后的代码验证程序与代码质询不匹配".的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!