版本4.0.0的文档中的示例中的Identity Server无效范围 [英] Identity Server invalid scope in example from the documentation with version 4.0.0

问题描述

我正在使用IdentityServer4，请按照以下文档进行操作 https://identityserver4.readthedocs.io/en/latest/quickstarts/1_client_credentials. html

I'm using IdentityServer4, following the documentation at https://identityserver4.readthedocs.io/en/latest/quickstarts/1_client_credentials.html

但是在使用客户端凭据请求令牌时，使用IdentityModel的客户端出现了invalid_scope错误.

But I am getting an invalid_scope error in the client that uses IdentityModel when requesting a token with client credentials.

我可能错过了一些步骤，但是我已经对其进行了数次审核.

It's possible I missed some step, but I've reviewed it several times.

奇怪的是，身份服务器端点显示以下日志:

The strange thing is that the identity server endpoint shows the following logs:

Invalid scopes requested, {"ClientId": "client", "ClientName": null, "GrantType": "client_credentials", "Scopes": null, "AuthorizationCode": null, "RefreshToken": null, "UserName": null, "AuthenticationContextReferenceClasses": null, "Tenant": null, "IdP": null, "Raw": {"grant_type": "client_credentials", "scope": "api1", "client_id": "client", "client_secret": "***REDACTED***"}, "$type": "TokenRequestValidationLog"}

Scopes是null，后来在scope上具有api1值，这并不奇怪吗?

Isn't strange that Scopes is null and later on scope has the api1 value?

我正在使用内存中的值.

I am using in memory values.

public static class Config
{
    public static IEnumerable<IdentityResource> Ids =>
        new IdentityResource[]
        { 
            new IdentityResources.OpenId()
        };

    public static IEnumerable<ApiResource> Apis =>
        new List<ApiResource>
        {
            new ApiResource("api1", "My Api")
        };
    
    public static IEnumerable<Client> Clients =>
        new List<Client>
        {
            new Client
            {
                ClientId = "client",
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                ClientSecrets =
                {
                    new Secret("secret".Sha256())
                },
                AllowedScopes = { "api1" }
            }
        };
    
}

和

public void ConfigureServices(IServiceCollection services)
{
    // uncomment, if you want to add an MVC-based UI
    //services.AddControllersWithViews();

    var builder =
        services
            .AddIdentityServer()
            .AddInMemoryApiResources(Config.Apis)
            .AddInMemoryClients(Config.Clients)
            .AddInMemoryIdentityResources(Config.Ids);

    // not recommended for production - you need to store your key material somewhere secure
    builder.AddDeveloperSigningCredential();
}

public void Configure(IApplicationBuilder app)
{
    if (Environment.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    // uncomment if you want to add MVC
    //app.UseStaticFiles();
    //app.UseRouting();

    app.UseIdentityServer();

    // uncomment, if you want to add MVC
    //app.UseAuthorization();
    //app.UseEndpoints(endpoints =>
    //{
    //    endpoints.MapDefaultControllerRoute();
    //});
}

我可以看到众所周知的配置，尽管它没有提到api1作为受支持的作用域.

I can see the well known configuration, although it does not mention api1 as supported scopes.

这是客户

var client = new HttpClient();
var discovery = 
    await client.GetDiscoveryDocumentAsync("https://localhost:5001");
if (discovery.IsError)
{
    await Console.Out.WriteLineAsync("Discovery error");
    return;
}

// request token
var clientCredentialsTokenRequest =
    new ClientCredentialsTokenRequest
    {
        Address = discovery.TokenEndpoint,
        ClientId = "client",
        ClientSecret = "secret",
        Scope = "api1"
    };

var tokenResponse = 
    await client.RequestClientCredentialsTokenAsync(clientCredentialsTokenRequest);

我还缺少其他一些东西来进行最基本的样本工作吗?

Am I missing any additional thing to have the most basic sample work?

更新1:

好的，我已经将Identity Server降级到3.1.3，它可以按原样工作. 对于Identity Server 4.0.0版本，必须进行某些更改.将在那里进行调查.

Ok, I have downgraded Identity Server to 3.1.3 and it works as it is. For the version Identity Server 4.0.0 something must have changed. Will investigate there.

推荐答案

找到了问题指出了我正确的方向.通过用ApiScopes替换ApiResources来解决此问题:

Found an issue that pointed me in the right direction. Fixed it by replacing ApiResources with ApiScopes:

public static IEnumerable<ApiScope> Apis =>
    new List<ApiScope>
    {
        new ApiScope("api1", "My Api")
    };

和

var builder =
    services
        .AddIdentityServer()
        .AddInMemoryApiScopes(Config.Apis)
        //.AddInMemoryApiResources(Config.Apis) //OLD?
        .AddInMemoryClients(Config.Clients)
        .AddInMemoryIdentityResources(Config.Ids);

我认为文档尚未更新.

尝试访问受保护的Api时，我仍然会受到未授权的攻击，但这是另外一回事.

I'm still getting an unauthorized when trying to access the protected Api, but that is something else.

这篇关于版本4.0.0的文档中的示例中的Identity Server无效范围的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！