版本4.0.0的文档中的示例中的Identity Server无效范围 [英] Identity Server invalid scope in example from the documentation with version 4.0.0
问题描述
我正在使用IdentityServer4,请按照以下文档进行操作 https://identityserver4.readthedocs.io/en/latest/quickstarts/1_client_credentials. html
I'm using IdentityServer4, following the documentation at https://identityserver4.readthedocs.io/en/latest/quickstarts/1_client_credentials.html
但是在使用客户端凭据请求令牌时,使用IdentityModel
的客户端出现了invalid_scope
错误.
But I am getting an invalid_scope
error in the client that uses IdentityModel
when requesting a token with client credentials.
我可能错过了一些步骤,但是我已经对其进行了数次审核.
It's possible I missed some step, but I've reviewed it several times.
奇怪的是,身份服务器端点显示以下日志:
The strange thing is that the identity server endpoint shows the following logs:
Invalid scopes requested, {"ClientId": "client", "ClientName": null, "GrantType": "client_credentials", "Scopes": null, "AuthorizationCode": null, "RefreshToken": null, "UserName": null, "AuthenticationContextReferenceClasses": null, "Tenant": null, "IdP": null, "Raw": {"grant_type": "client_credentials", "scope": "api1", "client_id": "client", "client_secret": "***REDACTED***"}, "$type": "TokenRequestValidationLog"}
Scopes
是null
,后来在scope
上具有api1
值,这并不奇怪吗?
Isn't strange that Scopes
is null
and later on scope
has the api1
value?
我正在使用内存中的值.
I am using in memory values.
public static class Config
{
public static IEnumerable<IdentityResource> Ids =>
new IdentityResource[]
{
new IdentityResources.OpenId()
};
public static IEnumerable<ApiResource> Apis =>
new List<ApiResource>
{
new ApiResource("api1", "My Api")
};
public static IEnumerable<Client> Clients =>
new List<Client>
{
new Client
{
ClientId = "client",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedScopes = { "api1" }
}
};
}
和
public void ConfigureServices(IServiceCollection services)
{
// uncomment, if you want to add an MVC-based UI
//services.AddControllersWithViews();
var builder =
services
.AddIdentityServer()
.AddInMemoryApiResources(Config.Apis)
.AddInMemoryClients(Config.Clients)
.AddInMemoryIdentityResources(Config.Ids);
// not recommended for production - you need to store your key material somewhere secure
builder.AddDeveloperSigningCredential();
}
public void Configure(IApplicationBuilder app)
{
if (Environment.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
// uncomment if you want to add MVC
//app.UseStaticFiles();
//app.UseRouting();
app.UseIdentityServer();
// uncomment, if you want to add MVC
//app.UseAuthorization();
//app.UseEndpoints(endpoints =>
//{
// endpoints.MapDefaultControllerRoute();
//});
}
我可以看到众所周知的配置,尽管它没有提到api1作为受支持的作用域.
I can see the well known configuration, although it does not mention api1 as supported scopes.
这是客户
var client = new HttpClient();
var discovery =
await client.GetDiscoveryDocumentAsync("https://localhost:5001");
if (discovery.IsError)
{
await Console.Out.WriteLineAsync("Discovery error");
return;
}
// request token
var clientCredentialsTokenRequest =
new ClientCredentialsTokenRequest
{
Address = discovery.TokenEndpoint,
ClientId = "client",
ClientSecret = "secret",
Scope = "api1"
};
var tokenResponse =
await client.RequestClientCredentialsTokenAsync(clientCredentialsTokenRequest);
我还缺少其他一些东西来进行最基本的样本工作吗?
Am I missing any additional thing to have the most basic sample work?
更新1:
好的,我已经将Identity Server降级到3.1.3,它可以按原样工作. 对于Identity Server 4.0.0版本,必须进行某些更改.将在那里进行调查.
Ok, I have downgraded Identity Server to 3.1.3 and it works as it is. For the version Identity Server 4.0.0 something must have changed. Will investigate there.
推荐答案
找到了问题指出了我正确的方向.通过用ApiScopes替换ApiResources来解决此问题:
Found an issue that pointed me in the right direction. Fixed it by replacing ApiResources with ApiScopes:
public static IEnumerable<ApiScope> Apis =>
new List<ApiScope>
{
new ApiScope("api1", "My Api")
};
和
var builder =
services
.AddIdentityServer()
.AddInMemoryApiScopes(Config.Apis)
//.AddInMemoryApiResources(Config.Apis) //OLD?
.AddInMemoryClients(Config.Clients)
.AddInMemoryIdentityResources(Config.Ids);
我认为文档尚未更新.
尝试访问受保护的Api时,我仍然会受到未授权的攻击,但这是另外一回事.
I'm still getting an unauthorized when trying to access the protected Api, but that is something else.
这篇关于版本4.0.0的文档中的示例中的Identity Server无效范围的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!