ASOS - Token validation is not working when having separate authorization server and the resource server

Views: 60

Question


I'm trying to implement the OpenID Connect server (resource owner password credentials grant) with ASOS by this post. Everything works fine when I have both Authorization server and resource server in one app. But when I split them on two apps (but on one machine) resource server fails to validate token and returns "The access token is not valid".


I downloaded the source code of AspNet.Security.OAuth.Validation to investigate the issue and it returns null here


Here are some logs from Authorization Server:

    info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
          Request starting HTTP/1.1 POST http://localhost:5000/connect/token application/x-www-form-urlencoded; charset=UTF-8 77
    info: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          The token request was successfully extracted from the HTTP request: {
            "grant_type": "password",
            "username": "UserLogin",
            "password": "[removed for security reasons]",
            "scope": "offline_access"
          }.
    info: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          The token request was successfully validated.
    trce: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          A sign-in operation was triggered: sub: 123, username: UserLogin ; [.scopes, ["email","profile","offline_access"]], [.resources, ["resource_server"]].
    dbug: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[37]
          Reading data from file 'C:\Users\User1\AppData\Local\ASP.NET\DataProtection-Keys\key-********-****-****-****-64bb57db1c3b.xml'.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[18]
          Found key {********-****-****-****-64bb57db1c3b}.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[13]
          Considering key {********-****-****-****-64bb57db1c3b} with expiration date 2017-09-27 16:44:49Z as default key.
    dbug: Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlDecryptor[51]
          Decrypting secret element using Windows DPAPI.
    dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor[4]
          Opening CNG algorithm 'AES' from provider '(null)' with chaining mode CBC.
    dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor[3]
          Opening CNG algorithm 'SHA256' from provider '(null)' with HMAC.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider[2]
          Using key {********-****-****-****-64bb57db1c3b} as the default key.
    trce: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector[31]
          Performing protect operation to key {********-****-****-****-64bb57db1c3b} with purposes ('C:\Users\User1\documents\visual studio 2017\Projects\OpenIdDictSample\Aka.OpenIdConnectServer', 'OpenIdConnectServerHandler', 'AccessTokenFormat', 'ASOS').
    trce: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          A new access token was successfully generated using the specified data format: CfDJ8NSKICBGwihOm75ku1fbHDtG4usEbfF-mLGaJcGGFEPQJLb36rfHqCTJ3Clu_SCBRHlaZ_B7s3pxNfUqS9fPfjtjjEH1KKmkiV6gvakRYf0Iof32BVddUUPgd7sEDrB0fET91pIDJT9WwsPx653viw5tFyvrztsSD5CYAOQZjm1werRcVPuvwRhXUQb_9Vbba52tqj8y7WbOjk78Hl17knbwSz4C70vwlRU5pL_Bp41R4vEEKwtm_VMQ_u1kSBKM5KjOh6OKdbDJ9jOhyh4RpNbvGN25ZskzByi8ndKRW3dmajWYyf-0cj6-4MEE5Hocd47te8C-haYIxEUb7tcQ-JTItknIiE1sk6W7zHlhLg3nprE2Ct4mvKi11G7Kvd1W4u-UmEvL1NesjVFNKpNJVdEaK2I8mcNzJLU69ZnM4poRrLqEqD__cHa8nCFgPtE9L0Jyo6IyFwc7NZ2sXz7y7lPfJ9Q3Pu1W_t0lOGBte5uKHfJZpiOYaqKrAwdJSpULLK52iKoCNhRYxOSdq__DNJs ; sub: 123, username: UserLogin ; [.scopes, ["email","profile","offline_access"]], [.resources, ["resource_server"]], [.issued, Fri, 30 Jun 2017 09:13:29 GMT], [.expires, Fri, 30 Jun 2017 10:13:29 GMT], [.token_id, e27cbb46-d1ea-4576-8803-dddc001b3fc8], [.audiences, ["resource_server"]].
    trce: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector[31]
          Performing protect operation to key {********-****-****-****-64bb57db1c3b} with purposes ('C:\Users\User1\documents\visual studio 2017\Projects\OpenIdDictSample\Aka.OpenIdConnectServer', 'OpenIdConnectServerHandler', 'RefreshTokenFormat', 'ASOS').
    trce: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          A new refresh token was successfully generated using the specified data format: CfDJ8NSKICBGwihOm75ku1fbHDtcKlYz_IbJiNmiW_tfu19E7p5BIO9xE0b2qu8mYWw-zD7wCWB1F5Fx548L4FARrsJwlJls1AkK2GrqXjV0krH6me_btsSAxM9trrFCUL2ZrXkm2sStZ6DUcbf_cSNFh-YxXft-gbLGV11THAINTb8K9-v_fkeXq7aN8Qgu7zJfhON1ehflLwZ-DXZwW_S9assqx8f7oe-n5gTzOO6PjEyO5g0YMJ1SY7X-sMO1MKjn03vZxPB0ecT0l8NXB89vGhW7kZnoEaL1NwmSTiEOYMatwrkURPBgb2YLnpiu7sYAD04HxsicoLaQTDbc8ZJyWUJ7guLl6Mp2HLhZG_wLQM9REC_QeZX8eDn8aqSOiGKZeLF4G7A5y369VIZ0RPASdTpEsAHSE8ws0RB18jap-75bM_aAi3w3-PlfnY7ySnDYm3xkF1ImyBcph2XF6R8-imdAXhQG-tTAYd2FKw4msaWCPcnX5CxYlo-alVYpd878haDvo43fCvbd2_Dc2O1wI98 ; sub: 123, username: UserLogin ; [.scopes, ["email","profile","offline_access"]], [.resources, ["resource_server"]], [.issued, Fri, 30 Jun 2017 09:13:29 GMT], [.expires, Fri, 14 Jul 2017 09:13:29 GMT], [.token_id, c0cf40ad-cd47-4c82-9e37-6943cda95ffc].
    info: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          The token response was successfully returned: {
            "resource": "resource_server",
            "scope": "email profile offline_access",
            "token_type": "Bearer",
            "access_token": "[removed for security reasons]",
            "expires_in": 3600,
            "refresh_token": "[removed for security reasons]"
          }.


Here are some logs from Resource Server:

    info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
          Request starting HTTP/1.1 GET http://localhost:5001/api/values
    trce: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector[5]
          Performing unprotect operation to key {********-****-****-****-64bb57db1c3b} with purposes ('C:\Users\User1\documents\visual studio 2017\Projects\OpenIdDictSample\Aka.WebApi', 'OpenIdConnectServerHandler', 'AccessTokenFormat', 'ASOS').
    dbug: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[37]
          Reading data from file 'C:\Users\User1\AppData\Local\ASP.NET\DataProtection-Keys\key-********-****-****-****-64bb57db1c3b.xml'.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[18]
          Found key {********-****-****-****-64bb57db1c3b}.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[13]
          Considering key {********-****-****-****-64bb57db1c3b} with expiration date 2017-09-27 16:44:49Z as default key.
    dbug: Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlDecryptor[51]
          Decrypting secret element using Windows DPAPI.
    dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor[4]
          Opening CNG algorithm 'AES' from provider '(null)' with chaining mode CBC.
    dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor[3]
          Opening CNG algorithm 'SHA256' from provider '(null)' with HMAC.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider[2]
          Using key {********-****-****-****-64bb57db1c3b} as the default key.
    info: AspNet.Security.OAuth.Validation.OAuthValidationMiddleware[7]
          Bearer was not authenticated. Failure message: Authentication failed because the access token was invalid.


1) What is wrong with my resource server?


2) How to configure the resource server on different machine (especially token signing/checking and encryption/decryption)?

Answer


How to configure the resource server on different machine (especially token signing/checking and encryption/decryption)?


You need to make sure the key ring (containing the master keys that are derived by ASP.NET Core Data Protection to create encryption and validation keys) is correctly synchronized and shared by both your authorization server and your resource server(s). The procedure is described here: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview.


Here's an example of how it could be done using a shared folder:

    // Requires: using System.IO; using Microsoft.AspNetCore.DataProtection;
    public void ConfigureServices(IServiceCollection services)
    {
        // Persist the key ring to a folder both applications can read.
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"));
    }


You'll also need to configure the two applications to use the same "application discriminator":

    // Requires: using System.IO; using Microsoft.AspNetCore.DataProtection;
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"))
            // Same name in BOTH apps, so both derive the same purpose-bound subkeys.
            .SetApplicationName("Your application name");
    }
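The logs in the question show why the application discriminator matters: both apps find the same key {********-****-****-****-64bb57db1c3b}, but the authorization server protects with purposes starting with '...\Aka.OpenIdConnectServer' while the resource server unprotects with purposes starting with '...\Aka.WebApi'. The default discriminator is each app's content root path, so the two apps derive different subkeys from the same master key and the unprotect operation fails. The logs also show "Decrypting secret element using Windows DPAPI": DPAPI-protected keys are bound to one machine (and user), so once the resource server moves to a different machine the key ring must be protected at rest with something both hosts hold, such as a certificate. The following is an added example (not code from the question, the answer, or the ASOS project) of one shared helper that both Startup classes call; the extension method name, the application name, the UNC path and the certificate thumbprint placeholder are assumptions, and it assumes an ASP.NET Core version where ProtectKeysWithCertificate(X509Certificate2) is available:

```csharp
// Added example: shared Data Protection configuration for the authorization
// server and the resource server. Both apps call AddSharedDataProtection from
// ConfigureServices with the same arguments.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public static class SharedDataProtection
{
    // Constructed value. It must be identical in both apps: it replaces the
    // per-app content root path as the first element of the purposes tuple,
    // which is what differs between the two log excerpts above.
    public const string ApplicationName = "aka-openidconnect";

    public static IServiceCollection AddSharedDataProtection(
        this IServiceCollection services, string keyRingPath, string certificateThumbprint)
    {
        var builder = services.AddDataProtection()
            .SetApplicationName(ApplicationName)
            // Key ring on a share reachable by both machines.
            .PersistKeysToFileSystem(new DirectoryInfo(keyRingPath));

        // DPAPI (seen in the logs) cannot decrypt the key ring on a second
        // machine, so encrypt the persisted keys with a certificate whose
        // private key is installed on every host that must read the ring.
        builder.ProtectKeysWithCertificate(FindCertificate(certificateThumbprint));
        return services;
    }

    private static X509Certificate2 FindCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
            {
                // Fail closed: without the certificate neither app can use the shared ring.
                throw new InvalidOperationException(
                    "Data Protection certificate not found in LocalMachine\\My: " + thumbprint);
            }
            return matches[0];
        }
    }
}

// In each app's Startup (hypothetical placeholder values):
// public void ConfigureServices(IServiceCollection services)
// {
//     services.AddSharedDataProtection(@"\\server\share\directory\", "THUMBPRINT-PLACEHOLDER");
// }
```

After both apps use this, the "Performing unprotect operation ... with purposes (...)" trace on the resource server should list the shared application name as its first purpose, matching the protect trace on the authorization server; if the first purposes still differ, the discriminator is not being applied on one side. Restrict the share's ACL to the two service accounts, since anyone who can read the key ring and the certificate's private key can mint valid access tokens.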
