API Identity Server 4 授权不断返回 401 Unauthorized
API Authorization with Identity Server 4 keeps returning 401 Unauthorized
我正在使用 Identity Server 4 .Net Core 3,如果我在启动时使用标准配置,我的 API 端点不会验证访问令牌,我一直收到 401 Unauthorized,但是当我在中设置身份验证方案时具有授权 属性 的控制器,我可以使用相同的令牌成功访问我的端点...
[Route("api/[controller]")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[ApiController]
public class MyWebAPiControllerController : ControllerBase
{
.......
这是我的身份服务器配置:
//API resource
public IEnumerable<ApiResource> Apis()
{
var resources = new List<ApiResource>();
resources.Add(new ApiResource("identity", "My API", new[] { JwtClaimTypes.Subject, JwtClaimTypes.Email, JwtClaimTypes.Role, JwtClaimTypes.Profile }));
return resources;
}
我的客户端配置:
public IEnumerable<Client> Clients()
{
var Clients = new List<Client>();
Clients.Add(new Client
{
ClientId = "client",
ClientSecrets = { new Secret(_securityConfig.Secret.Sha256()) },
AllowedGrantTypes = GrantTypes.ClientCredentials,
// scopes that client has access to
AllowedScopes = { "identity" }
});
Clients.Add(new Client
{
ClientId = "mvc",
ClientName = "MVC Client",
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
//RequirePkce = true,
ClientSecrets = { new Secret(_securityConfig.Secret.Sha256()) },
RequireConsent = false,
RedirectUris = _securityConfig.RedirectURIs,
FrontChannelLogoutUri = _securityConfig.SignoutUris,
PostLogoutRedirectUris = _securityConfig.PostLogoutUris,
AllowOfflineAccess = true,
AllowAccessTokensViaBrowser = true,
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
IdentityServerConstants.StandardScopes.OfflineAccess,
"identity"
}
});
return Clients;
}
我的API配置
services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.Authority = _securityConfig.Authority;
options.RequireHttpsMetadata = false;
options.Audience = "identity";
});
最后是我的网络应用程序、OIDC 配置以及我如何获取访问令牌:
services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = "oidc";
}).AddCookie(options =>
{
options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
options.Cookie.Name = "identity_cookie";
})
.AddOpenIdConnect("oidc", options =>
{
options.Events = new OpenIdConnectEvents
{
OnUserInformationReceived = async ctx =>
{
//Get Token here and assign to Cookie for use in Jquery
ctx.HttpContext.Response.Cookies.Append("bearer_config", ctx.ProtocolMessage.AccessToken);
}
};
options.Authority = _securityConfig.Authority;
options.RequireHttpsMetadata = false;
options.ClientId = "mvc";
options.ClientSecret = _securityConfig.Secret;
options.ResponseType = "code id_token";
options.SaveTokens = true;
options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("email");
options.Scope.Add("identity");
options.Scope.Add("offline_access");
options.ClaimActions.MapAllExcept("iss", "nbf", "exp", "aud", "nonce", "iat", "c_hash");
options.GetClaimsFromUserInfoEndpoint = true;
//options.SaveTokens = true;
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = JwtClaimTypes.Name,
RoleClaimType = JwtClaimTypes.Role,
};
});
关于为什么我总是收到 401 未经授权的任何想法?
根据所描述的行为,我认为这可能与中间件配置有关,更具体地说是中间件的顺序。但我不能确定,因为 Startup.Configure 在问题中不可用。
幸运的是,Jacques 可以确认问题确实出在订单上。如评论中所述:
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthorization();
app.UseAuthentication();
这里的问题是用户先授权(UseAuthorization),再认证(UseAuthentication)。因此,用户永远无法获得授权,因为此时它是未知的(匿名的)。但稍后,当属性被验证时,用户是已知的。所以这就解释了为什么它有效。
为了解决这个问题,语句必须转换。先对用户进行身份验证(识别用户,用户是谁?)然后对用户进行授权:
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
顺序在documentation中描述。
我正在使用 Identity Server 4 .Net Core 3,如果我在启动时使用标准配置,我的 API 端点不会验证访问令牌,我一直收到 401 Unauthorized,但是当我在中设置身份验证方案时具有授权 属性 的控制器,我可以使用相同的令牌成功访问我的端点...
[Route("api/[controller]")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[ApiController]
public class MyWebAPiControllerController : ControllerBase
{
.......
这是我的身份服务器配置:
//API resource
public IEnumerable<ApiResource> Apis()
{
var resources = new List<ApiResource>();
resources.Add(new ApiResource("identity", "My API", new[] { JwtClaimTypes.Subject, JwtClaimTypes.Email, JwtClaimTypes.Role, JwtClaimTypes.Profile }));
return resources;
}
我的客户端配置:
public IEnumerable<Client> Clients()
{
var Clients = new List<Client>();
Clients.Add(new Client
{
ClientId = "client",
ClientSecrets = { new Secret(_securityConfig.Secret.Sha256()) },
AllowedGrantTypes = GrantTypes.ClientCredentials,
// scopes that client has access to
AllowedScopes = { "identity" }
});
Clients.Add(new Client
{
ClientId = "mvc",
ClientName = "MVC Client",
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
//RequirePkce = true,
ClientSecrets = { new Secret(_securityConfig.Secret.Sha256()) },
RequireConsent = false,
RedirectUris = _securityConfig.RedirectURIs,
FrontChannelLogoutUri = _securityConfig.SignoutUris,
PostLogoutRedirectUris = _securityConfig.PostLogoutUris,
AllowOfflineAccess = true,
AllowAccessTokensViaBrowser = true,
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
IdentityServerConstants.StandardScopes.OfflineAccess,
"identity"
}
});
return Clients;
}
我的API配置
services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.Authority = _securityConfig.Authority;
options.RequireHttpsMetadata = false;
options.Audience = "identity";
});
最后是我的网络应用程序、OIDC 配置以及我如何获取访问令牌:
services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = "oidc";
}).AddCookie(options =>
{
options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
options.Cookie.Name = "identity_cookie";
})
.AddOpenIdConnect("oidc", options =>
{
options.Events = new OpenIdConnectEvents
{
OnUserInformationReceived = async ctx =>
{
//Get Token here and assign to Cookie for use in Jquery
ctx.HttpContext.Response.Cookies.Append("bearer_config", ctx.ProtocolMessage.AccessToken);
}
};
options.Authority = _securityConfig.Authority;
options.RequireHttpsMetadata = false;
options.ClientId = "mvc";
options.ClientSecret = _securityConfig.Secret;
options.ResponseType = "code id_token";
options.SaveTokens = true;
options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("email");
options.Scope.Add("identity");
options.Scope.Add("offline_access");
options.ClaimActions.MapAllExcept("iss", "nbf", "exp", "aud", "nonce", "iat", "c_hash");
options.GetClaimsFromUserInfoEndpoint = true;
//options.SaveTokens = true;
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = JwtClaimTypes.Name,
RoleClaimType = JwtClaimTypes.Role,
};
});
关于为什么我总是收到 401 未经授权的任何想法?
根据所描述的行为,我认为这可能与中间件配置有关,更具体地说是中间件的顺序。但我不能确定,因为 Startup.Configure 在问题中不可用。
幸运的是,Jacques 可以确认问题确实出在订单上。如评论中所述:
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthorization();
app.UseAuthentication();
这里的问题是用户先授权(UseAuthorization),再认证(UseAuthentication)。因此,用户永远无法获得授权,因为此时它是未知的(匿名的)。但稍后,当属性被验证时,用户是已知的。所以这就解释了为什么它有效。
为了解决这个问题,语句必须转换。先对用户进行身份验证(识别用户,用户是谁?)然后对用户进行授权:
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
顺序在documentation中描述。