配置 ASP.Net 核心以使用 OIDC 针对 Thinktecture V2 进行身份验证
Configuring ASP.Net Core to authenticate using OIDC against Thinktecture V2
我正在尝试获取一个 ASP.Net 核心,以使用 OpenID Connect 对 Thinktecture V2 进行身份验证(我们目前需要 WS-Trust,因此无法升级)。
我的配置如下
app.UseCookieAuthentication(new CookieAuthenticationOptions());
X509Store certStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
certStore.Open(OpenFlags.ReadOnly);
var cert = certStore.Certificates.Find(X509FindType.FindByThumbprint, "CertThumbprint", false);
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
RequireHttpsMetadata = false,
ClientId = _config["OpenID:ClientId"],
ClientSecret = _config["OpenID:ClientSecret"],
Authority = _config["OpenID:Authority"],
ResponseType = OpenIdConnectResponseType.Code,
PostLogoutRedirectUri = _config["OpenID:PostLogoutRedirectUri"],
SignInScheme = "Cookies",
CallbackPath = "/signin-oidc",
TokenValidationParameters = new TokenValidationParameters()
{
IssuerSigningKey = new X509SecurityKey(cert[0]),
},
Configuration = new OpenIdConnectConfiguration
{
Issuer = "https://identityserver/IdentityServer/issue",
AuthorizationEndpoint = "https://identityserver/IdentityServer/issue/oidc/authorize",
TokenEndpoint = "https://identityserver/IdentityServer/issue/oidc/token",
UserInfoEndpoint = "https://identityserver/IdentityServer/issue/oidc/userinfo",
}
});
config.json
"OpenID": {
"ClientId": "Test",
"ClientSecret": "{6DD502AB-2AB1-4028-BD4A-85C91790EC7B}",
"Authority": "https://identityserver/IdentityServer/issue/oidc",
"PostLogoutRedirectUri": "https://localhost:44353/" }
当我尝试进行身份验证时,出现以下异常:
HttpRequestException:响应状态代码未指示成功:400(错误请求)。
来自thinktectureIdentityServer.svclog的踪迹是
如果有人能提供任何帮助,我们将不胜感激。
我已经通过处理 OnAuthorizationCodeReceivedEvent 并手动处理代码兑换解决了上述错误,我在其中添加了基本授权 header 来授权客户端。
new OpenIdConnectOptions
{
...
Events = new OpenIdConnectEvents
{
OnAuthorizationCodeReceived = async context =>
{
context.HandleCodeRedemption();
var requestMessage = new HttpRequestMessage(HttpMethod.Post, context.Options.Configuration.TokenEndpoint);
requestMessage.Content = new FormUrlEncodedContent(context.TokenEndpointRequest.Parameters);
var authString = string.Format("{0}", Convert.ToBase64String(Encoding.ASCII.GetBytes(_config["OpenID:ClientId"] + ":" + _config["OpenID:ClientSecret"])));
requestMessage.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Basic", authString);
var responseMessage = await context.Backchannel.SendAsync(requestMessage);
responseMessage.EnsureSuccessStatusCode();
var tokenResonse = await responseMessage.Content.ReadAsStringAsync();
var jsonTokenResponse = JObject.Parse(tokenResonse);
context.TokenEndpointResponse = new OpenIdConnectMessage(jsonTokenResponse);
}
}
...
});
为了最终调用检索 UserInfo,我必须更改身份服务器以在响应中包含一个与 Id 令牌中的主题相匹配的主题。这涉及更新 UserInfoController 以在 Get 方法中添加声明。
我正在尝试获取一个 ASP.Net 核心,以使用 OpenID Connect 对 Thinktecture V2 进行身份验证(我们目前需要 WS-Trust,因此无法升级)。
我的配置如下
app.UseCookieAuthentication(new CookieAuthenticationOptions());
X509Store certStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
certStore.Open(OpenFlags.ReadOnly);
var cert = certStore.Certificates.Find(X509FindType.FindByThumbprint, "CertThumbprint", false);
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
RequireHttpsMetadata = false,
ClientId = _config["OpenID:ClientId"],
ClientSecret = _config["OpenID:ClientSecret"],
Authority = _config["OpenID:Authority"],
ResponseType = OpenIdConnectResponseType.Code,
PostLogoutRedirectUri = _config["OpenID:PostLogoutRedirectUri"],
SignInScheme = "Cookies",
CallbackPath = "/signin-oidc",
TokenValidationParameters = new TokenValidationParameters()
{
IssuerSigningKey = new X509SecurityKey(cert[0]),
},
Configuration = new OpenIdConnectConfiguration
{
Issuer = "https://identityserver/IdentityServer/issue",
AuthorizationEndpoint = "https://identityserver/IdentityServer/issue/oidc/authorize",
TokenEndpoint = "https://identityserver/IdentityServer/issue/oidc/token",
UserInfoEndpoint = "https://identityserver/IdentityServer/issue/oidc/userinfo",
}
});
config.json
"OpenID": {
"ClientId": "Test",
"ClientSecret": "{6DD502AB-2AB1-4028-BD4A-85C91790EC7B}",
"Authority": "https://identityserver/IdentityServer/issue/oidc",
"PostLogoutRedirectUri": "https://localhost:44353/" }
当我尝试进行身份验证时,出现以下异常:
HttpRequestException:响应状态代码未指示成功:400(错误请求)。
来自thinktectureIdentityServer.svclog的踪迹是
如果有人能提供任何帮助,我们将不胜感激。
我已经通过处理 OnAuthorizationCodeReceivedEvent 并手动处理代码兑换解决了上述错误,我在其中添加了基本授权 header 来授权客户端。
new OpenIdConnectOptions
{
...
Events = new OpenIdConnectEvents
{
OnAuthorizationCodeReceived = async context =>
{
context.HandleCodeRedemption();
var requestMessage = new HttpRequestMessage(HttpMethod.Post, context.Options.Configuration.TokenEndpoint);
requestMessage.Content = new FormUrlEncodedContent(context.TokenEndpointRequest.Parameters);
var authString = string.Format("{0}", Convert.ToBase64String(Encoding.ASCII.GetBytes(_config["OpenID:ClientId"] + ":" + _config["OpenID:ClientSecret"])));
requestMessage.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Basic", authString);
var responseMessage = await context.Backchannel.SendAsync(requestMessage);
responseMessage.EnsureSuccessStatusCode();
var tokenResonse = await responseMessage.Content.ReadAsStringAsync();
var jsonTokenResponse = JObject.Parse(tokenResonse);
context.TokenEndpointResponse = new OpenIdConnectMessage(jsonTokenResponse);
}
}
...
});
为了最终调用检索 UserInfo,我必须更改身份服务器以在响应中包含一个与 Id 令牌中的主题相匹配的主题。这涉及更新 UserInfoController 以在 Get 方法中添加声明。