在当前主体上找到的 Identity Server 4 范围:“”
Identity Server 4 Scopes found on current principal: ""
我试图在授予 API 访问权限之前使用 Identity Server 4 对用户进行身份验证。我正在使用隐式配置,因为前端是 Ember JS 应用程序。我已经能够登录,显示同意屏幕,然后导航到 redirectUri。但是,一旦 Bearer Token 被发送到 API,我就会收到 403.
我在返回 403 之前能够在日志中找到它声明没有为当前原则指定任何范围。但是我还没有找到其他人报告同样的问题,所以我不确定我做错了什么。
如有任何帮助,我们将不胜感激。
API日志
2017-03-27 15:24:35.358 -05:00 [Information] Request starting HTTP/1.1 GET http://localhost:55026/incentives/api/categories application/json
2017-03-27 15:24:36.035 -05:00 [Information] Successfully validated the token.
2017-03-27 15:24:36.046 -05:00 [Information] HttpContext.User merged via AutomaticAuthentication from authenticationScheme: "Bearer".
2017-03-27 15:24:36.048 -05:00 [Information] AuthenticationScheme: "Bearer" was successfully authenticated.
2017-03-27 15:24:36.051 -05:00 [Information] Scopes found on current principal: ""
2017-03-27 15:24:36.053 -05:00 [Warning] Scope validation failed. Return 403
2017-03-27 15:24:36.059 -05:00 [Debug] Connection id ""0HL3L9SNQEILQ"" completed keep alive response.
2017-03-27 15:24:36.060 -05:00 [Information] Request finished in 702.0523ms 403
new Client
{
ClientName = "IncentivesClient",
ClientId = "IncentivesClient",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RedirectUris = new List<string>
{
"http://localhost:4200/authorized"
},
PostLogoutRedirectUris = new List<string>
{
"http://localhost:4200/unauthorized"
},
AllowedCorsOrigins = new List<string>
{
"http://localhost:4200"
},
AllowedScopes = new List<string>
{
StandardScopes.OpenId,
StandardScopes.Email,
StandardScopes.Profile,
"incentiveRecords",
"incentiverecordsscope",
}
}
这是API设置
IdentityServerAuthenticationOptions identityServerValidationOptions = new IdentityServerAuthenticationOptions
{
Authority = "https://localhost:44357",
RequireHttpsMetadata = true,
AllowedScopes = new List<string> { "incentiveRecords" },
ApiSecret = "incentiveRecordsSecret",
ApiName = "incentiveRecords",
AutomaticAuthenticate = true,
SupportedTokens = SupportedTokens.Both,
AuthenticationScheme = "Bearer",
SaveToken = true,
ValidateScope = true,
// TokenRetriever = _tokenRetriever,
// required if you want to return a 403 and not a 401 for forbidden responses
AutomaticChallenge = true,
};
我找到的用于为 OATH2 实现您自己的 torii 提供程序的示例指示在响应参数中包含 'id_token' 和 'token',考虑到它们是在中使用的响应类型,这是有意义的我的隐式配置。更令人困惑的是 id_token 和令牌在承诺之后都成功获取了值。令我困扰的是它们是相同的,当我解码它们时,观众被设置为客户端而不是包括资源服务器。所以超级简单的答案是将 'token' 响应参数更改为 'access_token'。现在我能够从承诺中获得正确的令牌并继续在 Auth header 中使用它。希望这对其他人有帮助。
我试图在授予 API 访问权限之前使用 Identity Server 4 对用户进行身份验证。我正在使用隐式配置,因为前端是 Ember JS 应用程序。我已经能够登录,显示同意屏幕,然后导航到 redirectUri。但是,一旦 Bearer Token 被发送到 API,我就会收到 403.
我在返回 403 之前能够在日志中找到它声明没有为当前原则指定任何范围。但是我还没有找到其他人报告同样的问题,所以我不确定我做错了什么。
如有任何帮助,我们将不胜感激。
API日志
2017-03-27 15:24:35.358 -05:00 [Information] Request starting HTTP/1.1 GET http://localhost:55026/incentives/api/categories application/json
2017-03-27 15:24:36.035 -05:00 [Information] Successfully validated the token.
2017-03-27 15:24:36.046 -05:00 [Information] HttpContext.User merged via AutomaticAuthentication from authenticationScheme: "Bearer".
2017-03-27 15:24:36.048 -05:00 [Information] AuthenticationScheme: "Bearer" was successfully authenticated.
2017-03-27 15:24:36.051 -05:00 [Information] Scopes found on current principal: ""
2017-03-27 15:24:36.053 -05:00 [Warning] Scope validation failed. Return 403
2017-03-27 15:24:36.059 -05:00 [Debug] Connection id ""0HL3L9SNQEILQ"" completed keep alive response.
2017-03-27 15:24:36.060 -05:00 [Information] Request finished in 702.0523ms 403
new Client
{
ClientName = "IncentivesClient",
ClientId = "IncentivesClient",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RedirectUris = new List<string>
{
"http://localhost:4200/authorized"
},
PostLogoutRedirectUris = new List<string>
{
"http://localhost:4200/unauthorized"
},
AllowedCorsOrigins = new List<string>
{
"http://localhost:4200"
},
AllowedScopes = new List<string>
{
StandardScopes.OpenId,
StandardScopes.Email,
StandardScopes.Profile,
"incentiveRecords",
"incentiverecordsscope",
}
}
这是API设置
IdentityServerAuthenticationOptions identityServerValidationOptions = new IdentityServerAuthenticationOptions
{
Authority = "https://localhost:44357",
RequireHttpsMetadata = true,
AllowedScopes = new List<string> { "incentiveRecords" },
ApiSecret = "incentiveRecordsSecret",
ApiName = "incentiveRecords",
AutomaticAuthenticate = true,
SupportedTokens = SupportedTokens.Both,
AuthenticationScheme = "Bearer",
SaveToken = true,
ValidateScope = true,
// TokenRetriever = _tokenRetriever,
// required if you want to return a 403 and not a 401 for forbidden responses
AutomaticChallenge = true,
};
我找到的用于为 OATH2 实现您自己的 torii 提供程序的示例指示在响应参数中包含 'id_token' 和 'token',考虑到它们是在中使用的响应类型,这是有意义的我的隐式配置。更令人困惑的是 id_token 和令牌在承诺之后都成功获取了值。令我困扰的是它们是相同的,当我解码它们时,观众被设置为客户端而不是包括资源服务器。所以超级简单的答案是将 'token' 响应参数更改为 'access_token'。现在我能够从承诺中获得正确的令牌并继续在 Auth header 中使用它。希望这对其他人有帮助。