IdentityServer3:OWIN Katana 中间件抛出 "invalid_client" 错误,因为它无法获取令牌
IdentityServer3: OWIN Katana middleware is throwing "invalid_client" error as it cannot get a token
我们使用 IdentityServer3 作为身份提供者和 OWIN Katana 中间件来进行基于 OpenId Connect 的握手。当我们被重定向到身份服务器并返回到原始网站时,身份验证工作正常。但是当我尝试检索令牌并在 "OpenIdConnectAuthenticationNotifications" 中获取声明时,出现了 invalid_client 的问题。
请检查下面的代码(启动 class)和随附的屏幕截图。
public sealed class Startup
{
public void Configuration(IAppBuilder app)
{
string ClientUri = @"https://client.local";
string IdServBaseUri = @"https://idm.website.com/core";l
string TokenEndpoint = @"https://idm.website.com/core/connect/token";
string UserInfoEndpoint = @"https://idm.website.com/core/connect/userinfo";
string ClientId = @"WebPortalDemo";
string ClientSecret = @"aG90apW2+DbX1wVnwwLD+eu17g3vPRIg7p1OnzT14TE=";
//AntiForgeryConfig.UniqueClaimTypeIdentifier = "sub";
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies"
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = ClientId,
Authority = IdServBaseUri,
RedirectUri = ClientUri,
PostLogoutRedirectUri = ClientUri,
ResponseType = "code id_token token",
Scope = "openid profile roles",
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "role"
},
SignInAsAuthenticationType = "Cookies",
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived = async n =>
{
// use the code to get the access and refresh token
var tokenClient = new TokenClient(
TokenEndpoint,
ClientId,
ClientSecret);
var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(n.Code, n.RedirectUri);
if (tokenResponse.IsError)
{
throw new Exception(tokenResponse.Error);
}
// use the access token to retrieve claims from userinfo
var userInfoClient = new UserInfoClient(UserInfoEndpoint);
var userInfoResponse = await userInfoClient.GetAsync(tokenResponse.AccessToken);
// create new identity
var id = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
//id.AddClaims(userInfoResponse.GetClaimsIdentity().Claims);
id.AddClaims(userInfoResponse.Claims);
id.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
id.AddClaim(new Claim("expires_at", DateTime.Now.AddSeconds(tokenResponse.ExpiresIn).ToLocalTime().ToString()));
id.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
id.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
id.AddClaim(new Claim("sid", n.AuthenticationTicket.Identity.FindFirst("sid").Value));
n.AuthenticationTicket = new AuthenticationTicket(
new ClaimsIdentity(id.Claims, n.AuthenticationTicket.Identity.AuthenticationType, "name", "role"),
n.AuthenticationTicket.Properties);
},
RedirectToIdentityProvider = n =>
{
// if signing out, add the id_token_hint
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
{
var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");
if (idTokenHint != null)
{
n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
}
}
return Task.FromResult(0);
}
}
});
}
}
IdSvr3 的客户端配置已指定使用混合流,我已多次检查客户端 ID 和客户端密码以验证它们是否正确。
这是服务器端的客户端配置:
我可以通过查看身份服务器生成的日志来解决问题。日志说客户端密码不正确,当我多次检查该密码与身份服务器上显示的内容完全一致时。但后来我意识到秘密应该是实际的文本而不是散列的文本。修改后的有效代码如下:
string ClientId = @"WebPortalDemo";
//string ClientSecret = @"aG90apW2+DbX1wVnwwLD+eu17g3vPRIg7p1OnzT14TE="; // Incorrect secret, didn't work
string ClientSecret = @"love"; // Actual text entered as secret, worked
来源:@rawel
我们使用 IdentityServer3 作为身份提供者和 OWIN Katana 中间件来进行基于 OpenId Connect 的握手。当我们被重定向到身份服务器并返回到原始网站时,身份验证工作正常。但是当我尝试检索令牌并在 "OpenIdConnectAuthenticationNotifications" 中获取声明时,出现了 invalid_client 的问题。
请检查下面的代码(启动 class)和随附的屏幕截图。
public sealed class Startup
{
public void Configuration(IAppBuilder app)
{
string ClientUri = @"https://client.local";
string IdServBaseUri = @"https://idm.website.com/core";l
string TokenEndpoint = @"https://idm.website.com/core/connect/token";
string UserInfoEndpoint = @"https://idm.website.com/core/connect/userinfo";
string ClientId = @"WebPortalDemo";
string ClientSecret = @"aG90apW2+DbX1wVnwwLD+eu17g3vPRIg7p1OnzT14TE=";
//AntiForgeryConfig.UniqueClaimTypeIdentifier = "sub";
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies"
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = ClientId,
Authority = IdServBaseUri,
RedirectUri = ClientUri,
PostLogoutRedirectUri = ClientUri,
ResponseType = "code id_token token",
Scope = "openid profile roles",
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "role"
},
SignInAsAuthenticationType = "Cookies",
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived = async n =>
{
// use the code to get the access and refresh token
var tokenClient = new TokenClient(
TokenEndpoint,
ClientId,
ClientSecret);
var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(n.Code, n.RedirectUri);
if (tokenResponse.IsError)
{
throw new Exception(tokenResponse.Error);
}
// use the access token to retrieve claims from userinfo
var userInfoClient = new UserInfoClient(UserInfoEndpoint);
var userInfoResponse = await userInfoClient.GetAsync(tokenResponse.AccessToken);
// create new identity
var id = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
//id.AddClaims(userInfoResponse.GetClaimsIdentity().Claims);
id.AddClaims(userInfoResponse.Claims);
id.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
id.AddClaim(new Claim("expires_at", DateTime.Now.AddSeconds(tokenResponse.ExpiresIn).ToLocalTime().ToString()));
id.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
id.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
id.AddClaim(new Claim("sid", n.AuthenticationTicket.Identity.FindFirst("sid").Value));
n.AuthenticationTicket = new AuthenticationTicket(
new ClaimsIdentity(id.Claims, n.AuthenticationTicket.Identity.AuthenticationType, "name", "role"),
n.AuthenticationTicket.Properties);
},
RedirectToIdentityProvider = n =>
{
// if signing out, add the id_token_hint
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
{
var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");
if (idTokenHint != null)
{
n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
}
}
return Task.FromResult(0);
}
}
});
}
}
IdSvr3 的客户端配置已指定使用混合流,我已多次检查客户端 ID 和客户端密码以验证它们是否正确。
这是服务器端的客户端配置:
我可以通过查看身份服务器生成的日志来解决问题。日志说客户端密码不正确,当我多次检查该密码与身份服务器上显示的内容完全一致时。但后来我意识到秘密应该是实际的文本而不是散列的文本。修改后的有效代码如下:
string ClientId = @"WebPortalDemo";
//string ClientSecret = @"aG90apW2+DbX1wVnwwLD+eu17g3vPRIg7p1OnzT14TE="; // Incorrect secret, didn't work
string ClientSecret = @"love"; // Actual text entered as secret, worked
来源:@rawel