Invalid flow for client: Implicit. identity server authorization
I am trying to authorize an application with IdentityServer, but when I try to log in it shows The client application is not known or is not authorized. I am trying to authorize against this endpoint with these credentials, using a function that returns a string to redirect to.
function create_login_url(){
    // Scheme added as an assumption: the original string had none, and port 8443 is conventionally HTTPS.
    return "https://indentiy-dev12:8443/connect/authorize?"
        . "client_id=" . "MyClient" . "&"
        // the scope list must be a quoted string (the original passed it unquoted, which is not valid PHP)
        . "scope=" . urlencode("openid profile read write email roles") . "&"
        . "redirect_uri=" . urlencode("http://localhost:8080/my-page/validate.php") . "&"
        . "response_mode=" . "form_post" . "&"
        // time()/rand() values are predictable; an unguessable value such as bin2hex(random_bytes(16)) is preferable for state and nonce
        . "state=" . time() . rand() . "&"
        . "nonce=" . rand() . time() . "&"
        // the parameter name is response_type (the original had a "reponse_type" typo)
        . "response_type=" . urlencode("id_token token");
}
The client was created with the following:
{
ClientName = "My Client",
Enabled = true,
ClientId = "MyClient",
ClientSecrets = new List<ClientSecret>
{
new ClientSecret("MyClient".Sha256())
},
RedirectUris = new List<string>
{
"http://192.168.0.30/my-page/validate.php",
"http://localhost:8080/my-page/validate.php",
},
PostLogoutRedirectUris = new List<string>
{
"http://192.168.0.30/my-page/validate.php",
"http://localhost:8080/my-page/validate.php",
},
Flow = Flows.ResourceOwner
}
The log looks like this:
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Validation.AuthorizeRequestValidator]: 9/25/2017 5:35:14 PM +00:00 -- Start authorize request client validation
Debug: [Cache]: 9/25/2017 5:35:14 PM +00:00 -- Cache hit: MyClient
w3wp.exe Error: 0 : [Thinktecture.IdentityServer.Core.Validation.AuthorizeRequestValidator]: 9/25/2017 5:35:14 PM +00:00 -- Invalid flow for client: Implicit
{
"ClientId": "MyClient",
"ClientName": "My Client",
"RedirectUri": "http://localhost:8080/my-page/validate.php",
"AllowedRedirectUris": [
"http://192.168.0.30/my-page/validate.php",
"http://localhost:8080/my-page/validate.php"
],
"SubjectId": "user.fabio",
"ResponseType": "id_token token",
"ResponseMode": "form_post",
"Flow": "Implicit",
"RequestedScopes": "openid profile read write email roles",
"State": "15063609141165646676",
"Nonce": "15954663491506360914",
"SessionId": "33e89e5746b59e895c5d6edf6b5220b4",
"Raw": {
"client_id": "MyClient",
"scope": "openid profile read write email roles",
"redirect_uri": "http://localhost:8080/my-page/validate.php",
"response_mode": "form_post",
"state": "15063609141165646676",
"nonce": "15954663491506360914",
"response_type": "id_token token"
}
}
w3wp.exe Information: 0 : [Events]: 9/25/2017 5:35:14 PM +00:00 -- {
"Category": "Endpoints",
"Name": "Endpoint failure",
"EventType": "Failure",
"Id": 3001,
"Message": "unauthorized_client",
"Details": {
"EndpointName": "authorize"
},
"Context": {
"ActivityId": "c30c1550-4cf7-4527-8d09-b42e2557ffaa",
"TimeStamp": "2017-09-25T17:35:14.1943477+00:00",
"ProcessId": 696,
"MachineName": "machine-name",
"RemoteIpAddress": "192.168.70.28",
"SubjectId": "user.fabio"
}
}
w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthorizeEndpointController]: 9/25/2017 5:35:14 PM +00:00 -- End authorize request
w3wp.exe Warning: 0 : [Thinktecture.IdentityServer.Core.Configuration.IdentityServerServiceFactory]: 9/25/2017 6:33:38 PM +00:00 -- AuthorizationCodeStore not configured - falling back to InMemory
w3wp.exe Warning: 0 : [Thinktecture.IdentityServer.Core.Configuration.IdentityServerServiceFactory]: 9/25/2017 6:33:38 PM +00:00 -- TokenHandleStore not configured - falling back to InMemory
w3wp.exe Warning: 0 : [Thinktecture.IdentityServer.Core.Configuration.IdentityServerServiceFactory]: 9/25/2017 6:33:38 PM +00:00 -- ConsentStore not configured - falling back to InMemory
w3wp.exe Warning: 0 : [Thinktecture.IdentityServer.Core.Configuration.IdentityServerServiceFactory]: 9/25/2017 6:33:38 PM +00:00 -- RefreshTokenStore not configured - falling back to InMemory
w3wp.exe Information: 0 : [Events]: 9/25/2017 6:33:39 PM +00:00 -- {
"Category": "Information",
"Name": "Signing certificate validation success",
"EventType": "Information",
"Id": 4012,
"Details": {
"SigningCertificateName": "CN=idsrv3test",
"SigningCertificateExpiration": "2020-01-20T16:00:00-06:00"
},
"Context": {
"TimeStamp": "2017-09-25T18:33:39.0033098+00:00",
"ProcessId": 8468,
"MachineName": "machine-name"
}
}
The server I am trying to log in to is not on my own machine. There is also another client that can log in successfully.
Your login request asks for an identity token and an access token. That translates to the implicit grant type.
However, your client entry is configured for the ROPC grant type. ROPC is not really authentication, and it is not OpenID Connect, so you cannot obtain an identity token with it. That is why you get the error message from IdentityServer.
You need to change the client flow to Flows.Implicit
P.S. It looks like you are using a very old version of IdentityServer. They dropped the Thinktecture prefix a few years ago. You may want to look into that.
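To make the mismatch described in the answer concrete, here is an added example (not IdentityServer code and not from either poster) that models the checks the authorize endpoint ran before logging "Invalid flow for client: Implicit". The client record and the "Raw" request are copied from the question and the log; the validator itself and its error-code choices are a constructed illustration of the OAuth 2.0 / OIDC rules, and it also shows the same request passing once Flow is Implicit.

```python
# Added example (not IdentityServer code): a model of the checks the
# authorize endpoint ran before logging "Invalid flow for client: Implicit".
# The client record and the raw request are copied from the question and
# the log above; everything else is constructed for illustration.

# Client entry as configured in the question (Flow = Flows.ResourceOwner).
CLIENT_ROPC = {
    "ClientId": "MyClient",
    "Enabled": True,
    "Flow": "ResourceOwner",
    "RedirectUris": [
        "http://192.168.0.30/my-page/validate.php",
        "http://localhost:8080/my-page/validate.php",
    ],
}

# The same entry after the fix the answer recommends.
CLIENT_IMPLICIT = {**CLIENT_ROPC, "Flow": "Implicit"}

# The "Raw" block of the failing request, taken from the log.
RAW_REQUEST = {
    "client_id": "MyClient",
    "scope": "openid profile read write email roles",
    "redirect_uri": "http://localhost:8080/my-page/validate.php",
    "response_mode": "form_post",
    "state": "15063609141165646676",
    "nonce": "15954663491506360914",
    "response_type": "id_token token",
}


def flow_for_response_type(response_type: str) -> str:
    """Map an OAuth 2.0 / OIDC response_type to the flow it implies.

    "code" alone is the authorization-code flow; any combination of
    id_token and token only is implicit; code plus id_token/token is hybrid.
    ResourceOwner (ROPC) never appears here: it is a token-endpoint grant
    (grant_type=password) and has no authorize-endpoint response_type.
    """
    parts = set(response_type.split())
    if not parts:
        raise ValueError("response_type is required")
    if parts == {"code"}:
        return "AuthorizationCode"
    if parts <= {"id_token", "token"}:
        return "Implicit"
    if "code" in parts and parts <= {"code", "id_token", "token"}:
        return "Hybrid"
    raise ValueError(f"unsupported response_type {response_type!r}")


def validate_authorize_request(raw: dict, clients: dict) -> tuple:
    """Return (ok, oauth_error) in the order the log shows: client lookup,
    redirect_uri, then flow. Error codes follow RFC 6749 section 4.2.2.1."""
    client = clients.get(raw.get("client_id", ""))
    if client is None or not client["Enabled"]:
        return False, "unauthorized_client"

    # Exact string comparison: no prefix, wildcard or path-normalisation matching.
    if raw.get("redirect_uri") not in client["RedirectUris"]:
        return False, "invalid_request"

    try:
        requested_flow = flow_for_response_type(raw.get("response_type", ""))
    except ValueError:
        return False, "unsupported_response_type"

    # This is the check that failed in the question: the request implies
    # Implicit but the client record only allows ResourceOwner.
    if requested_flow != client["Flow"]:
        return False, "unauthorized_client"

    # An id_token can only be issued for an OpenID Connect request.
    if "id_token" in raw["response_type"].split() and "openid" not in raw.get("scope", "").split():
        return False, "invalid_scope"

    return True, ""


if __name__ == "__main__":
    print(validate_authorize_request(RAW_REQUEST, {"MyClient": CLIENT_ROPC}))
    print(validate_authorize_request(RAW_REQUEST, {"MyClient": CLIENT_IMPLICIT}))
```

Two consequences of the fix are worth keeping in mind. With Flow set to Implicit the ClientSecret in the entry plays no part in this path: the tokens are delivered straight to the browser (here as a form_post to validate.php), so that page must itself verify the id_token signature against the signing certificate the log reports, and check that the nonce and state match the values it generated. And if the client genuinely needs ROPC, that grant is requested at the token endpoint with grant_type=password; the authorize endpoint is never involved.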