How to add OAuthIntrospectionConstants.ClientAuthenticationMethods.ClientSecretPost to configuration.IntrospectionEndpointAuthMethodsSupported

I am trying to reach the first branch of the expression in the method GetIntrospectionPayloadAsync (AspNet.Security.OAuth.Introspection\OAuthIntrospectionHandler.cs, https://github.com/aspnet-contrib/AspNet.Security.OAuth.Extensions/blob/dev/src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs), but my PDB only ever contains the second case. As I understand it, I should add ClientSecretPost to IntrospectionEndpointAuthMethodsSupported, but I cannot find where I am supposed to do that. (Using Core 1.0)

Could you explain where I should add this option?

// If the introspection endpoint provided by the authorization server supports
// client_secret_post, flow the client credentials as regular OAuth2 parameters.
// See https://tools.ietf.org/html/draft-ietf-oauth-discovery-05#section-2
// and https://tools.ietf.org/html/rfc6749#section-2.3.1 for more information.
if (configuration.IntrospectionEndpointAuthMethodsSupported.Contains(OAuthIntrospectionConstants.ClientAuthenticationMethods.ClientSecretPost))
{
    parameters[OAuthIntrospectionConstants.Parameters.ClientId] = Options.ClientId;
    parameters[OAuthIntrospectionConstants.Parameters.ClientSecret] = Options.ClientSecret;
}

// Otherwise, assume the authorization server only supports basic authentication,
// as it's the only authentication method required by the OAuth2 specification.
// See https://tools.ietf.org/html/rfc6749#section-2.3.1 for more information.
else
{
    var credentials = Convert.ToBase64String(Encoding.ASCII.GetBytes($"{Options.ClientId}:{Options.ClientSecret}"));

    request.Headers.Authorization = new AuthenticationHeaderValue(OAuthIntrospectionConstants.Schemes.Basic, credentials);
}

UPD: authorization server startup:

app.UseOpenIdConnectServer(options =>
{
    options.Provider = new AuthorizationProvider();

    options.TokenEndpointPath = "/connect/token";
    options.LogoutEndpointPath = "/connect/logout";
    options.UserinfoEndpointPath = "/connect/userinfo";
    options.IntrospectionEndpointPath = "/connect/introspect";
    options.RevocationEndpointPath = "/connect/revoke";

    options.ApplicationCanDisplayErrors = openIdOptions.Value.ApplicationCanDisplayErrors;
    options.AllowInsecureHttp = openIdOptions.Value.AllowInsecureHttp;
    options.AccessTokenLifetime = openIdOptions.Value.AccessTokenLifetime;
});

Layered API:

branch.UseOAuthIntrospection(options =>
{
    options.ClientId = openIdConnectOptions.Value.ClientId;
    options.ClientSecret = openIdConnectOptions.Value.ClientSecret;
    options.Authority = openIdConnectOptions.Value.Authority;
    options.AutomaticAuthenticate = true;
    options.AutomaticChallenge = true;
});
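To make the two branches of the handler snippet quoted in the question concrete, here is an added console example (my own illustration, not code from the aspnet-contrib project or from the question). It mirrors the branch logic and prints the request each branch would produce, so you can compare it with what your introspection endpoint actually receives. The method name BuildIntrospectionRequest, the introspection URL and the credential values are assumptions; the two string constants are assumed to match what the library's OAuthIntrospectionConstants.ClientAuthenticationMethods members resolve to.

```csharp
// Added example: reproduces the branch selection of GetIntrospectionPayloadAsync
// outside the handler. Nothing here is taken from the project source.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;

static class IntrospectionRequestDemo
{
    // Assumed values of the library constants (standard OAuth2 method names).
    const string ClientSecretPost = "client_secret_post";
    const string ClientSecretBasic = "client_secret_basic";

    // Hypothetical helper: builds the introspection request the same way the handler does,
    // choosing client_secret_post only when the configured method set contains it.
    public static HttpRequestMessage BuildIntrospectionRequest(
        ISet<string> authMethodsSupported, string clientId, string clientSecret, string token)
    {
        var parameters = new Dictionary<string, string> { ["token"] = token };
        var request = new HttpRequestMessage(HttpMethod.Post, "http://localhost:12345/connect/introspect");

        if (authMethodsSupported.Contains(ClientSecretPost))
        {
            // First branch: credentials travel as form parameters.
            parameters["client_id"] = clientId;
            parameters["client_secret"] = clientSecret;
        }
        else
        {
            // Second branch: HTTP Basic authentication (RFC 6749 section 2.3.1).
            var credentials = Convert.ToBase64String(Encoding.ASCII.GetBytes($"{clientId}:{clientSecret}"));
            request.Headers.Authorization = new AuthenticationHeaderValue("Basic", credentials);
        }

        request.Content = new FormUrlEncodedContent(parameters);
        return request;
    }

    static async Task Main()
    {
        // Constructed inputs: a server that only advertises basic, and one that also advertises post.
        var scenarios = new[]
        {
            new HashSet<string> { ClientSecretBasic },
            new HashSet<string> { ClientSecretBasic, ClientSecretPost }
        };

        foreach (var methods in scenarios)
        {
            var request = BuildIntrospectionRequest(methods, "resource-server-1", "secret-placeholder", "sample-token");
            Console.WriteLine($"supported = [{string.Join(", ", methods)}]");
            Console.WriteLine($"Authorization: {request.Headers.Authorization?.ToString() ?? "(none)"}");
            Console.WriteLine($"Body: {await request.Content.ReadAsStringAsync()}");
            Console.WriteLine();
        }
    }
}
```

Running it shows why the question only ever hits the second branch: with a method set that lacks client_secret_post, the client id and secret end up in the Authorization header and never in the form body. Either way the secret is sent in the clear inside the request, so the introspection endpoint should be reached over HTTPS in production; AllowInsecureHttp in the question's server setup is a development-only setting.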

introspection_endpoint_auth_methods_supported is returned by the authorization server as part of the discovery document (assuming it supports the OAuth2 discovery draft).

This property is supported by both the aspnet-contrib OpenID Connect server middleware and OpenIddict.

If your authorization server doesn't support this property, you can configure the introspection handler not to use discovery and force it to use a static configuration of your choice:

services.AddAuthentication(options =>
{
    options.DefaultScheme = OAuthIntrospectionDefaults.AuthenticationScheme;
})
.AddOAuthIntrospection(options =>
{
    options.Audiences.Add("resource-server-1");
    options.ClientId = "resource-server-1";
    options.ClientSecret = "846B62D0-DEF9-4215-A99D-86E6B8DAB342";
    options.Configuration = new OAuthIntrospectionConfiguration
    {
        IntrospectionEndpoint = "http://localhost:12345/connect/introspect",
        IntrospectionEndpointAuthMethodsSupported =
        {
            OAuthIntrospectionConstants.ClientAuthenticationMethods.ClientSecretBasic,
            OAuthIntrospectionConstants.ClientAuthenticationMethods.ClientSecretPost
        }
    };
});