ADFS - Client credential grant flow - resource server doesn't validate JWT
I created an application group in ADFS containing 1 client and 1 resource server.
I have managed to implement the flow on the client side (I get an access token), but when it is passed to the resource server API, the access token is not validated. What am I missing?
My code in the resource server's Startup.cs is as follows:
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Cors;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Owin;

public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCors(CorsOptions.AllowAll);
        ConfigureOAuth(app);
        // more code here
    }

    public void ConfigureOAuth(IAppBuilder app)
    {
        var issuer = "http://adfserver/adfs/services/trust";
        var audience = "https://client";

        // Api controllers with an [Authorize] attribute will be validated with JWT.
        // No IssuerSigningKeys are set here, so the middleware has no key to
        // verify the token signature with.
        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                AllowedAudiences = new[] { audience },
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = issuer,
                    ValidateAudience = true,
                    ValidAudience = audience,
                    RequireSignedTokens = true,
                    ValidateIssuerSigningKey = true,
                    ValidateLifetime = true
                },
            });
    }
}
Problem solved. I had to fetch the signing keys from the ADFS server. Below is working code:
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Owin;

// Inside the Startup class. Host name of the ADFS server (placeholder value).
private readonly string myAdfSserver = "adfs.example.com";

public void ConfigureOAuth(IAppBuilder app)
{
    var issuer = $"http://{myAdfSserver}/adfs/services/trust";
    var audience = "audience";

    // Fetch the OpenID Connect discovery document from ADFS; it carries the
    // JWKS (signing keys) the middleware needs to verify token signatures.
    ConfigurationManager<OpenIdConnectConfiguration> configurationManager =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"https://{myAdfSserver}/adfs/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());
    // OWIN's Configuration(IAppBuilder) is synchronous, so block on the async
    // fetch here instead of using await in a non-async method.
    var openIdConfig = configurationManager.GetConfigurationAsync().GetAwaiter().GetResult();

    TokenValidationParameters validationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = issuer,
        ValidateAudience = true,
        ValidAudience = audience,
        RequireSignedTokens = true,
        ValidateIssuerSigningKey = true,
        // The keys ADFS publishes; without these every signature check fails.
        IssuerSigningKeys = openIdConfig.SigningKeys,
        ValidateLifetime = true
    };

    app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,
        AllowedAudiences = new string[] { audience },
        TokenValidationParameters = validationParameters
    });
}
Also, make sure your web requests use TLS 1.2 (the default with .NET Framework 4.6.1). I set it in the Startup.cs class:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
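The following is an added example, not code from the question or the answer above, that shows in isolation why the first configuration rejects every token and the second accepts them. It is a stand-alone console program built on the same TokenValidationParameters type (System.IdentityModel.Tokens.Jwt / Microsoft.IdentityModel.Tokens 5.x or later). The RSA key generated in the program stands in for the ADFS signing key that the answer fetches from the discovery document; the issuer, audience and appid values are constructed placeholders. A third run validates against a key that is not the issuer's, which is the case a token forged or signed by another tenant would produce.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

class SigningKeyDemo
{
    // Placeholder values; in the real deployment these match what ADFS issues.
    const string Issuer = "http://adfs.example.test/adfs/services/trust";
    const string Audience = "audience";

    static void Main()
    {
        // Stand-in for the ADFS signing key. In production it is not generated
        // locally but read from the discovery document (openIdConfig.SigningKeys).
        var issuerKey = new RsaSecurityKey(new RSACryptoServiceProvider(2048)) { KeyId = "example-kid" };
        var handler = new JwtSecurityTokenHandler();

        // Mint a token the way the issuer would (constructed claim set).
        var token = handler.CreateJwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            subject: new ClaimsIdentity(new[] { new Claim("appid", "client-id-placeholder") }),
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddMinutes(10),
            signingCredentials: new SigningCredentials(issuerKey, SecurityAlgorithms.RsaSha256));
        string jwt = handler.WriteToken(token);

        // 1. The question's parameters: no IssuerSigningKeys, so nothing to verify against.
        Console.WriteLine("no keys     : " + Validate(handler, jwt, BaseParameters()));

        // 2. The answer's fix: keys supplied, signature verifies, claims become available.
        var withKeys = BaseParameters();
        withKeys.IssuerSigningKeys = new[] { issuerKey };
        Console.WriteLine("issuer keys : " + Validate(handler, jwt, withKeys));

        // 3. Keys from somewhere else: signature does not verify, token rejected.
        var otherKey = new RsaSecurityKey(new RSACryptoServiceProvider(2048)) { KeyId = "other-kid" };
        var wrongKeys = BaseParameters();
        wrongKeys.IssuerSigningKeys = new[] { otherKey };
        Console.WriteLine("foreign keys: " + Validate(handler, jwt, wrongKeys));
    }

    // Same checks as the page's TokenValidationParameters, minus the keys.
    static TokenValidationParameters BaseParameters() => new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = Issuer,
        ValidateAudience = true,
        ValidAudience = Audience,
        RequireSignedTokens = true,
        ValidateIssuerSigningKey = true,
        ValidateLifetime = true
    };

    // Every rejection surfaces as a SecurityTokenException subclass; the type
    // name tells you which check failed (signature, issuer, audience, lifetime).
    static string Validate(JwtSecurityTokenHandler handler, string jwt, TokenValidationParameters p)
    {
        try
        {
            ClaimsPrincipal principal = handler.ValidateToken(jwt, p, out _);
            return "valid, appid=" + principal.FindFirst("appid")?.Value;
        }
        catch (SecurityTokenException ex)
        {
            return "rejected (" + ex.GetType().Name + ")";
        }
    }
}
```

Run it as a console project that references System.IdentityModel.Tokens.Jwt. Only the second run prints "valid"; the first and third are rejected with signature-related exceptions, which is exactly what the OWIN middleware does silently (the request simply arrives unauthenticated) when IssuerSigningKeys is left unset or points at the wrong keys.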