Why do I see "invalid client" in the IdentityServer4 logs when using a Microsoft Account external login?
I have an IdentityServer4 implementation with a default internal OIDC OpenIdConnect middleware to provide access to a local API, plus support for external login providers, starting with Microsoft. I have implemented a custom IClientStore and attached it to the middleware with
.AddClientStore<IS4ClientStore>();
When the internal OIDC implicit connection authorizes, IS4ClientStore.FindClientByIdAsync is called by BuildLoginViewModelAsync, just like in the sample, with
_clientStore.FindEnabledClientByIdAsync(context.ClientId);
which returns the expected IdentityServer4.Client and everything validates, etc.
When I call the external provider (Microsoft OAuth), it goes through the authentication process tied to the applicationid I supplied, through Microsoft's claims process, and then Microsoft redirects back to https://localhost:5001/signin-microsoft.
The asp.net core middleware, set up at startup by calling services.AddAuthentication().AddMicrosoftAccount(options), does not use my client store to look up the client ID; it just reports the error:
Request starting HTTP/1.1 GET https://localhost:5001/signin-microsoft?code=M91ae2ef1-701d-ceb4-d479-a905d3d02a4d&state=CfDJ8GGNLFmYOI9KouhmbB3NzeJ5omhARPg-YVCPW7u1aCyhnGfOx9_Nj4VL8cMIxmO48nk_8UkfB9Pv7Q7tzZZb8nsq5y26giY9fXuVyRsn5qx8a1nSX8tKFWk1uo9ongL5V0MXY6sgU6eNUEzsxgyNFz_20QLVU20y9G7jRpmxoOcpQ1s1SJx0Tu2BBlRrI840-D-jUmg1ix7xDUfmXF_rPVp6e88rzIuCfbQO4otNq2fAsm4
info: Microsoft.AspNetCore.Authentication.MicrosoftAccount.MicrosoftAccountHandler[4]
Error from RemoteAuthentication: OAuth token endpoint failure: Status: BadRequest;Headers: Cache-Control: no-cache, no-store
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
x-ms-request-id: 759b3046-cbad-489d-98c1-6e83bb390b00
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: fpc=AZFdz4kBW-ZHi5twlc6DCrARHQUSAQDQZKAdWIfWCA; expires=Sat, 02-Mar-2019 08:43:04 GMT; path=/; secure; HttpOnly, x-ms-gateway-slice=prod; path=/; secure; HttpOnly, stsservicecookie=ests; path=/; secure; HttpOnly
Date: Thu, 31 Jan 2019 08:43:04 GMT
;Body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier '000000005D256100' was not found in the directory '9188040d-6c67-4c5b-b112-36a304b66dad'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant\r\nTrace ID: 759b3046-cbad-489d-98c1-6e83bb390b00\r\nCorrelation ID: 858c340d-7c0c-4fa9-86c2-f8417e5915f1\r\nTimestamp: 2019-01-31 08:43:04Z","error_codes":[700016],"timestamp":"2019-01-31 08:43:04Z","trace_id":"759b3046-cbad-489d-98c1-6e83bb390b00","correlation_id":"858c340d-7c0c-4fa9-86c2-f8417e5915f1"};.
fail: Microsoft.AspNetCore.Server.Kestrel[13]
Connection id "0HLK7ARJEPT98", Request id "0HLK7DAJEPT98:00000005": An unhandled exception was thrown by the application.
System.Exception: An error was encountered while handling the remote login. ---> System.Exception: OAuth token endpoint failure: Status: BadRequest;Headers: Cache-Control: no-cache, no-store
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
x-ms-request-id: 759b3046-cbad-489d-98c1-6e83bb390b00
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: fpc=AZFdz4kBW-ZHi5twlc6DCrARHQUSAQDQZKAdWIfWCA; expires=Sat, 02-Mar-2019 08:43:04 GMT; path=/; secure; HttpOnly, x-ms-gateway-slice=prod; path=/; secure; HttpOnly, stsservicecookie=ests; path=/; secure; HttpOnly
Date: Thu, 31 Jan 2019 08:43:04 GMT
;Body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier '000000005D256100' was not found in the directory '9188040d-6c67-4c5b-b112-36a304b66dad'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant\r\nTrace ID: 759b3046-cbad-489d-98c1-6e83bb390b00\r\nCorrelation ID: 858c340d-7c0c-4fa9-86c2-f8417e5915f1\r\nTimestamp: 2019-01-31 08:43:04Z","error_codes":[700016],"timestamp":"2019-01-31 08:43:04Z","trace_id":"759b3046-cbad-489d-98c1-6e83bb390b00","correlation_id":"858c340d-7c0c-4fa9-86c2-f8417e5915f1"};
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync() in C:\local\identity\server4\IdentityServer4\src\Hosting\FederatedSignOut\AuthenticationRequestHandlerWrapper.cs:line 38
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in C:\local\identity\server4\IdentityServer4\src\Hosting\BaseUrlMiddleware.cs:line 36
at Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 476.3734ms 500
Should I be using the AddMicrosoftAccount implementation from IdentityServer4?
Thanks to Jim and Mackie for pointing me in the right direction (I thought this was due to a problem with my custom store implementation on my side).
When I was verifying that the clientid and secret on the https://apps.dev.microsoft.com/#/appList page were correct, I noticed a link to go to the azure portal to manage my apps (https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade). When I went to that link, my previous application was not shown, so I simply created a new application and got a new ApplicationId (now a guid rather than what came through the portal) and Secret, plugged them into the .AddMicrosoftAccount call, and was able to complete the Auth process via Microsoft login and get a token to complete authentication on my server.
My guess is that some applications added through the apps.dev.microsoft.com site are not in Microsoft's backing store when the authentication process is completed; these applications may be in the front-end query, allowing the auth page to find your app and present the consent page, but then, when issuing the token, the Microsoft side is looking in a different store and does not find the app by the ApplicationId provided through the apps.dev.microsoft.com page. So, at least in my case, the solution was to create the app in the Azure portal instead.
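As an added example (not code from the question or the answer above), here is the Startup wiring the question describes, with the two registrations kept distinct: the custom IClientStore serves IdentityServer4's own clients, while the Microsoft external login is validated by Microsoft against the app registration whose ClientId/ClientSecret are passed to AddMicrosoftAccount, and a remote-failure handler turns the 500 in the log into a logged warning. IS4ClientStore, the "Authentication:Microsoft:*" configuration keys and the failure page path are assumptions.

```csharp
// Added example, not the asker's code. IS4ClientStore, the configuration keys and
// the "/Account/ExternalLoginFailed" page are assumed.
using System.Threading.Tasks;
using IdentityServer4;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public class Startup
{
    private readonly IConfiguration _configuration;
    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // IS4 consults this store for *its* clients (the internal OIDC client looked
        // up via FindEnabledClientByIdAsync); it is never used for external providers.
        services.AddIdentityServer()
            .AddClientStore<IS4ClientStore>();

        services.AddAuthentication()
            .AddMicrosoftAccount("Microsoft", options =>
            {
                // Park the external identity in IS4's external cookie (as in the IS4
                // quickstarts); the default CallbackPath is /signin-microsoft.
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

                // These identify the app registration at Microsoft. The token endpoint
                // answers AADSTS700016 when no registration with this id exists in the
                // tenant the request went to. Keep the secret out of source control.
                options.ClientId = _configuration["Authentication:Microsoft:ClientId"];
                options.ClientSecret = _configuration["Authentication:Microsoft:ClientSecret"];

                // Without this handler the token-endpoint failure in the question surfaces
                // as an unhandled exception and a 500 from Kestrel.
                options.Events.OnRemoteFailure = context =>
                {
                    var logger = context.HttpContext.RequestServices
                        .GetRequiredService<ILogger<Startup>>();
                    logger.LogWarning(context.Failure, "External login via {Scheme} failed",
                        context.Scheme.Name);
                    context.Response.Redirect("/Account/ExternalLoginFailed");
                    context.HandleResponse();
                    return Task.CompletedTask;
                };
            });
    }
}
```

The directory id in the error body, 9188040d-6c67-4c5b-b112-36a304b66dad, is the tenant for personal Microsoft accounts, so AADSTS700016 here means that tenant has no registration with the given ApplicationId, not that IdentityServer4's client store rejected anything.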