Thinktecture "insufficient_scope" 错误。单一范围声明与范围列表
Thinktecture "insufficient_scope" error. Singular scope claim versus list of scopes
我相信答案是显而易见的,但我现在还不知道。
当我的代码尝试调用 /connect/userinfo 并且消息是 "insufficient_scope".
时,我得到了 403
以上代码行检查 JWT 中的范围声明,并希望找到 "openid" 的值以使 /connect/userinfo 端点正常工作。
在我的 JWT 中,如果它有类似的东西:
"scope": "openid"
...那么端点就可以了。相反,如果我有:
"scope": ["openid", "email", "profile"]
...然后它失败了。
我应该永远不会有 list/array 范围声明吗?也许我在某处缺少配置设置?
更新代码
对不起。当然代码会让问题更清楚。
客户端商店
public ClientStore()
{
_clients = new List<Client>
{
new Client
{
AlwaysSendClientClaims = true,
RequireConsent = false,
Enabled = true,
ClientName = @"MVC Client",
ClientId = @"mvc",
PostLogoutRedirectUris = new List<string>
{
"http://localhost:8080/index.html"
},
RedirectUris = new List<string>
{
"http://localhost:8080/loginCallback.html"
}
}
};
}
范围商店
public ScopeStore()
{
var scopes = new List<Scope>
{
StandardScopes.OpenId,
StandardScopes.Profile,
StandardScopes.Email,
StandardScopes.Address,
StandardScopes.AllClaims,
StandardScopes.RolesAlwaysInclude
};
_scopes = scopes;
}
Startup.cs
var certFile = env.ApplicationBasePath + "/cert.pfx";
app.Map("/core", core =>
{
var factory = new IdentityServerServiceFactory();
var configuration = new Configuration();
configuration.AddJsonFile("config.json");
var userService = new EndUserService(configuration.Get("ConnectionString"));
factory.UserService = new Registration<IUserService>(resolver => userService);
var scopeStore = new ScopeStore();
factory.ScopeStore = new Registration<IScopeStore>(resolver => scopeStore);
var clientStore = new ClientStore();
factory.ClientStore = new Registration<IClientStore>(resolver => clientStore);
var cert = new X509Certificate2(certFile, "test");
var idsrvOptions = new IdentityServerOptions
{
CorsPolicy = CorsPolicy.AllowAll,
Factory = factory,
RequireSsl = false,
SigningCertificate = cert,
LoggingOptions = new LoggingOptions() {
EnableWebApiDiagnostics = true,
EnableHttpLogging = true
}
};
core.UseIdentityServer(idsrvOptions);
});
Login.html
var config = {
client_id: "mvc",
redirect_uri: "http://localhost:8080/loginCallback.html",
response_type: "id_token token",
scope: "openid email profile",
authority: "http://localhost:44319/core",
post_logout_redirect_uri: "http://localhost:8080/index.html"
};
var mgr = new OidcTokenManager(config);
更新 #2
开始,这是单声道与 Windows 的对比。在 Windows 中工作正常,在 Mono 中损坏。显然已知问题:https://github.com/IdentityServer/IdentityServer3/issues/1373#issuecomment-104756822
您请求的范围似乎在您的 Identity Server 实现中的客户端配置中未启用。
你应该有一个 class 与客户和他们的 ScopeRestrictions 像 this。您需要将电子邮件和配置文件范围添加到此范围列表。
事实证明,Microsoft 的 JWT 库解释 JWT 声明的方式存在错误。此处描述:https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/153
等待该拉取请求被接受或以其他方式解决问题。
我相信答案是显而易见的,但我现在还不知道。
当我的代码尝试调用 /connect/userinfo 并且消息是 "insufficient_scope".
时,我得到了 403以上代码行检查 JWT 中的范围声明,并希望找到 "openid" 的值以使 /connect/userinfo 端点正常工作。
在我的 JWT 中,如果它有类似的东西:
"scope": "openid"
...那么端点就可以了。相反,如果我有:
"scope": ["openid", "email", "profile"]
...然后它失败了。
我应该永远不会有 list/array 范围声明吗?也许我在某处缺少配置设置?
更新代码
对不起。当然代码会让问题更清楚。
客户端商店
public ClientStore()
{
_clients = new List<Client>
{
new Client
{
AlwaysSendClientClaims = true,
RequireConsent = false,
Enabled = true,
ClientName = @"MVC Client",
ClientId = @"mvc",
PostLogoutRedirectUris = new List<string>
{
"http://localhost:8080/index.html"
},
RedirectUris = new List<string>
{
"http://localhost:8080/loginCallback.html"
}
}
};
}
范围商店
public ScopeStore()
{
var scopes = new List<Scope>
{
StandardScopes.OpenId,
StandardScopes.Profile,
StandardScopes.Email,
StandardScopes.Address,
StandardScopes.AllClaims,
StandardScopes.RolesAlwaysInclude
};
_scopes = scopes;
}
Startup.cs
var certFile = env.ApplicationBasePath + "/cert.pfx";
app.Map("/core", core =>
{
var factory = new IdentityServerServiceFactory();
var configuration = new Configuration();
configuration.AddJsonFile("config.json");
var userService = new EndUserService(configuration.Get("ConnectionString"));
factory.UserService = new Registration<IUserService>(resolver => userService);
var scopeStore = new ScopeStore();
factory.ScopeStore = new Registration<IScopeStore>(resolver => scopeStore);
var clientStore = new ClientStore();
factory.ClientStore = new Registration<IClientStore>(resolver => clientStore);
var cert = new X509Certificate2(certFile, "test");
var idsrvOptions = new IdentityServerOptions
{
CorsPolicy = CorsPolicy.AllowAll,
Factory = factory,
RequireSsl = false,
SigningCertificate = cert,
LoggingOptions = new LoggingOptions() {
EnableWebApiDiagnostics = true,
EnableHttpLogging = true
}
};
core.UseIdentityServer(idsrvOptions);
});
Login.html
var config = {
client_id: "mvc",
redirect_uri: "http://localhost:8080/loginCallback.html",
response_type: "id_token token",
scope: "openid email profile",
authority: "http://localhost:44319/core",
post_logout_redirect_uri: "http://localhost:8080/index.html"
};
var mgr = new OidcTokenManager(config);
更新 #2
开始,这是单声道与 Windows 的对比。在 Windows 中工作正常,在 Mono 中损坏。显然已知问题:https://github.com/IdentityServer/IdentityServer3/issues/1373#issuecomment-104756822
您请求的范围似乎在您的 Identity Server 实现中的客户端配置中未启用。
你应该有一个 class 与客户和他们的 ScopeRestrictions 像 this。您需要将电子邮件和配置文件范围添加到此范围列表。
事实证明,Microsoft 的 JWT 库解释 JWT 声明的方式存在错误。此处描述:https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/153
等待该拉取请求被接受或以其他方式解决问题。