无法使用 IdentityServer3.AccessTokenValidation 验证令牌
unable to validate token using IdentityServer3.AccessTokenValidation
我正在尝试使用 IdentityServer3.AccessTokenValidation 验证从 IDS4 生成的令牌,但我每次都收到 401。
我遵循了我在不同文章中看到的建议:
- https://andrewlock.net/debugging-jwt-validation-problems-between-an-owin-app-and-identityserver4-2/
- https://github.com/joaocolombo/IS4/blob/master/ApiIdentity/ApiIdentityNetFramework/Startup.cs
public void Configuration(IAppBuilder app)
{
var config = new HttpConfiguration();
var builder = new ContainerBuilder();
builder.RegisterApiControllers(Assembly.GetExecutingAssembly());
var executingAssembly = Assembly.GetExecutingAssembly();
Api.Register(builder, executingAssembly);
builder.RegisterWebApiFilterProvider(GlobalConfiguration.Configuration);
builder.RegisterAssemblyModules(executingAssembly);
var container = builder.Build();
config.DependencyResolver = new AutofacWebApiDependencyResolver(container);
var webApiResolver = new AutofacWebApiDependencyResolver(container);
GlobalConfiguration.Configuration.DependencyResolver = webApiResolver;
app.UseCors(CorsOptions.AllowAll);
app.UseAutofacWebApi(config);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
var options = new IdentityServerBearerTokenAuthenticationOptions
{
Authority = ConfigurationManager.AppSettings["IdentityServer:Authority"],
AuthenticationType = "Bearer",
RequiredScopes = new[] { ConfigurationManager.AppSettings["IdentityServer:ApiScope"] },
};
app.UseIdentityServerBearerTokenAuthentication(options);
WebApiConfig.Register(config);
config.Filters.Add(new AuthorizeAttribute());
app.UseWebApi(config);
}
这应该授权我从应用程序发送的令牌,但是
授权应用于所有控制器,但我看到控制器的构造函数被命中但未调用操作,这是否意味着令牌验证工作正常?
但我看到我发送的权限也是正确的。
我在打开 katana 日志记录后收到以下错误:
IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider Information: 0 : Error returned from token validation endpoint: Not Found
Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Warning: 0 : invalid bearer token received
您需要 ClientId 和 Client Secret - Api 是一种资源,但由于您使用的是引用令牌,因此您需要这样的东西:
{
Authority = "https://idsrvurl:44333/core",
RequiredScopes = new[] { "api1" },
ClientId = "api1",
ClientSecret = "secret"
});
我在这个问题上花了很多时间。上面列出的解决方案在许多其他文章中都有,但它对我不起作用。
我为 Katana 添加了跟踪功能,这对我帮助很大。我补充说:
<system.diagnostics>
<trace autoflush="true" />
<sources>
<source name="Microsoft.Owin">
<listeners>
<add name="KatanaListener" />
</listeners>
</source>
</sources>
<sharedListeners>
<add name="KatanaListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="katana.trace.log" traceOutputOptions="ProcessId, DateTime" />
</sharedListeners>
<switches>
<add name="Microsoft.Owin" value="Verbose" />
</switches>
搜索这些错误,我发现这篇文章解决了我的问题:https://github.com/IdentityServer/IdentityServer4/issues/3705
我必须更改我的 IdServer4,以便它使用 JWT 令牌而不是 at+jwt。我还启用了 EmitLegacyResourceAudienceClaim。
后来我将 IdentityServer3.Contrib.AccessTokenValidation 添加到我的 webapi,以便它接受 JWT (at+jwt) 的显式输入。
我正在尝试使用 IdentityServer3.AccessTokenValidation 验证从 IDS4 生成的令牌,但我每次都收到 401。
我遵循了我在不同文章中看到的建议:
- https://andrewlock.net/debugging-jwt-validation-problems-between-an-owin-app-and-identityserver4-2/
- https://github.com/joaocolombo/IS4/blob/master/ApiIdentity/ApiIdentityNetFramework/Startup.cs
public void Configuration(IAppBuilder app)
{
var config = new HttpConfiguration();
var builder = new ContainerBuilder();
builder.RegisterApiControllers(Assembly.GetExecutingAssembly());
var executingAssembly = Assembly.GetExecutingAssembly();
Api.Register(builder, executingAssembly);
builder.RegisterWebApiFilterProvider(GlobalConfiguration.Configuration);
builder.RegisterAssemblyModules(executingAssembly);
var container = builder.Build();
config.DependencyResolver = new AutofacWebApiDependencyResolver(container);
var webApiResolver = new AutofacWebApiDependencyResolver(container);
GlobalConfiguration.Configuration.DependencyResolver = webApiResolver;
app.UseCors(CorsOptions.AllowAll);
app.UseAutofacWebApi(config);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
var options = new IdentityServerBearerTokenAuthenticationOptions
{
Authority = ConfigurationManager.AppSettings["IdentityServer:Authority"],
AuthenticationType = "Bearer",
RequiredScopes = new[] { ConfigurationManager.AppSettings["IdentityServer:ApiScope"] },
};
app.UseIdentityServerBearerTokenAuthentication(options);
WebApiConfig.Register(config);
config.Filters.Add(new AuthorizeAttribute());
app.UseWebApi(config);
}
这应该授权我从应用程序发送的令牌,但是 授权应用于所有控制器,但我看到控制器的构造函数被命中但未调用操作,这是否意味着令牌验证工作正常? 但我看到我发送的权限也是正确的。
我在打开 katana 日志记录后收到以下错误:
IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider Information: 0 : Error returned from token validation endpoint: Not Found Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Warning: 0 : invalid bearer token received
您需要 ClientId 和 Client Secret - Api 是一种资源,但由于您使用的是引用令牌,因此您需要这样的东西:
{
Authority = "https://idsrvurl:44333/core",
RequiredScopes = new[] { "api1" },
ClientId = "api1",
ClientSecret = "secret"
});
我在这个问题上花了很多时间。上面列出的解决方案在许多其他文章中都有,但它对我不起作用。
我为 Katana 添加了跟踪功能,这对我帮助很大。我补充说:
<system.diagnostics>
<trace autoflush="true" />
<sources>
<source name="Microsoft.Owin">
<listeners>
<add name="KatanaListener" />
</listeners>
</source>
</sources>
<sharedListeners>
<add name="KatanaListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="katana.trace.log" traceOutputOptions="ProcessId, DateTime" />
</sharedListeners>
<switches>
<add name="Microsoft.Owin" value="Verbose" />
</switches>
搜索这些错误,我发现这篇文章解决了我的问题:https://github.com/IdentityServer/IdentityServer4/issues/3705
我必须更改我的 IdServer4,以便它使用 JWT 令牌而不是 at+jwt。我还启用了 EmitLegacyResourceAudienceClaim。
后来我将 IdentityServer3.Contrib.AccessTokenValidation 添加到我的 webapi,以便它接受 JWT (at+jwt) 的显式输入。