授权服务器不支持使用该方式获取token

The authorization server does not support obtaining a token using this method

我正在使用 ORY Hydra 作为授权服务器,我正在尝试在调用授权端点时获得 id_token 和 access_token。

我的客户端是这样创建的

docker run --rm oryd/hydra clients create --audience my-aud -c http://localhost:3000 -g implicit --id test_token -n "Test getting an id_token" -a api,offline,openid -r id_token,token --token-endpoint-auth-method client_secret_post --endpoint http://10.1.0.147:4445

现在,如果我使用 response_type=token 调用我的客户端,我只能在响应中获得访问令牌

http://localhost:4444/oauth2/auth?client_id=test_token&login_verifier=dfb81eed26cf46f2832701f478c90d38&nonce=t12123421342313&provider=test&redirect_uri=http%3A%2F%2Flocalhost%3A3000&response_type=token&scope=api+openid+offline&state=xkm6tilq8ol7toxrib4ipxj6rckeen8kf

我收到回复

#access_token=eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzpmNTNhODI5Yi0wODFiLTQyMWItOTY3MS1kZWVkOGJlMTIxYzkiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiYXVkLWFwaSJdLCJjbGllbnRfaWQiOiJjb3JldGVjaF9jbGllbnQiLCJleHAiOjE1NjQwOTA3NDUsImV4dCI6eyJzdWJfaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL21hc3RlciJ9LCJpYXQiOjE1NjQwODcxNDUsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NDQ0NC8iLCJqdGkiOiJmZTA3Y2JjMC00Y2FiLTRkNjktYmNlYS05MzRhNzNhOTkxMzYiLCJuYmYiOjE1NjQwODcxNDUsInNjcCI6WyJhcGlfc2NvcGUiXSwic3ViIjoiOTU3ZTA4ZjYtZTgyMy00ZTBjLThkODAtZDU3NTM2NmNhYTgxIn0.r97Vp_tmVOMpar3OSiOhNEI6PxzLoKtHE6CEezVsteamf7_qOhP6pbIvW91D8EZutGUuG4sxaDpunNv22R9hVyIGqVHqssAPLk5k7f00_UNp4ZuSswHqPj7L1O2JOp6zx-Ybrs_XTy3qaH9Yt-ofB35Y95DTyIabTIbuCyz2q24soWbf7j3yhseU6OJYq66qnw2PyhhskUKlLiaWcapioH4vnKJwg2aq1G_NKTGnuM3-w7XjR0TWVUBk9UDYDl4yo_eZJ5gA71ew6g44eO-ubdpjS1ITbsS5Dda8-R8jvmooHnr8uS3yJ5vATnwgNMfSEwBMEvodeWLloj9w0pDUaj8-9X6MDDxXMitBYjRgMulQUc2J-bkZM0_I0V6gyrj2NY_T3wDR6vbDvGG9n2J-KRbzIp1UE3c_LOfeUyW0xNEksBTJkFBIcS5BY0L_PE8rdGeyJ9iHEIBpWYA7MZKymu2-o9qoBa_kTzMTKj_v98c_BEnnKs7-F1WqecO-YP6pPKX9rTBQhe-pf4iC4yeObngkPIcJE5j_TQlTyUwyW5LZJN2xJglGugeuAdS2LMh0MNuaeaFGttOobOS2pUaIbgdvKxV2oV3fxWPh5h8a7iEsJC4VD75CApQIc5l6EeMaHRLN2mAIodRP-Mae6ht9556X4ghloZ50v-WczGAvq3I&expires_in=3599&scope=api&state=n3vxns17tfx7xpkkm5v9dw0bb6565s8&token_type=bearer

但是,如果我现在在授权端点参数中包含 id_token

http://localhost:4444/oauth2/auth?client_id=test_token&login_verifier=dfb81eed26cf46f2832701f478c90d38&nonce=t12123421342313&provider=test&redirect_uri=http%3A%2F%2Flocalhost%3A3000&response_type=id_token&scope=api+openid+offline&state=xkm6tilq8ol7toxrib4ipxj6rckeen8kf

同意后,出现如下错误

?error=unsupported_response_type&error_description=The+authorization+server+does+not+support+obtaining+a+token+using+this+method&state=k3g94uqdy5ippyakeohsrwkpkrm1uh

我在这里做错了什么?

错误=unsupported_response_type

这意味着 ory/hydra Openid Connect 提供商不支持您请求的响应类型。

并且只检查他们的 GIT repository, it is certified 以下配置文件,

The following OpenID profiles are certified:

  • Basic OpenID Provider (response types code)
  • Implicit OpenID Provider (response types id_token, id_token+token)
  • Hybrid OpenID Provider (response types code+id_token, code+id_token+token, code+token)

因此您需要相应地更改响应类型以匹配他们支持的内容。

无论如何请注意隐式和混合流。尽管它们由 OpenID Connect 规范定义,但不建议使用。取而代之的是使用授权代码流程(根据上述描述的基本 openid 提供程序。)