Client secret validation failed for client, Invalid client secret on Authorization code flow
I am using oidc-client-js with IdentityServer4 and keep getting the error
Client secret validation failed for client, Invalid client secret
on the authorization code flow.
OIDC settings
private getClientSettings(): any {
    return {
        authority: "https://localhost:5001",
        client_id: "Local",
        // no client_secret here: a browser app cannot keep one
        redirect_uri: "https://localhost:5001/auth-callback",
        post_logout_redirect_uri: "https://localhost:5001",
        response_type: "code",
        scope: "profile openid email IdentityPortal.API offline_access",
        //filterProtocolClaims: environment.openID.filterProtocolClaims,
        loadUserInfo: true,
        monitorSession: true,
        silent_redirect_uri: "https://localhost:5001/silent-reniew.html",
        accessTokenExpiringNotificationTime: 20, //default 60
        checkSessionInterval: 5000, //default 2000
        silentRequestTimeout: 2000,
    };
}
IdentityServer4 configuration
public static IEnumerable<Client> GetClients()
{
    // SPA client using the authorization code flow
    // (RequireClientSecret is not set, so it keeps its default of true)
    return new List<Client>
    {
        new Client
        {
            ClientId = "Local",
            //ClientName = "Local",
            AllowedCorsOrigins = new List<string> { "http://localhost:4200", "https://localhost:4200" },
            AllowedGrantTypes = GrantTypes.Code,
            AllowAccessTokensViaBrowser = true,
            AccessTokenLifetime = 86400,
            RequireConsent = false,
            UpdateAccessTokenClaimsOnRefresh = true,
            RedirectUris = LocalRedirectUris(),
            PostLogoutRedirectUris = LocalRedirectUris(),
            AllowedScopes = AllowedScopes(),
            AllowOfflineAccess = true,
        }
    };
}
Log from IdentityServer
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token
info: IdentityServer4.Events.DefaultEventService[0]
{
"Name": "Client Authentication Failure",
"Category": "Authentication",
"EventType": "Failure",
"Id": 1011,
"ClientId": "Local",
"Message": "Invalid client secret",
"ActivityId": "0HLVQDNPJELVT:00000015",
"TimeStamp": "2020-05-17T14:26:15Z",
"ProcessId": 11600,
"LocalIpAddress": "::1:5001",
"RemoteIpAddress": "::1"
}
fail: IdentityServer4.Validation.ClientSecretValidator[0]
Client secret validation failed for client: Local.
https://localhost:5001/connect/token
returned 400 Bad Request
Content-Type: application/x-www-form-urlencoded
Form data
client_id: Local
code: Pu5XVqWcaOavZYWOJqy07gHU7WYJ3aCQ_NBkpzszLnA
redirect_uri: https%3A%2F%2Flocalhost%3A5001%2Fauth-callback
code_verifier: 7985598b08fe49c49c37e3ef9e909295aeacc16b1b904e8990d7438cc60edb377bd31ee6d466489bbde9c75170470048
grant_type: authorization_code
You don't use a client secret at all for JavaScript-based single page applications (SPAs) such as React, because these browser-based applications cannot be trusted to keep a secret safe. The recommended approach for a SPA is the authorization code flow with PKCE (not implicit). You should consider implementing it.
Edit: for that you need to set RequireClientSecret = false and RequirePkce = true in the client settings.