UnauthorizedError: jwt audience invalid. expected:

UnauthorizedError: jwt audience invalid. expected:

我正在尝试使用 IdentityServer4 来保护我的节点API。

export const jwtauth = jwt({
  secret: jwksClient.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 2,
    jwksUri: `${identity_authority}/.well-known/openid-configuration/jwks`
  }),

  // validate the audience & issuer from received token vs JWKS endpoint
  audience:'projectapi',
  issuer: `${identity_authority}`,
  algorithms: ['RS256']
})

我认为我做的一切都是正确的,但是当我从 Web 应用程序调用 API 时,我收到此错误:

UnauthorizedError: jwt audience invalid. expected: projectapi

根据我所做的所有研究,有人建议将观众更改为 aud: 'projectapi',我试过它没有用。

public static IEnumerable<Client> Clients =>
    new Client[]
    {
        new Client
        {
            ClientId = "portal",
            ClientName = "portal",

            AllowedGrantTypes = GrantTypes.Implicit,
            AllowAccessTokensViaBrowser = true,

            RequireConsent = false,

            RedirectUris = new List<string> {
                "https://url/oidc-callback",
                "https://url/oidc-silent-renew.html"
            },
            PostLogoutRedirectUris = { "https://url/logout" },
            AllowedCorsOrigins = new List<string> { "https://url" },

            AllowedScopes = new List<string>
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                IdentityServerConstants.StandardScopes.Email,
                "authenticationapi",
                "projectapi",
                "workflowapi"
            }
        }
    };
    }

public static IEnumerable<ApiScope> ApiScopes =>
            new List<ApiScope>
            {
                       new ApiScope("authenticationapi", "Authentication API"),
                       new ApiScope("projectapi", "Project API"),
                       new ApiScope("workflowapi", "Project Workflow API")
            };

access_token:

{
  "nbf": 1597959828,
  "exp": 1597960728,
  "iss": "https://url",
  "aud": "https://url/resources",
  "client_id": "portal",
  "sub": "183d2e05-3c19-44c0-a8c5-bfa29320b10b",
  "auth_time": 1597959828,
  "idp": "local",
  "email": "text@email.com",
  "name": "text@email.com",
  "family_name": "test",
  "given_name": "test",
  "role": "User",
  "jti": "5CD7A8058DAE31615529A0EBCC7334E2",
  "sid": "BA53399482221C789A1BB07F393C2806",
  "iat": 1597959828,
  "scope": [
    "openid",
    "profile",
    "email",
    "projectapi",
    "workflowapi",
    "authenticationapi"
  ],
  "amr": [
    "pwd"
  ]
}

您已经创建了 API 个范围,但我在您的代码中没有看到任何 API 资源。

请添加名为 projectapi 的 API 资源。

对于identityserver4的实现你可以参考here

public static IEnumerable<APIResource> getApiResource(){
    return new []{
        new APIResource {
            Name = "projectapi",
            DisplayName = "Api",
            Description = "your description",
            Scopes = new List<string> {//add your scopes here},
            ApiSecrets = new List<Secret> {new Secret("secretpassword".Sha256())},
            UserClaims = new List<string> {//user claims}
        }
    }
}

在Startup.cs的内存中也添加此资源:

.AddInMemoryApiResources(//call the function created above);

在添加所有内存客户端和 Api 范围的地方添加这一行