UnauthorizedError: jwt audience invalid. expected:
UnauthorizedError: jwt audience invalid. expected:
我正在尝试使用 IdentityServer4 来保护我的节点API。
export const jwtauth = jwt({
secret: jwksClient.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 2,
jwksUri: `${identity_authority}/.well-known/openid-configuration/jwks`
}),
// validate the audience & issuer from received token vs JWKS endpoint
audience:'projectapi',
issuer: `${identity_authority}`,
algorithms: ['RS256']
})
我认为我做的一切都是正确的,但是当我从 Web 应用程序调用 API 时,我收到此错误:
UnauthorizedError: jwt audience invalid. expected: projectapi
根据我所做的所有研究,有人建议将观众更改为 aud: 'projectapi'
,我试过它没有用。
public static IEnumerable<Client> Clients =>
new Client[]
{
new Client
{
ClientId = "portal",
ClientName = "portal",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RequireConsent = false,
RedirectUris = new List<string> {
"https://url/oidc-callback",
"https://url/oidc-silent-renew.html"
},
PostLogoutRedirectUris = { "https://url/logout" },
AllowedCorsOrigins = new List<string> { "https://url" },
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"authenticationapi",
"projectapi",
"workflowapi"
}
}
};
}
public static IEnumerable<ApiScope> ApiScopes =>
new List<ApiScope>
{
new ApiScope("authenticationapi", "Authentication API"),
new ApiScope("projectapi", "Project API"),
new ApiScope("workflowapi", "Project Workflow API")
};
access_token:
{
"nbf": 1597959828,
"exp": 1597960728,
"iss": "https://url",
"aud": "https://url/resources",
"client_id": "portal",
"sub": "183d2e05-3c19-44c0-a8c5-bfa29320b10b",
"auth_time": 1597959828,
"idp": "local",
"email": "text@email.com",
"name": "text@email.com",
"family_name": "test",
"given_name": "test",
"role": "User",
"jti": "5CD7A8058DAE31615529A0EBCC7334E2",
"sid": "BA53399482221C789A1BB07F393C2806",
"iat": 1597959828,
"scope": [
"openid",
"profile",
"email",
"projectapi",
"workflowapi",
"authenticationapi"
],
"amr": [
"pwd"
]
}
您已经创建了 API 个范围,但我在您的代码中没有看到任何 API 资源。
请添加名为 projectapi 的 API 资源。
对于identityserver4的实现你可以参考here
public static IEnumerable<APIResource> getApiResource(){
return new []{
new APIResource {
Name = "projectapi",
DisplayName = "Api",
Description = "your description",
Scopes = new List<string> {//add your scopes here},
ApiSecrets = new List<Secret> {new Secret("secretpassword".Sha256())},
UserClaims = new List<string> {//user claims}
}
}
}
在Startup.cs的内存中也添加此资源:
.AddInMemoryApiResources(//call the function created above);
在添加所有内存客户端和 Api 范围的地方添加这一行
我正在尝试使用 IdentityServer4 来保护我的节点API。
export const jwtauth = jwt({
secret: jwksClient.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 2,
jwksUri: `${identity_authority}/.well-known/openid-configuration/jwks`
}),
// validate the audience & issuer from received token vs JWKS endpoint
audience:'projectapi',
issuer: `${identity_authority}`,
algorithms: ['RS256']
})
我认为我做的一切都是正确的,但是当我从 Web 应用程序调用 API 时,我收到此错误:
UnauthorizedError: jwt audience invalid. expected: projectapi
根据我所做的所有研究,有人建议将观众更改为 aud: 'projectapi'
,我试过它没有用。
public static IEnumerable<Client> Clients =>
new Client[]
{
new Client
{
ClientId = "portal",
ClientName = "portal",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RequireConsent = false,
RedirectUris = new List<string> {
"https://url/oidc-callback",
"https://url/oidc-silent-renew.html"
},
PostLogoutRedirectUris = { "https://url/logout" },
AllowedCorsOrigins = new List<string> { "https://url" },
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"authenticationapi",
"projectapi",
"workflowapi"
}
}
};
}
public static IEnumerable<ApiScope> ApiScopes =>
new List<ApiScope>
{
new ApiScope("authenticationapi", "Authentication API"),
new ApiScope("projectapi", "Project API"),
new ApiScope("workflowapi", "Project Workflow API")
};
access_token:
{
"nbf": 1597959828,
"exp": 1597960728,
"iss": "https://url",
"aud": "https://url/resources",
"client_id": "portal",
"sub": "183d2e05-3c19-44c0-a8c5-bfa29320b10b",
"auth_time": 1597959828,
"idp": "local",
"email": "text@email.com",
"name": "text@email.com",
"family_name": "test",
"given_name": "test",
"role": "User",
"jti": "5CD7A8058DAE31615529A0EBCC7334E2",
"sid": "BA53399482221C789A1BB07F393C2806",
"iat": 1597959828,
"scope": [
"openid",
"profile",
"email",
"projectapi",
"workflowapi",
"authenticationapi"
],
"amr": [
"pwd"
]
}
您已经创建了 API 个范围,但我在您的代码中没有看到任何 API 资源。
请添加名为 projectapi 的 API 资源。
对于identityserver4的实现你可以参考here
public static IEnumerable<APIResource> getApiResource(){
return new []{
new APIResource {
Name = "projectapi",
DisplayName = "Api",
Description = "your description",
Scopes = new List<string> {//add your scopes here},
ApiSecrets = new List<Secret> {new Secret("secretpassword".Sha256())},
UserClaims = new List<string> {//user claims}
}
}
}
在Startup.cs的内存中也添加此资源:
.AddInMemoryApiResources(//call the function created above);
在添加所有内存客户端和 Api 范围的地方添加这一行