使用 OpenIdDict 时不允许 'offline_access' 范围
The 'offline_access' scope is not allowed when using OpenIdDict
使用 Asp.Net Core 5.0 with Identity 和 OpenIdDict 我有以下内容:
services.AddOpenIddict()
.AddCore(x => {
x.UseEntityFrameworkCore().UseDbContext<Context>().ReplaceDefaultEntities<Application, Authorization, Scope, Token, Int32>();
})
.AddServer(x => {
x.SetAuthorizationEndpointUris("/connect/authorize")
.SetLogoutEndpointUris("/connect/logout")
.SetTokenEndpointUris("/connect/token")
.SetUserinfoEndpointUris("/connect/userinfo");
x.RegisterScopes(OpenIddictConstants.Scopes.Profile, OpenIddictConstants.Scopes.Email, OpenIddictConstants.Scopes.OfflineAccess);
x.AllowAuthorizationCodeFlow();
x.AddDevelopmentEncryptionCertificate().AddDevelopmentSigningCertificate();
x.UseAspNetCore()
.EnableAuthorizationEndpointPassthrough()
.EnableLogoutEndpointPassthrough()
.EnableTokenEndpointPassthrough()
.EnableUserinfoEndpointPassthrough()
.EnableStatusCodePagesIntegration();
})
.AddValidation(x => {
x.UseLocalServer();
x.UseAspNetCore();
});
我有以下客户:
OpenIddictApplicationDescriptor spa = new OpenIddictApplicationDescriptor {
ClientId = "spa",
ClientSecret = "secret",
ConsentType = OpenIddictConstants.ConsentTypes.Implicit,
PostLogoutRedirectUris = {
new Uri("https://localhost:5002/oidc-signout")
},
RedirectUris = {
new Uri("https://localhost:5002/oidc-signin"),
new Uri("https://localhost:5002/oidc-silent-refresh")
},
Permissions = {
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.Endpoints.Logout,
OpenIddictConstants.Permissions.Endpoints.Token,
OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
OpenIddictConstants.Permissions.ResponseTypes.Code,
OpenIddictConstants.Permissions.Scopes.Email,
OpenIddictConstants.Permissions.Scopes.Profile,
OpenIddictConstants.Permissions.Prefixes.Scope + "api"
},
Requirements = {
OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange
}
};
在 Angular Spa 客户端应用程序上,我使用的配置是:
const settings: UserManagerSettings = {
automaticSilentRenew: true,
authority: "https://localhost:5000",
client_id: 'spa',
client_secret: 'secret',
filterProtocolClaims: true,
loadUserInfo: true,
post_logout_redirect_uri: "https://localhost:5002/oidc-signout",
redirect_uri: "https://localhost:5002/oidc-signin",
response_mode: 'query',
response_type: 'code',
scope: 'openid profile email offline_access api',
silent_redirect_uri: 'https://localhost:5002/oidc-silent-refresh'
};
当我点击 SPA 登录时,我被重定向并收到错误:
The 'offline_access' scope is not allowed.
如果我在没有 'offline_access' 的情况下使用它,那么一切正常,例如:
scope: 'openid profile email api'
我错过了什么?
在可以使用 offline_access 范围之前,应启用刷新令牌流。
在您的 Startup.cs 中,您应该更改此行:
x.AllowAuthorizationCodeFlow();
变成这样的东西:
x.AllowAuthorizationCodeFlow().AllowRefreshTokenFlow();
还有一个 GitHub issue 与您的问题有关。
使用 Asp.Net Core 5.0 with Identity 和 OpenIdDict 我有以下内容:
services.AddOpenIddict()
.AddCore(x => {
x.UseEntityFrameworkCore().UseDbContext<Context>().ReplaceDefaultEntities<Application, Authorization, Scope, Token, Int32>();
})
.AddServer(x => {
x.SetAuthorizationEndpointUris("/connect/authorize")
.SetLogoutEndpointUris("/connect/logout")
.SetTokenEndpointUris("/connect/token")
.SetUserinfoEndpointUris("/connect/userinfo");
x.RegisterScopes(OpenIddictConstants.Scopes.Profile, OpenIddictConstants.Scopes.Email, OpenIddictConstants.Scopes.OfflineAccess);
x.AllowAuthorizationCodeFlow();
x.AddDevelopmentEncryptionCertificate().AddDevelopmentSigningCertificate();
x.UseAspNetCore()
.EnableAuthorizationEndpointPassthrough()
.EnableLogoutEndpointPassthrough()
.EnableTokenEndpointPassthrough()
.EnableUserinfoEndpointPassthrough()
.EnableStatusCodePagesIntegration();
})
.AddValidation(x => {
x.UseLocalServer();
x.UseAspNetCore();
});
我有以下客户:
OpenIddictApplicationDescriptor spa = new OpenIddictApplicationDescriptor {
ClientId = "spa",
ClientSecret = "secret",
ConsentType = OpenIddictConstants.ConsentTypes.Implicit,
PostLogoutRedirectUris = {
new Uri("https://localhost:5002/oidc-signout")
},
RedirectUris = {
new Uri("https://localhost:5002/oidc-signin"),
new Uri("https://localhost:5002/oidc-silent-refresh")
},
Permissions = {
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.Endpoints.Logout,
OpenIddictConstants.Permissions.Endpoints.Token,
OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
OpenIddictConstants.Permissions.ResponseTypes.Code,
OpenIddictConstants.Permissions.Scopes.Email,
OpenIddictConstants.Permissions.Scopes.Profile,
OpenIddictConstants.Permissions.Prefixes.Scope + "api"
},
Requirements = {
OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange
}
};
在 Angular Spa 客户端应用程序上,我使用的配置是:
const settings: UserManagerSettings = {
automaticSilentRenew: true,
authority: "https://localhost:5000",
client_id: 'spa',
client_secret: 'secret',
filterProtocolClaims: true,
loadUserInfo: true,
post_logout_redirect_uri: "https://localhost:5002/oidc-signout",
redirect_uri: "https://localhost:5002/oidc-signin",
response_mode: 'query',
response_type: 'code',
scope: 'openid profile email offline_access api',
silent_redirect_uri: 'https://localhost:5002/oidc-silent-refresh'
};
当我点击 SPA 登录时,我被重定向并收到错误:
The 'offline_access' scope is not allowed.
如果我在没有 'offline_access' 的情况下使用它,那么一切正常,例如:
scope: 'openid profile email api'
我错过了什么?
在可以使用 offline_access 范围之前,应启用刷新令牌流。
在您的 Startup.cs 中,您应该更改此行:
x.AllowAuthorizationCodeFlow();
变成这样的东西:
x.AllowAuthorizationCodeFlow().AllowRefreshTokenFlow();
还有一个 GitHub issue 与您的问题有关。