IdentityServer4: "code challenge required" 在混合流下
IdentityServer4: "code challenge required" under hybrid flow
我有一个 MVC 客户端正在访问受 IDS4 服务器保护的 Web API。当我使用 ResponseType = "code" 时它工作得很好。但是,当我将其更改为 ResponseType = "code id_token"(混合流)时,我开始收到此“抱歉,出现错误:invalid_request 需要代码挑战”错误。
这是我在 IDS4 端的客户端配置:
new Client
{
ClientId = "mvc",
ClientSecrets = { new Secret("secret".Sha256()) },
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
RequirePkce = false,
//AllowedGrantTypes = GrantTypes.Code,
RedirectUris = { "https://localhost:6009/signin-oidc" },
PostLogoutRedirectUris = { "https://localhost:6009/signout-callback-oidc" },
AllowOfflineAccess = true,
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"roles",
"MyAPI"
}
这里是MVC客户端的配置。请注意,正是 'options.ResponseType = "code id_token"' 导致了错误的发生。如果我改用“代码”就不会出错。
.AddOpenIdConnect("oidc", options =>
{
options.Authority = "https://localhost:6005";
options.ClientId = "mvc";
options.ClientSecret = "secret";
//options.ResponseType = "code";
options.ResponseType = "code id_token";
options.SaveTokens = true;
options.Scope.Add("profile");
options.Scope.Add("email");
options.GetClaimsFromUserInfoEndpoint = true;
options.Scope.Add("roles");
options.ClaimActions.MapJsonKey("role", "role", "role");
options.TokenValidationParameters.RoleClaimType = "role";
options.Scope.Add("MyAPI");
options.Scope.Add("offline_access");
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name"
};
});
这是日志中的内容:
[2021-03-12T15:25:51.014Z] [4] [Error] Request validation failed
[2021-03-12T15:25:51.013Z] [4] [Error] code_challenge is missing
{
"ClientId": "mvc",
"RedirectUri": "https://localhost:6009/signin-oidc",
"AllowedRedirectUris": [
"https://localhost:6009/signin-oidc"
],
"SubjectId": "anonymous",
"ResponseType": "code id_token",
"ResponseMode": "fragment",
"GrantType": "hybrid",
"RequestedScopes": "",
"State": "CfDJ....8oxh4",
"PromptMode": "",
"Raw": {
"client_id": "mvc",
"redirect_uri": "https://localhost:6009/signin-oidc",
"response_type": "code id_token",
"scope": "openid profile email roles MyAPIoffline_access",
"response_mode": "form_post",
"nonce": "637511...lOGNh",
"state": "CfDJ8...8oxh4",
"x-client-SKU": "ID_NETSTANDARD2_0",
"x-client-ver": "5.5.0.0"
}
}
顺便说一下,我正在测试混合流程,因为我试图让 Windows 身份验证在 IDS4 下工作。我的本地登录有效但无效 Windows。一些资源说为此需要混合流。有人能告诉我我做错了什么吗?
可能是 IdentityServer 总是需要 PKCE,这就是为什么当您没有提供必要的质询时它会抱怨的原因。
多米尼克写道 here:
Code flow without PKCE is vulnerable to code injection attacks. That's why we do not expose it.
在客户端中添加代码 challenge/verifier 并不那么复杂。
以下是我在培训中介绍 OAuth 2.1 的方式 类:
我有一个 MVC 客户端正在访问受 IDS4 服务器保护的 Web API。当我使用 ResponseType = "code" 时它工作得很好。但是,当我将其更改为 ResponseType = "code id_token"(混合流)时,我开始收到此“抱歉,出现错误:invalid_request 需要代码挑战”错误。
这是我在 IDS4 端的客户端配置:
new Client
{
ClientId = "mvc",
ClientSecrets = { new Secret("secret".Sha256()) },
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
RequirePkce = false,
//AllowedGrantTypes = GrantTypes.Code,
RedirectUris = { "https://localhost:6009/signin-oidc" },
PostLogoutRedirectUris = { "https://localhost:6009/signout-callback-oidc" },
AllowOfflineAccess = true,
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"roles",
"MyAPI"
}
这里是MVC客户端的配置。请注意,正是 'options.ResponseType = "code id_token"' 导致了错误的发生。如果我改用“代码”就不会出错。
.AddOpenIdConnect("oidc", options =>
{
options.Authority = "https://localhost:6005";
options.ClientId = "mvc";
options.ClientSecret = "secret";
//options.ResponseType = "code";
options.ResponseType = "code id_token";
options.SaveTokens = true;
options.Scope.Add("profile");
options.Scope.Add("email");
options.GetClaimsFromUserInfoEndpoint = true;
options.Scope.Add("roles");
options.ClaimActions.MapJsonKey("role", "role", "role");
options.TokenValidationParameters.RoleClaimType = "role";
options.Scope.Add("MyAPI");
options.Scope.Add("offline_access");
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name"
};
});
这是日志中的内容:
[2021-03-12T15:25:51.014Z] [4] [Error] Request validation failed
[2021-03-12T15:25:51.013Z] [4] [Error] code_challenge is missing
{
"ClientId": "mvc",
"RedirectUri": "https://localhost:6009/signin-oidc",
"AllowedRedirectUris": [
"https://localhost:6009/signin-oidc"
],
"SubjectId": "anonymous",
"ResponseType": "code id_token",
"ResponseMode": "fragment",
"GrantType": "hybrid",
"RequestedScopes": "",
"State": "CfDJ....8oxh4",
"PromptMode": "",
"Raw": {
"client_id": "mvc",
"redirect_uri": "https://localhost:6009/signin-oidc",
"response_type": "code id_token",
"scope": "openid profile email roles MyAPIoffline_access",
"response_mode": "form_post",
"nonce": "637511...lOGNh",
"state": "CfDJ8...8oxh4",
"x-client-SKU": "ID_NETSTANDARD2_0",
"x-client-ver": "5.5.0.0"
}
}
顺便说一下,我正在测试混合流程,因为我试图让 Windows 身份验证在 IDS4 下工作。我的本地登录有效但无效 Windows。一些资源说为此需要混合流。有人能告诉我我做错了什么吗?
可能是 IdentityServer 总是需要 PKCE,这就是为什么当您没有提供必要的质询时它会抱怨的原因。
多米尼克写道 here:
Code flow without PKCE is vulnerable to code injection attacks. That's why we do not expose it.
在客户端中添加代码 challenge/verifier 并不那么复杂。
以下是我在培训中介绍 OAuth 2.1 的方式 类: