根据验证程序,远程证书无效(身份服务器托管在 azure 中)
remote certificate is invalid according to the validation procedure (Identity server Hosted in azure)
我尝试了很多,现在把它放在这里..所以我有一个应用程序服务,其中 API 身份服务器和 UI(Blazor) 托管在同一应用程序服务内的不同文件夹中现在我生成了 rsa 签名证书
[https://damienbod.com/2020/02/10/create-certificates-for-identityserver4-signing-using-net-core/](本博客post)
现在,即使我将托管身份服务器设置为提供者和本地主机(UI 和 Web API),在开发中一切正常
但是当我尝试访问托管 API 它的抛出错误(在日志中)并且我得到 401
如有任何帮助,我们将不胜感激
还有
我的身份服务器启动看起来像这样
public void ConfigureServices(IServiceCollection services)
{
var settings = config.GetSection("AppSettings").Get<AppSettings>();
X509Certificate2 rsaCertificate = null;
if (env.IsDevelopment())
{
rsaCertificate = new X509Certificate2(
Path.Combine(env.WebRootPath, "cert/rsaCert.pfx"), "password");
}
else
{
using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
certStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(
X509FindType.FindByThumbprint,
settings.CertificateDetails.CertificateThumbPrint,
false);
// Get the first cert with the thumbprint
if (certCollection.Count > 0)
{
rsaCertificate = certCollection[0];
}
}
}
var connectionString = config.GetConnectionString("DefaultConnection");
services.AddOidcStateDataFormatterCache();
services.AddDbContext<SeatingDBContext>(x =>
{
x.UseSqlServer(connectionString);
});
services.AddIdentity<ApplicationUser, ApplicationRole>(x =>
{
x.Password.RequiredLength = 4;
x.Password.RequireDigit = false;
x.Password.RequireNonAlphanumeric = false;
x.Password.RequireUppercase = false;
}).AddEntityFrameworkStores<SeatingDBContext>().
AddDefaultTokenProviders();
services.ConfigureApplicationCookie(x =>
{
x.Cookie.Name = "IdentityServer.Cookie";
x.LoginPath = "/Auth/Login";
});
var assembly = typeof(Startup).Assembly.GetName().Name;
services.AddIdentityServer(x =>
{
x.Events.RaiseErrorEvents = true;
x.Events.RaiseFailureEvents = true;
x.Events.RaiseSuccessEvents = true;
x.Events.RaiseInformationEvents = true;
}).AddAspNetIdentity<ApplicationUser>()
.AddInMemoryIdentityResources(Configuration.GetIdentityResources())
.AddInMemoryApiScopes(Configuration.GetApiScopes())
.AddInMemoryApiResources(Configuration.GetApis())
.AddInMemoryClients(Configuration.GetClients(settings.ClientApps))
.AddSigningCredential(rsaCertificate);
// .AddValidationKey(rsaCertificate);
services.AddScoped(typeof(IRepository<,>), typeof(Repository<,>));
services.AddTransient<IUserSyncService, UserSyncService>();
services.AddControllersWithViews();
}
我的网站 API 看起来像这样
public void ConfigureServices(IServiceCollection services)
{
var connectionString = Configuration.GetConnectionString("DefaultConnection");
var settings = Configuration.GetSection("AppSettings").Get<AppSettings>();
services.AddControllers();
services.AddDbContext<SeatingDBContext>(x => x.UseSqlServer(connectionString));
services.AddScoped(typeof(IRepository<,>), typeof(Repository<,>));
services.AddAutoMapper(typeof(Startup));
services.AddScoped<IEmailService, EmailService>();
services.AddSingleton<IEmailConfiguration>(settings.EmailConfiguration);
services.AddScoped<MailSender>();
services.AddControllers();
services.AddIdentityForWebApi<ApplicationUser, ApplicationRole>(x =>
{
x.Password.RequiredLength = 4;
x.Password.RequireDigit = false;
x.Password.RequireNonAlphanumeric = false;
x.Password.RequireUppercase = false;
}).AddEntityFrameworkStores<SeatingDBContext>();
services.AddAuthentication(defaultScheme:"Bearer")
.AddIdentityServerAuthentication("Bearer", config =>
{
config.Authority = settings.ODICSettings.Authority;
config.ApiName = settings.ODICSettings.Audience;
});
services.AddAuthorization(options =>
{
options.AddPolicy("ApiScope", policy =>
{
policy.RequireAuthenticatedUser();
foreach (string scope in settings.ODICSettings.scope)
policy.RequireClaim("scope", scope);
});
});
}
您不能将签名证书用作 HTTPS Web 证书。签名证书仅在 IdentityServer 签署 JWT 令牌时使用。
您需要从受信任的提供商(如 Lets Encrypt)获取真实证书并将其作为 TLS/HTTPS 证书单独安装。
签名证书和TLS/HTTPS证书是不同的东西,都需要正确配置。
我尝试了很多,现在把它放在这里..所以我有一个应用程序服务,其中 API 身份服务器和 UI(Blazor) 托管在同一应用程序服务内的不同文件夹中现在我生成了 rsa 签名证书
[https://damienbod.com/2020/02/10/create-certificates-for-identityserver4-signing-using-net-core/](本博客post)
现在,即使我将托管身份服务器设置为提供者和本地主机(UI 和 Web API),在开发中一切正常
但是当我尝试访问托管 API 它的抛出错误(在日志中)并且我得到 401
如有任何帮助,我们将不胜感激
还有
我的身份服务器启动看起来像这样
public void ConfigureServices(IServiceCollection services)
{
var settings = config.GetSection("AppSettings").Get<AppSettings>();
X509Certificate2 rsaCertificate = null;
if (env.IsDevelopment())
{
rsaCertificate = new X509Certificate2(
Path.Combine(env.WebRootPath, "cert/rsaCert.pfx"), "password");
}
else
{
using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
certStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(
X509FindType.FindByThumbprint,
settings.CertificateDetails.CertificateThumbPrint,
false);
// Get the first cert with the thumbprint
if (certCollection.Count > 0)
{
rsaCertificate = certCollection[0];
}
}
}
var connectionString = config.GetConnectionString("DefaultConnection");
services.AddOidcStateDataFormatterCache();
services.AddDbContext<SeatingDBContext>(x =>
{
x.UseSqlServer(connectionString);
});
services.AddIdentity<ApplicationUser, ApplicationRole>(x =>
{
x.Password.RequiredLength = 4;
x.Password.RequireDigit = false;
x.Password.RequireNonAlphanumeric = false;
x.Password.RequireUppercase = false;
}).AddEntityFrameworkStores<SeatingDBContext>().
AddDefaultTokenProviders();
services.ConfigureApplicationCookie(x =>
{
x.Cookie.Name = "IdentityServer.Cookie";
x.LoginPath = "/Auth/Login";
});
var assembly = typeof(Startup).Assembly.GetName().Name;
services.AddIdentityServer(x =>
{
x.Events.RaiseErrorEvents = true;
x.Events.RaiseFailureEvents = true;
x.Events.RaiseSuccessEvents = true;
x.Events.RaiseInformationEvents = true;
}).AddAspNetIdentity<ApplicationUser>()
.AddInMemoryIdentityResources(Configuration.GetIdentityResources())
.AddInMemoryApiScopes(Configuration.GetApiScopes())
.AddInMemoryApiResources(Configuration.GetApis())
.AddInMemoryClients(Configuration.GetClients(settings.ClientApps))
.AddSigningCredential(rsaCertificate);
// .AddValidationKey(rsaCertificate);
services.AddScoped(typeof(IRepository<,>), typeof(Repository<,>));
services.AddTransient<IUserSyncService, UserSyncService>();
services.AddControllersWithViews();
}
我的网站 API 看起来像这样
public void ConfigureServices(IServiceCollection services)
{
var connectionString = Configuration.GetConnectionString("DefaultConnection");
var settings = Configuration.GetSection("AppSettings").Get<AppSettings>();
services.AddControllers();
services.AddDbContext<SeatingDBContext>(x => x.UseSqlServer(connectionString));
services.AddScoped(typeof(IRepository<,>), typeof(Repository<,>));
services.AddAutoMapper(typeof(Startup));
services.AddScoped<IEmailService, EmailService>();
services.AddSingleton<IEmailConfiguration>(settings.EmailConfiguration);
services.AddScoped<MailSender>();
services.AddControllers();
services.AddIdentityForWebApi<ApplicationUser, ApplicationRole>(x =>
{
x.Password.RequiredLength = 4;
x.Password.RequireDigit = false;
x.Password.RequireNonAlphanumeric = false;
x.Password.RequireUppercase = false;
}).AddEntityFrameworkStores<SeatingDBContext>();
services.AddAuthentication(defaultScheme:"Bearer")
.AddIdentityServerAuthentication("Bearer", config =>
{
config.Authority = settings.ODICSettings.Authority;
config.ApiName = settings.ODICSettings.Audience;
});
services.AddAuthorization(options =>
{
options.AddPolicy("ApiScope", policy =>
{
policy.RequireAuthenticatedUser();
foreach (string scope in settings.ODICSettings.scope)
policy.RequireClaim("scope", scope);
});
});
}
您不能将签名证书用作 HTTPS Web 证书。签名证书仅在 IdentityServer 签署 JWT 令牌时使用。
您需要从受信任的提供商(如 Lets Encrypt)获取真实证书并将其作为 TLS/HTTPS 证书单独安装。
签名证书和TLS/HTTPS证书是不同的东西,都需要正确配置。