OpenIddict 支持通过邮递员的 GET 请求返回授权码
OpenIddict support returning authorization code via GET request for postman
我已经使用 OpenIddict 3.1.1 设置了一个授权服务器(移植到一个直接使用旧版 ASOS 包的现有服务器)。我相信我已经完成了大部分工作,因为在使用客户端应用程序时,我能够登录、同意、重定向回客户端,并用授权代码交换访问令牌。
但是,当我尝试使用 Postman 的 OAuth 2.0 身份验证支持执行相同操作时,我能够登录(并表示同意),但是当它完成并且 returns 授权代码时,我收到了一个来自 https://oauth.pstmn.io/v1/callback 的 HTTP 403,我被重定向到:
403 ERROR
The request could not be satisfied.
This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
Generated by cloudfront (CloudFront)
Request ID: UAXpago6ISiqbgm9U_SVPwh96qz1qoveZWFd0Cra-2FximeWZiY2aQ==
据我所知,这是因为 OpenIddict 正在向回调 url 发出 POST 请求。这适用于我的客户端应用程序,但显然不受 Postman 支持。
我需要对 OpenIddict 进行哪些配置调整才能在邮递员中支持此功能?
OpenIddict 相关配置在Startup.ConfigureServices:
services.AddOpenIddict()
.AddCore(options => {
options.AddApplicationStore<ClientStore>();
options.UseEntityFramework()
.UseDbContext<OAuthServerDbContext>()
.ReplaceDefaultEntities<Client, Authorization, OAuthScope, Token, long>()
;
})
.AddServer(options => {
options.RegisterClaims();
options.RegisterScopes(OpenIddictConstants.Scopes.OpenId,
OpenIddictConstants.Scopes.Email,
OpenIddictConstants.Scopes.OfflineAccess,
OpenIddictConstants.Scopes.Profile,
"user");
// flows
options.AllowAuthorizationCodeFlow();
options.AllowRefreshTokenFlow();
options.AllowPasswordFlow();
options.AllowHybridFlow();
// implicit is used by postman
options.AllowImplicitFlow();
var serviceProvider = options.Services.BuildServiceProvider();
var oauthConstants = serviceProvider.GetRequiredService<IOptions<OAuthConstants>>().Value;
var tokenLifetimes = serviceProvider
.GetRequiredService<IOptions<OpenIdConnectServerTokenLifetimeSettings>>().Value;
// security
options.SetAccessTokenLifetime(tokenLifetimes.AccessTokenLifetime)
.SetAuthorizationCodeLifetime(tokenLifetimes.AuthorizationCodeLifetime)
.SetIdentityTokenLifetime(tokenLifetimes.IdentityTokenLifetime)
.SetRefreshTokenLifetime(tokenLifetimes.RefreshTokenLifetime);
options.SetIssuer(new Uri("https://localhost/oauth/"));
// custom handlers added here
options.AddEventHandlers();
// certificate details hidden
options.AddEncryptionCertificate(certificate);
// endpoints
options.SetAuthorizationEndpointUris("/OpenIdConnect/Authorize");
options.SetLogoutEndpointUris("/OpenIdConnect/Logout", "/Account/Logout");
options.SetRevocationEndpointUris("/OpenIdConnect/Revoke");
options.SetTokenEndpointUris("/OpenIdConnect/Token");
options.SetCryptographyEndpointUris("/OpenIdConnect/JWKDoc");
options.SetUserinfoEndpointUris("/OpenIdConnect/UserInfo");
options.UseAspNetCore()
.EnableStatusCodePagesIntegration()
.EnableAuthorizationEndpointPassthrough()
//.EnableTokenEndpointPassthrough()
.EnableLogoutEndpointPassthrough()
.EnableUserinfoEndpointPassthrough()
;
})
.AddValidation(options => {
options.UseLocalServer();
options.UseAspNetCore();
var serviceProvider = options.Services.BuildServiceProvider();
var config = serviceProvider.GetRequiredService<IConfiguration>();
options.SetClientId(config.GetValue<string>(nameof(Settings.OAuthClientId)));
options.SetClientSecret(config.GetValue<string>(nameof(Settings.ClientSecret)));
// certificate details hidden
options.AddEncryptionCertificate(certificate);
});
邮递员详细信息:
Authorization
Token Name: Redacted
Grant Type: Authorization Code
Callback URL: disabled, https://oauth.pstmn.io/v1/callback
Authorize using browser: checked
Auth URL: https://localhost/oauth/OpenIdConnect/Authorize
Access Token URL: https://localhost/oauth/OpenIdConnect/Token
Client ID: redacted, but correct
Client Secret: redacted, but correct
Scope: openid offline_access
State:
Client Authentication: Send client credentials in body
edit:它发送给 postman 回调 URI 的响应在正文中确实包含授权代码,但是由于 403 响应,Postman 没有解析它并发出后续请求来交换令牌代码。
您可以设置一个选项来控制授权码是在 URL 中作为查询字符串接收还是在正文中作为 post 接收。选项是 response_mode 并且您作为客户端控制它。
我相信如果它不设置为response_mode=form_post,那么您将获得URL中的代码。
查看此参数的详细信息here。
我已经使用 OpenIddict 3.1.1 设置了一个授权服务器(移植到一个直接使用旧版 ASOS 包的现有服务器)。我相信我已经完成了大部分工作,因为在使用客户端应用程序时,我能够登录、同意、重定向回客户端,并用授权代码交换访问令牌。
但是,当我尝试使用 Postman 的 OAuth 2.0 身份验证支持执行相同操作时,我能够登录(并表示同意),但是当它完成并且 returns 授权代码时,我收到了一个来自 https://oauth.pstmn.io/v1/callback 的 HTTP 403,我被重定向到:
403 ERROR The request could not be satisfied. This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner. If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation. Generated by cloudfront (CloudFront) Request ID: UAXpago6ISiqbgm9U_SVPwh96qz1qoveZWFd0Cra-2FximeWZiY2aQ==
据我所知,这是因为 OpenIddict 正在向回调 url 发出 POST 请求。这适用于我的客户端应用程序,但显然不受 Postman 支持。
我需要对 OpenIddict 进行哪些配置调整才能在邮递员中支持此功能?
OpenIddict 相关配置在Startup.ConfigureServices:
services.AddOpenIddict()
.AddCore(options => {
options.AddApplicationStore<ClientStore>();
options.UseEntityFramework()
.UseDbContext<OAuthServerDbContext>()
.ReplaceDefaultEntities<Client, Authorization, OAuthScope, Token, long>()
;
})
.AddServer(options => {
options.RegisterClaims();
options.RegisterScopes(OpenIddictConstants.Scopes.OpenId,
OpenIddictConstants.Scopes.Email,
OpenIddictConstants.Scopes.OfflineAccess,
OpenIddictConstants.Scopes.Profile,
"user");
// flows
options.AllowAuthorizationCodeFlow();
options.AllowRefreshTokenFlow();
options.AllowPasswordFlow();
options.AllowHybridFlow();
// implicit is used by postman
options.AllowImplicitFlow();
var serviceProvider = options.Services.BuildServiceProvider();
var oauthConstants = serviceProvider.GetRequiredService<IOptions<OAuthConstants>>().Value;
var tokenLifetimes = serviceProvider
.GetRequiredService<IOptions<OpenIdConnectServerTokenLifetimeSettings>>().Value;
// security
options.SetAccessTokenLifetime(tokenLifetimes.AccessTokenLifetime)
.SetAuthorizationCodeLifetime(tokenLifetimes.AuthorizationCodeLifetime)
.SetIdentityTokenLifetime(tokenLifetimes.IdentityTokenLifetime)
.SetRefreshTokenLifetime(tokenLifetimes.RefreshTokenLifetime);
options.SetIssuer(new Uri("https://localhost/oauth/"));
// custom handlers added here
options.AddEventHandlers();
// certificate details hidden
options.AddEncryptionCertificate(certificate);
// endpoints
options.SetAuthorizationEndpointUris("/OpenIdConnect/Authorize");
options.SetLogoutEndpointUris("/OpenIdConnect/Logout", "/Account/Logout");
options.SetRevocationEndpointUris("/OpenIdConnect/Revoke");
options.SetTokenEndpointUris("/OpenIdConnect/Token");
options.SetCryptographyEndpointUris("/OpenIdConnect/JWKDoc");
options.SetUserinfoEndpointUris("/OpenIdConnect/UserInfo");
options.UseAspNetCore()
.EnableStatusCodePagesIntegration()
.EnableAuthorizationEndpointPassthrough()
//.EnableTokenEndpointPassthrough()
.EnableLogoutEndpointPassthrough()
.EnableUserinfoEndpointPassthrough()
;
})
.AddValidation(options => {
options.UseLocalServer();
options.UseAspNetCore();
var serviceProvider = options.Services.BuildServiceProvider();
var config = serviceProvider.GetRequiredService<IConfiguration>();
options.SetClientId(config.GetValue<string>(nameof(Settings.OAuthClientId)));
options.SetClientSecret(config.GetValue<string>(nameof(Settings.ClientSecret)));
// certificate details hidden
options.AddEncryptionCertificate(certificate);
});
邮递员详细信息:
Authorization Token Name: Redacted Grant Type: Authorization Code Callback URL: disabled, https://oauth.pstmn.io/v1/callback Authorize using browser: checked Auth URL: https://localhost/oauth/OpenIdConnect/Authorize Access Token URL: https://localhost/oauth/OpenIdConnect/Token Client ID: redacted, but correct Client Secret: redacted, but correct Scope: openid offline_access State: Client Authentication: Send client credentials in body
edit:它发送给 postman 回调 URI 的响应在正文中确实包含授权代码,但是由于 403 响应,Postman 没有解析它并发出后续请求来交换令牌代码。
您可以设置一个选项来控制授权码是在 URL 中作为查询字符串接收还是在正文中作为 post 接收。选项是 response_mode 并且您作为客户端控制它。
我相信如果它不设置为response_mode=form_post,那么您将获得URL中的代码。
查看此参数的详细信息here。