IdentityServer3 - UserInfo 端点获取无效令牌

IdentityServer3 - UserInfo endpoint gets invalid token

我是 IdentityServer3 的新手,刚刚开始设置它。它似乎进展顺利,我一直在为类似于 Kevin Dockx 的 Pluralsight 课程中所示的 MVC 应用程序开发混合流程(http://www.pluralsight.com/courses/building-securing-restful-api-aspdotnet)-- 我正在使用自定义用户服务。

从 MVC 应用程序到我的身份服务器的身份验证效果很好,但是当我调用 userinfo 端点时,我总是得到一个未经授权的消息,响应中的 Bearer 是 "invalid token"。

我正在传递从原始 OpenIdConnectAuthentication 调用返回的访问令牌,它在 JWT 调试器中解码为以下内容:

{
  "client_id": "mvc",
  "scope": [
    "openid",
    "profile",
    "actioncenter"
  ],
 "sub": "erik",
 "amr": "password",
 "auth_time": 1437591012,
 "idp": "idsrv",
 "iss": "https://id.local/",
 "aud": "https://id.local/resources",
 "exp": 1437594614,
 "nbf": 1437591014
}

我还注意到返回的响应内容类似于 "RunToCompletion"。我已经从 Github 下载了源代码以查看调试的可能性,并怀疑它比我 运行 (1.6.2).

的 NuGet 包更新。

我怀疑我做错了什么,但我还没有看到。任何帮助将不胜感激。

我已经包含了我认为相关的代码。

来自 ID 服务器:

static class Clients
{
    public static List<Client> Get()
    {
        return new List<Client>
        {                
            new Client
            {
                ClientName = "MVC Client",
                ClientId = "mvc",
                Enabled = true,
                RequireConsent = true,

                RedirectUris = new List<string>     
                                   { "https://localhost:44300/" },
                AccessTokenType = AccessTokenType.Jwt,

                Flow = Flows.Hybrid,
                ScopeRestrictions = new List<string>()
                {
                    Constants.StandardScopes.OpenId,
                    Constants.StandardScopes.Profile,                       
                    "actioncenter"
                }

            }
        };
    }
static class Scopes
{
    public static List<Scope> Get()
    {
        return new List<Scope>
        {
            //identity scopes
            StandardScopes.OpenId,
            StandardScopes.Profile,
            //StandardScopes.EmailAlwaysInclude,
            //StandardScopes.PhoneAlwaysInclude,
            StandardScopes.Roles,

            //resource scopes
            new Scope
            {
                Name = "actioncenter",
                Type = ScopeType.Resource,
                Emphasize = false,
                Enabled = true,
                DisplayName = "Action Center"                    
            }
        };
    }
public class NwpIdentityUserService : IUserService
{
    public class CustomUser
    {
        public string Subject { get; set; }  // identifier for user
        public string Provider { get; set; } // provider name that did the auth for the user
        public string ProviderId { get; set; } // userid from the provider for this user
        public List<Claim> Claims { get; set; }
    }

    public Task<AuthenticateResult> PreAuthenticateAsync(SignInMessage message)
    {
        return Task.FromResult<AuthenticateResult>(null);
    }

    public Task<AuthenticateResult> AuthenticateLocalAsync(string username, string password, SignInMessage message)
    {
        AuthenticateResult result;

        if (username != password)
            result = new AuthenticateResult("Invalid username/password");
        else
            result = new AuthenticateResult(username, "erik", new List<Claim> { new Claim("role", "writer") });

        return Task.FromResult(result);
    }

    public Task<AuthenticateResult> AuthenticateExternalAsync(ExternalIdentity externalUser, SignInMessage message)
    {
        //var ourUserId = GetOurUserId()
        // LOGIC:
        // From the information in externalUser, determine our user ID
        // Assuming valid, return a new authenticate result with the nwp user name, claims, etc.

        return Task.FromResult<AuthenticateResult>(null);
    }

    public Task SignOutAsync(ClaimsPrincipal subject)
    {
        return Task.FromResult(0);
    }

    public Task<IEnumerable<Claim>> GetProfileDataAsync(ClaimsPrincipal subject, IEnumerable<string> requestedClaimTypes = null)
    {
        var nwpUserId = GetOurUserId(subject);
        if (nwpUserId == null)
            return Task.FromResult<IEnumerable<Claim>>(null);

        var claims = GetOurClaimsForUser(nwpUserId);
        return Task.FromResult(claims.Where(a => requestedClaimTypes.Contains(a.Type)));
    }

    private List<Claim> GetOurClaimsForUser(int? ourUserId)
    {
        var claims = new List<Claim>();
        claims.Add(new Claim("role", "basicuser"));

        return claims;
    }

    public Task<bool> IsActiveAsync(ClaimsPrincipal subject)
    {
        return Task.FromResult(GetOurUserId(subject) != null);
    }

    private int? GetOurUserId(ClaimsPrincipal subject)
    {
        var userclaim = subject.Claims.FirstOrDefault(a => a.Type == "name");
        if (userclaim == null)
            return null;

        return 123;
    }
}

以下是来自 MVC 客户端应用程序的相关代码 - response.StatusCode 始终未经授权,带有下面的 "invalid token" 承载消息:

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "mvc",
            Authority = "https://id.local/identity/",
            RedirectUri = "https://localhost:44300/",
            SignInAsAuthenticationType = "Cookies",
            ResponseType = "code id_token token",
            Scope = "openid profile actioncenter",

            Notifications = new OpenIdConnectAuthenticationNotifications()
            {
                MessageReceived = async n =>
                {
                    var userInfo = await GetUserInfoFromEndpoint(n.ProtocolMessage.AccessToken);
                }

            }
        });
    }

    private async Task<JObject> GetUserInfoFromEndpoint(string accessToken)
    {
        var client = new HttpClient();
        client.SetBearerToken(accessToken);

        var response = await client.GetAsync("https://id.local/identity/connect/userinfo");

        if (response.StatusCode == HttpStatusCode.OK)
        {
            var json = await response.Content.ReadAsStringAsync();
            return JObject.Parse(json);
        }
        var result = response.Content.ReadAsStringAsync();
        return null;
    }

}

根据 Ming 的建议查看 Thinktecture 日志后,我发现问题是框架正在调用 IsUserActiveAsync,并且由于我的模拟代码中的一个小错误而返回 false。当我修复它时,一切都开始工作了。