Separating the authorization server and the resource server with AspNet.Security.OpenIdConnect.Server - audience?

Problem description

In the example, AspNet.Security.OpenIdConnect.Server looks to me like it is both the authority and the resource server. I want to separate the two. This is what I have done.

In the auth server's Startup.Config, I have the following settings:

app.UseOpenIdConnectServer(options => {
    options.AllowInsecureHttp = true;
    options.ApplicationCanDisplayErrors = true;
    options.AuthenticationScheme = OpenIdConnectDefaults.AuthenticationScheme;
    options.Issuer = new System.Uri("http://localhost:61854"); // this auth server
    options.Provider = new AuthorizationProvider();
    options.TokenEndpointPath = new PathString("/token");
    options.UseCertificate(new X509Certificate2(env.ApplicationBasePath + "\\mycertificate.pfx", "mycertificate"));
});

I have an AuthorizationProvider written, but I don't think it is relevant to my current issue (it may be useful, though). In its GrantResourceOwnerCredentials override, I hard-code a claims principal so that every token request is validated:

public override Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsNotification context)
{
    var identity = new ClaimsIdentity(OpenIdConnectDefaults.AuthenticationScheme);
    identity.AddClaim(ClaimTypes.Name, "me");
    identity.AddClaim(ClaimTypes.Email, "me@gmail.com");
    var claimsPrincipal = new ClaimsPrincipal(identity);
    context.Validated(claimsPrincipal);
    return Task.FromResult<object>(null);
}

On the resource server, I have the following in its Startup.config:

app.UseWhen(context => context.Request.Path.StartsWithSegments(new PathString("/api")), branch =>
{
    branch.UseOAuthBearerAuthentication(options => {
        options.Audience = "http://localhost:54408"; // this resource server, I believe.
        options.Authority = "http://localhost:61854"; // the auth server
        options.AutomaticAuthentication = true;
    });
});

In Fiddler, I request a token and I get one:

POST /token HTTP/1.1
Host: localhost:61854
Content-Type: application/x-www-form-urlencoded

username=admin&password=aaa000&grant_type=password

So now I use the access token to access a protected resource on the resource server:

GET /api/values HTTP/1.1
Host: localhost:54408
Content-Type: application/json; charset=utf-8
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI.....

I now get this error - Audience validation failed. Audiences: 'null'. Did not match validationParameters.ValidAudience: or validationParameters.ValidAudiences: 'null'

I think the reason is that I never set an audience on the auth server (in app.UseOpenIdConnectServer(...)), so I don't think it writes any audience information into the token. So I need to set the audience on the auth server (like what is done in IdentityServer3), but I can't find a property in the options object that would let me do that.

Does AspNet.Security.OpenIdConnect.Server require the authority and the resource to be on the same server?

Is the audience set when the ClaimsPrincipal is put together, and if so, how?

Do I need to write a custom validation object and hook it into the system? (I certainly hope the answer to that is no.)


Solution

No, you can of course separate the two roles.

As you've already figured out, if you don't explicitly specify it, the authorization server has no way to determine the destination/audience of an access token, which is issued without the aud claim required by default by the OAuth2 bearer middleware.

Solving this issue is easy: just call ticket.SetResources(resources) when creating the authentication ticket and the authorization server will know exactly which value(s) (i.e. resource servers/APIs) it should add in the aud claim(s).

app.UseOpenIdConnectServer(options => {
    // Force the OpenID Connect server middleware to use JWT tokens
    // instead of the default opaque/encrypted token format used by default.
    options.UseJwtTokens();
});

public override Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context) {
    var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
    identity.AddClaim(ClaimTypes.NameIdentifier, "unique identifier");

    var ticket = new AuthenticationTicket(
        new ClaimsPrincipal(identity),
        new AuthenticationProperties(),
        context.Options.AuthenticationScheme);

    // Call SetResources with the list of resource servers
    // the access token should be issued for.
    ticket.SetResources("resource_server_1");

    // Call SetScopes with the list of scopes you want to grant.
    ticket.SetScopes("profile", "offline_access");

    context.Validate(ticket);

    return Task.FromResult(0);
}

app.UseJwtBearerAuthentication(new JwtBearerOptions {
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    Audience = "resource_server_1",
    Authority = "http://localhost:61854"
});
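As an added illustration (not code from the question, the answer or the AspNet.Security.OpenIdConnect.Server project), the following Python script models the two sides of the exchange above: a toy issuer whose resources argument plays the role of ticket.SetResources(), and a toy resource server that applies the same ordered checks a JWT bearer middleware does (algorithm, signature, issuer, expiry, audience). It assumes HS256 with a constructed shared secret in place of the RS256 certificate used on the page; SHARED_KEY, ISSUER, issue_token, validate_token and check_request are names chosen here. The point it makes is the one from the answer: a token minted without resources carries no aud claim and is rejected with the same "Audiences: 'null'" reason the question reports, while a token minted for "resource_server_1" is accepted by that API and by no other.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. HS256 with a shared secret stands in for the RS256
# certificate on the page; the audience check that follows is identical.
SHARED_KEY = b"demo-signing-key-not-for-production"
ISSUER = "http://localhost:61854"  # the auth server, as on the page


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, resources=(), scopes=(), now=None, key=SHARED_KEY):
    """Toy authorization server. `resources` plays the role of ticket.SetResources():
    each entry becomes an aud value; an empty tuple writes no aud claim at all,
    which is the token the question's configuration produced."""
    now = int(time.time()) if now is None else now
    payload = {"iss": ISSUER, "sub": subject, "iat": now, "exp": now + 3600}
    if resources:
        payload["aud"] = list(resources) if len(resources) > 1 else resources[0]
    if scopes:
        payload["scope"] = " ".join(scopes)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


class TokenValidationError(Exception):
    pass


def validate_token(token, expected_audience, now=None, key=SHARED_KEY):
    """Toy resource server: the checks a bearer middleware applies, in order.
    Algorithm and signature come first so nothing in the payload is trusted
    before it is authenticated; the audience check is the one that failed on the page."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenValidationError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise TokenValidationError(f"unsupported alg '{header.get('alg')}'")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(signature_b64)):
        raise TokenValidationError("signature validation failed")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("iss") != ISSUER:
        raise TokenValidationError(f"issuer validation failed: '{payload.get('iss')}'")
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise TokenValidationError("token expired")
    aud = payload.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_audience not in audiences:
        raise TokenValidationError(
            "Audience validation failed. Audiences: "
            f"'{', '.join(audiences) or 'null'}'. Did not match ValidAudience: '{expected_audience}'"
        )
    return payload


def check_request(authorization_header, expected_audience, now=None):
    """What the /api branch answers for a request: (401, reason) or (200, subject)."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return 401, "missing bearer token"
    try:
        payload = validate_token(token, expected_audience, now=now)
    except TokenValidationError as exc:
        return 401, str(exc)
    return 200, payload["sub"]


if __name__ == "__main__":
    t = 1_700_000_000  # fixed clock so the run is reproducible
    # Question's setup: no resources set, so no aud claim -> rejected.
    bad = issue_token("admin", now=t)
    # Answer's setup: ticket.SetResources("resource_server_1") -> accepted there only.
    good = issue_token("admin", resources=("resource_server_1",), scopes=("profile",), now=t)
    for label, tok in (("no aud", bad), ("aud set", good)):
        print(label, check_request(f"Bearer {tok}", "resource_server_1", now=t))
    print("other API", check_request(f"Bearer {good}", "resource_server_2", now=t))
```

Passing several names to issue_token writes a multi-valued aud, which is what the answer means by "value(s)": one token can be valid for more than one API, and each resource server still only has to compare its own Audience setting against the list.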

