身份服务器-承载令牌认证-如何跟踪失败的授权?

我已经在开发环境中设置了一个简单的身份服务器，其配置如下:

I have set up a simple identity server on my development environment, configured as so:

    public void Configuration(IAppBuilder app)
    {
        Log.Logger = new LoggerConfiguration()
            .MinimumLevel.Verbose()
            .WriteTo.Trace()
            .CreateLogger();

        app.Map("/identity", id =>
        {     
            id.UseIdentityServer(new IdentityServerOptions()
            {
                SiteName = "Tomas Services Identity Provider",
                SigningCertificate = CertificateService.Load(),
                Factory = IdentityFactory.Configure("IdServerConn"),
                RequireSsl = false
            });
        });
    }

工厂根据编写服务器代码的好人提供的实体框架示例进行设置.

The factory sets up as per the entity framework sample provided by the nice people that wrote the server code.

然后，我将客户端Web api网站设置为使用承载身份验证，如下所示:

I then have a client web api site set up to use bearer authentication like so:

    private const string IdentityServerUrl = "http://localhost/mysite/identity";

    public void Configuration(IAppBuilder app)
    {
        Log.Logger = new LoggerConfiguration()
           .MinimumLevel.Debug()
           .WriteTo.Trace()
           .CreateLogger();

        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions()
        {
            Authority = IdentityServerUrl,
            RequiredScopes = new[] { "my_scope" }
        });

        var config = new HttpConfiguration();

        WebApiConfig.Register(config);

        app.UseNinjectMiddleware(NinjectWebCommon.CreateKernel).UseNinjectWebApi(config);
    }

然后我要使用提琴手进行测试，获取访问令牌，然后将其添加到我的Web api POST中的相应标头中.

I am then testing this using fiddler, retrieving an access token and then adding that to the appropriate header in my web api POST.

现在，这正在使用IIS Express并在https下运行.我想将此(用于开发)更改为在不使用SSL的情况下运行.所做的唯一更改是在IDP配置中将RequiresSSL设置为false，并更改客户端中授权的URL.客户端现在也可以在http而不是SSL下运行.

Now, this was working using IIS express and running under https. I want to change this (for development) to run without SSL. The only changes that have been made were to set RequiresSSL to false in the IDP config and change the URL of the authority in the client. The client is now also running under http rather than under SSL.

我现在不断得到401-发布到Web API时的未经授权的响应.我可以毫无问题地检索访问令牌，但是我看不到为什么我的Web API网站没有对我进行身份验证.

I am now consistently getting 401 - unauthorised responses when posting to the web API. I can retrieve an access token without issue, but I am unable to see why my web API site is not authenticating me.

我已经在身份服务器站点上设置了日志记录，并且可以看到通过调用获得访问令牌没有问题，但是通过Web API调用时，我看到的唯一进一步记录是:

I have logging set up on the identity server site, and I can see calls through to get my access token no problem, but the only further logging I see when I call through the web API is a one off:

w3wp.exe信息:0:20​​16-10-17 15:09:58.459 +01:00 [信息] 开始发现请求2016-10-17 15:09:58.460 +01:00 [Debug]缓存 错过:CachingScopeStore.allscopes.public w3wp.exe信息:0: 2016-10-17 15:09:58.549 +01:00 [信息]开始发现密钥 请求

w3wp.exe Information: 0 : 2016-10-17 15:09:58.459 +01:00 [Information] Start discovery request 2016-10-17 15:09:58.460 +01:00 [Debug] Cache miss: CachingScopeStore.allscopes.public w3wp.exe Information: 0 : 2016-10-17 15:09:58.549 +01:00 [Information] Start key discovery request

是否有任何方法可以从UseIdentityServerBearerTokenAuthentication OWIN中间件获取进一步的日志记录(出于调试目的)?我对为什么我无法连接感到困惑，尤其是因为它在IIS Express(在SSL下可以运行)下工作.

Is there any way of getting further logging (for debug purposes) from the UseIdentityServerBearerTokenAuthentication OWIN middleware? I am at loss here as to why I am not able to connect, particularly as this was working under IIS express (albiet under SSL).

对于后代，我按照下面的@leastprivilege启用日志记录时遇到的错误是:

For posterity, the error I was getting on enabling logging as per @leastprivilege below was:

Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware 错误:0:身份验证失败System.TypeLoadException:无法 从中加载类型'IdentityModel.Extensions.HashStringExtensions' 程序集'IdentityModel，版本= 2.0.0.0，文化=中性， PublicKeyToken = null".在 IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider.d__1.MoveNext() 在 System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start [TStateMachine](TStateMachine& stateMachine) IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider.ReceiveAsync(AuthenticationTokenReceiveContext 上下文) Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler.d__0.MoveNext()

Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Error: 0 : Authentication failed System.TypeLoadException: Could not load type 'IdentityModel.Extensions.HashStringExtensions' from assembly 'IdentityModel, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null'. at IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider.d__1.MoveNext() at System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[TStateMachine](TStateMachine& stateMachine) at IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider.ReceiveAsync(AuthenticationTokenReceiveContext context) at Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler.d__0.MoveNext()

有关详细信息，请参见下面的答案.

Please see answer below for details.