您的位置: 首页  >  技术问答  >  .net核心客户端未通过IdentityServer v3进行身份验证-Audience中的偏移

.net核心客户端未通过IdentityServer v3进行身份验证-Audience中的偏移

分类: 技术问答 2022-07-22 10:57:13
问题描述:

给出:

IdentityServer v3 JavaSCript客户端 Asp Core Api客户端

IdentityServer v3 JavaSCript Client Asp Core Api Client

JavaScript客户端通过身份服务器进行身份验证,并向api发送带有承载令牌的请求

The JavaScript client authenticates with the identityserver and makes a request with a bearer token to the api

该api配置为使用资源所有者的工作流程

the api is configured to use ressource owner workflow

问题: 现在我得到了:

受众群体:" http://localhost/identity/resources ".不匹配: validationParameters.ValidAudience:'MyApi'或 validationParameters.ValidAudiences:空"

Audiences: 'http://localhost/identity/resources'. Did not match: validationParameters.ValidAudience: 'MyApi' or validationParameters.ValidAudiences: 'null'

显然受众群体不匹配. 我想念什么?

Obiviously Audiance doesn't match. what am I missing?

配置

身份服务器中的ApiClient:

ApiClient in Identity server:

 return new Client
            {
                Enabled = true,
                ClientId = "MyApi",
                ClientName = "The client for the Groupl Api",
                ClientSecrets = new List<Secret>
                {
                    new Secret("foo".Sha256())
                },
                Flow = Flows.ResourceOwner,
                AllowedScopes = ClientConstants.AllowedGrouplScopes()
            };

在api中连接到身份服务器:

In the api to connect to identity server:

 JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();


        var authority = config["identity:authority:url"];
        app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
        {
            Authority = authority,
            RequireHttpsMetadata = false,
            EnableCaching = false,

            ApiName = "myApi", //Correct that this is the client id?
            ApiSecret = "foo"
        });

此处是请求(省略了Access_token)

Here the request (Access_token omitted)

GET /api/values HTTP/1.1
Host: localhost:59364
Content-Type: application/json
Authorization: Bearer {access_token}

更新

Update

当我设置LegacyAudienceValidation = true时,一切正常,但是我不确定如何正确处理此问题?

when I set LegacyAudienceValidation = true, everything works fine, but i'm not sure how to handle this correctly?

原因是身份验证行为已更改. IdentityServer 3不支持多个受众. Identityserver 4可以.因此,对于旧的处理方式,必须将LegacyAudienceValidation设置为true

Reason is that authentication behavior changed. IdentityServer 3 didn't support multiple audiences. Identityserver 4 does. So for the old handling LegacyAudienceValidation has to be set to true

相关推荐