IdentityServer OpenIdConnect adding an api as a scope

Question

  • I have a project running on localhost:44387 which is the IdentityServer configuration.
  • I have an ASP.NET Core application running on localhost:44373 which acts as a front end application for the user to engage with and another ASP.NET Core application running on localhost:44353 which acts as an API.
  • When the user tries to access an authorized controller in the front end application, they are redirected to the login page on the IdentityServer.
  • Once the user has logged in, they are redirected back.
  • They are then authorized on the front end application, but when calls are being made to the API on localhost:44353, it returns unauthorized.
  • I have tried to add a scope to the .OpenIdConnect method to add the API as a scope but it crashes the application when redirecting to the login page.
  • How can I add the API as a permission to request, so once the front end application is authorized it can call the API?

This is in the Config.cs file for the IdentityServer

new Client
{
    ClientId = "mvc",
    ClientName = "MVC Client",
    AllowedGrantTypes = GrantTypes.Implicit,

    // where to redirect to after login
    RedirectUris = { "https://localhost:44373/signin-oidc" },

    // where to redirect to after logout
    PostLogoutRedirectUris = { "https://localhost:44373/signout-callback-oidc" },
    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "roles",
        "staff_api" // <---- Add staff api as scope
    },
    RequireConsent = false,
}

Inside the Startup of the front end app

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = "oidc";
})
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = baseAuthAddress;
        options.RequireHttpsMetadata = false;

        options.ClientId = "mvc";
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;

        //options.Scope.Add("staff_api"); //<--- THIS MAKES IT CRASH?
        options.Scope.Add("roles");

        // Fix for getting roles claims correctly:
        options.ClaimActions.MapJsonKey("role", "role", "role");

        options.TokenValidationParameters.NameClaimType = "name";
        options.TokenValidationParameters.RoleClaimType = "roles";
    });

Inside Startup.cs of API

services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options =>
    {
        options.Audience = "staff_api";
        options.Authority = Configuration["AuthURL"];
    });

Answer 1

Score: 1


Have you added and seeded an ApiResource and ApiScope on the IdentityServer side? (With the newer versions of IdentityServer)

Like shown in the quickstarts? Since we don't see the full Config.cs file, that would be the first thing to check.
You should also have a look at the .well-known/openid-configuration of your IS4, to see if the scope for the api is registered in the section scopes_supported (see link to quickstart as well).

The Debug output of IdentityServer, TokenValidationMiddleware on the API side and the AuthenticationMiddleware on the client side are very verbose, you should check the debug output for entries that inform you what is not working.

Also you should not use GrantTypes.Implicit for Asp.Net Core applications if it is not a SPA, this type is intended for JS-based front-ends.
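The answer's first check, worked out as an added example (not the asker's Config.cs and not the quickstart code) in the IdentityServer4 v4 API the answer refers to; the Config class layout, the display names, the "roles" identity resource and the placeholder client secret are assumptions, and on IdentityServer4 v3 there is no ApiScope list because the scope is derived from the ApiResource:

```csharp
using System.Collections.Generic;
using IdentityServer4.Models;

public static class Config
{
    public static IEnumerable<IdentityResource> IdentityResources => new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new IdentityResource("roles", new[] { "role" })   // assumed; backs options.Scope.Add("roles")
    };

    // Registering the scope puts "staff_api" into scopes_supported of the discovery
    // document; IS4 rejects an authorize request that names a scope it does not know.
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("staff_api", "Staff API")
    };

    // The resource name becomes the "aud" claim of the access token, which is what
    // the API's AddJwtBearer(options => options.Audience = "staff_api") checks.
    public static IEnumerable<ApiResource> ApiResources => new[]
    {
        new ApiResource("staff_api", "Staff API") { Scopes = { "staff_api" } }
    };

    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "mvc",
            ClientName = "MVC Client",
            // Authorization code + PKCE instead of Implicit for a server-rendered client.
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            ClientSecrets = { new Secret("<client-secret-placeholder>".Sha256()) },  // placeholder
            RedirectUris = { "https://localhost:44373/signin-oidc" },
            PostLogoutRedirectUris = { "https://localhost:44373/signout-callback-oidc" },
            AllowedScopes = { "openid", "profile", "roles", "staff_api" },
            RequireConsent = false,
        }
    };
}

// Startup.ConfigureServices of the IdentityServer project: each list above has to be
// handed to the pipeline, or the definitions never reach the token service.
// services.AddIdentityServer()
//     .AddInMemoryIdentityResources(Config.IdentityResources)
//     .AddInMemoryApiScopes(Config.ApiScopes)
//     .AddInMemoryApiResources(Config.ApiResources)
//     .AddInMemoryClients(Config.Clients);
```

Switching the client to GrantTypes.Code also means setting options.ResponseType = "code" and options.ClientSecret in the front end's AddOpenIdConnect call. Once the scope is registered, https://localhost:44387/.well-known/openid-configuration should list staff_api under scopes_supported, and the access token sent to the API should carry aud = "staff_api".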

huangapple
  • Posted on 2020-01-03 22:24:19
  • Source link: https://go.coder-hub.com/59580225.html