response.Error "Forbidden" in IdentityServer3 Flows.ClientCredentials

I have a client in my IdentityServer3:

new Client
{
    ClientName = "Client Credentials Flow Client With Certificate",
    Enabled = true,
    ClientId = "cc.WithCertificate",
    Flow = Flows.ClientCredentials,

    ClientSecrets = new List<Secret>
        {
            new Secret
            {
                Value = "61B754C541BBCFC6A45A9E9EC5E47D8702B78C29",
                Type = Constants.SecretTypes.X509CertificateThumbprint,
                Description = "Client Certificate"
            },
        },

    AllowedScopes = new List<string>
        {
            "read"
        }
},

In the client Windows Forms application I am using "Client.pfx", downloaded from the URL https://github.com/IdentityServer/IdentityServer3.Samples/blob/master/source/Clients/ClientCertificateConsoleClient/Client.pfx

The client certificate has the thumbprint

Thumbprint = "61B754C541BBCFC6A45A9E9EC5E47D8702B78C29"

The client code is

using System.Configuration;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using IdentityModel.Client;

// Load the client certificate (with its private key) from the PFX file
var cert = new X509Certificate2("Client.pfx");

// Attach the certificate so it is presented during the TLS handshake
var handler = new WebRequestHandler();
handler.ClientCertificates.Add(cert);

string tokenEndPoint = ConfigurationManager.AppSettings["TokenEndpoint"];

// No shared secret: the client authenticates with the certificate,
// whose thumbprint is registered as the client secret in IdentityServer
var client = new TokenClient(
    tokenEndPoint,
    "cc.WithCertificate",
    handler);

// Calling the Token Service
var response = client.RequestClientCredentialsAsync("read").Result;

I configured it following the instructions at https://identityserver.github.io/Documentation/docsv2/advanced/clientCerts.html
<location path="core/connect/token">
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert" />
    </security>
  </system.webServer>
</location>

Initially it gave me Internal Server Error; later I changed the following mode to "Allow"

File path: C:\Windows\System32\inetsrv\config\applicationHost.config

<section name="access" overrideModeDefault="Deny" />

<section name="access" overrideModeDefault="Allow" />

After that it responds with an error status code: response.Error = "Forbidden"

A snapshot of the response object is attached here.

Please help me resolve this and obtain an AccessToken using the ClientCertificate.

You are using the "Client.pfx" certificate on the client side, and you are passing it to IdentityServer in the HTTP request.

The above certificate has a root certificate, "DevRoot", which should be in the Trusted Root Certification Authorities store; otherwise IIS will not allow the request and returns status code 403 Forbidden.

Please take a look at the snapshot, which shows the information of "Client.pfx".

So, make sure "DevRoot" is installed in "Trusted Root Certification Authorities".

If it is not, download "DevRoot.cer" and import it into that store (i.e. Trusted Root Certification Authorities).

DevRoot.cer download URL: https://github.com/IdentityServer/IdentityServer3.Samples/blob/master/source/Certificates/DevRoot.cer
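The check the answer describes, as an added PowerShell example that is not part of the question, the answer or the IdentityServer3 samples: it verifies that Client.pfx carries the thumbprint registered as the client secret, builds the certificate chain against the machine trust store (the one SChannel/IIS consults, which is LocalMachine\Root rather than the developer's CurrentUser store), prints what is missing, and optionally imports DevRoot.cer. The file paths, the `-ImportRoot` switch and the password prompt are assumptions; the page does not state the PFX password.

```powershell
# Added example, not code from the question, the answer or the IdentityServer3 samples.
# Assumptions: Client.pfx and DevRoot.cer sit in the current directory (override with
# -PfxPath / -RootCerPath); Get-PfxCertificate prompts for the PFX password.
param(
    [string]$PfxPath            = ".\Client.pfx",
    [string]$RootCerPath        = ".\DevRoot.cer",
    [string]$ExpectedThumbprint = "61B754C541BBCFC6A45A9E9EC5E47D8702B78C29",
    [switch]$ImportRoot
)

$ErrorActionPreference = 'Stop'
$X509 = 'System.Security.Cryptography.X509Certificates'

# Load the client certificate (prompts for the PFX password).
$cert = Get-PfxCertificate -FilePath $PfxPath

# 1. The thumbprint must equal the X509CertificateThumbprint secret on the client
#    definition, otherwise IdentityServer rejects the client even when IIS lets it through.
if ($cert.Thumbprint -ne $ExpectedThumbprint) {
    Write-Warning "Thumbprint $($cert.Thumbprint) does not match the configured secret $ExpectedThumbprint."
} else {
    Write-Host "Thumbprint matches the client secret configured in IdentityServer."
}

# 2. Build the chain the way SChannel does for SslNegotiateCert: against the machine
#    trust store. Revocation is skipped because the sample DevRoot CA publishes no CRL.
function Test-ClientCertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = New-Object "$X509.X509Chain"
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Certificate)

    if ($chain.ChainElements.Count -gt 0) {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host ("Chain ends at: {0} ({1})" -f $top.Subject, $top.Thumbprint)
    }
    foreach ($status in $chain.ChainStatus) {
        # e.g. UntrustedRoot / PartialChain when DevRoot is not in LocalMachine\Root
        Write-Host ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
    return $ok
}

if (Test-ClientCertChain -Certificate $cert) {
    Write-Host "Client.pfx chains to a trusted root; IIS will not reject it as untrusted."
    return
}

Write-Warning "Client.pfx does not chain to a trusted root on this machine."
if (-not $ImportRoot) {
    Write-Host "Re-run from an elevated prompt with -ImportRoot to add $RootCerPath to LocalMachine\Root."
    return
}

# 3. Import DevRoot.cer into the machine-wide Trusted Root store. Anything placed here
#    is trusted by every process on the box, so do this only for a CA you really control.
$rootPath = (Resolve-Path $RootCerPath).Path
$root     = New-Object "$X509.X509Certificate2" -ArgumentList $rootPath
$store    = New-Object "$X509.X509Store" -ArgumentList 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    if ($store.Certificates.Contains($root)) {
        Write-Host "$($root.Subject) is already in LocalMachine\Root."
    } else {
        $store.Add($root)
        Write-Host "Imported $($root.Subject) ($($root.Thumbprint)) into LocalMachine\Root."
    }
} finally {
    $store.Close()
}

# 4. Confirm the fix before retrying the token request.
if (Test-ClientCertChain -Certificate $cert) {
    Write-Host "Chain now builds; retry RequestClientCredentialsAsync."
} else {
    Write-Warning "Chain still fails; confirm that DevRoot.cer is really the issuer of Client.pfx."
}
```

Two practical notes. Opening LocalMachine\Root for writing needs an elevated prompt; an unelevated run stops with an access-denied error at `$store.Open`. And when the token call still comes back as "Forbidden", look at the IIS request log (`sc-substatus` column) rather than at the `TokenClient` response: IIS distinguishes 403.7 (client certificate required, i.e. none was sent) from 403.16 (client certificate is untrusted or invalid), which tells you whether the problem is the `WebRequestHandler` not presenting the certificate or the chain not building on the server.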