OpenIdConnect middleware keeps adding "profile" scope to the request

I am trying to get my head around OAuth 2.0, OIDC 1.0 and IdentityServer4. I set up a test MVC Core client that requests only the "openid" scope. But somehow the OpenIdConnect middleware keeps adding the "profile" scope to the requested scopes. Is "profile" a mandatory scope? Should I enable it? Or am I doing something wrong here? Any input would be appreciated.

IdSrv resources:

_identityResources = new List<IdentityResource>
{
    new IdentityResources.OpenId(),
    new IdentityResource
    {
        Name = "test_user",
        UserClaims = new[] { "test_user.email" }
    }
};

_apiResources = new List<ApiResource>
{
    new ApiResource
    {
        Name = "test_api",
        Scopes =
        {
            new Scope()
            {
                Name = "test_api.account.create",
                UserClaims = new[] { "test_api.account.create" }
            }
        }
    }
};

IdSrv client configuration:

new Client
{
    ClientId = "client.mvcx",
    ClientName = "MVC Core Client",
    AllowedGrantTypes = GrantTypes.Hybrid,
    AllowAccessTokensViaBrowser = false,

    ClientSecrets =
    {
        new Secret("secret".Sha256())
    },

    RedirectUris = { Common.Addresses.Client + "/signin-oidc" },
    PostLogoutRedirectUris = { Common.Addresses.Client },
    LogoutUri = Common.Addresses.Client + "/signout-oidc",

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId
    },
    AllowOfflineAccess = false,
    RequireConsent = false,

    AlwaysIncludeUserClaimsInIdToken = true
},

MVC client:

// Inside Startup.Configure; this is the configuration that still
// ends up requesting "profile" (see the IdSrv log below).
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationScheme = "cookies",
    AutomaticAuthenticate = true,
    ExpireTimeSpan = TimeSpan.FromMinutes(60)
});

JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    AuthenticationScheme = "oidc",
    SignInScheme = "cookies",

    Authority = Common.Addresses.IdSrv,
    RequireHttpsMetadata = false,

    ClientId = "client.mvcx",
    ClientSecret = "secret",

    ResponseType = "code id_token",
    Scope = { "openid" },

    SaveTokens = true,

    TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
    {
        NameClaimType = IdentityModel.JwtClaimTypes.Name,
        RoleClaimType = IdentityModel.JwtClaimTypes.Role,
    },
});

IdSrv error:

info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
      Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
fail: IdentityServer4.Validation.ScopeValidator[0]
      Invalid scope: profile
fail: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
      Request validation failed
info: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
      {
        "ClientId": "client.mvcx",
        "ClientName": "MVC Core Client",
        "RedirectUri": "http://localhost:32579/signin-oidc",
        "AllowedRedirectUris": [
          "http://localhost:32579/signin-oidc"
        ],
        "SubjectId": "anonymous",
        "ResponseType": "code id_token",
        "ResponseMode": "form_post",
        "GrantType": "hybrid",
        "RequestedScopes": "openid profile",
...

OpenIdConnectOptions automatically requests the openid and profile scopes (see source code), and the Scope property has a private setter.

When you set the scopes the way you do now, you are not setting a new list; you are adding to the existing list.

Clearing and then adding the scopes works:

// Scope is already populated with "openid" and "profile" when the options
// object is constructed; a collection initializer would only Add() to that
// list, so clear it first and then add exactly the scopes you want.
var options = new OpenIdConnectOptions();
options.Scope.Clear();
options.Scope.Add("openid");
app.UseOpenIdConnectAuthentication(options);
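The behaviour the answer describes comes from C# object-initializer semantics: `Scope = { "openid" }` on a get-only collection property compiles to `options.Scope.Add("openid")`, it never replaces the collection. The following console program is an added example, not code from the original question or answer, and `OidcOptionsStandIn` is a hypothetical stand-in class written for this demonstration that mimics only the part of `OpenIdConnectOptions` that matters here (a get-only `Scope` collection pre-populated by the constructor). It runs both the question's initializer and the answer's fix side by side, and adds a start-up check, assumed here rather than taken from the page, that compares the scopes the middleware will request against the client's `AllowedScopes` so the mismatch surfaces before the authorize endpoint rejects it.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-in for OpenIdConnectOptions (added example, not the
// real class). Like the real options object, Scope is get-only and the
// constructor fills it with the middleware's default scopes.
public class OidcOptionsStandIn
{
    public ICollection<string> Scope { get; } = new List<string>();

    public OidcOptionsStandIn()
    {
        // Defaults the answer says the middleware requests on its own.
        Scope.Add("openid");
        Scope.Add("profile");
    }
}

public static class ScopeDemo
{
    // Renders the list the way it appears in the "scope" query parameter.
    public static string Requested(OidcOptionsStandIn o) => string.Join(" ", o.Scope);

    // Returns the scopes the client would request that the server-side
    // client configuration does not allow (assumed guard, not on the page).
    public static List<string> NotAllowed(OidcOptionsStandIn o, ISet<string> allowedScopes) =>
        o.Scope.Where(s => !allowedScopes.Contains(s)).Distinct().ToList();

    public static void Main()
    {
        // 1. The question's configuration: the collection initializer only
        //    calls Add(), so the defaults survive and "profile" is still sent.
        var viaInitializer = new OidcOptionsStandIn { Scope = { "openid" } };
        Console.WriteLine($"object initializer : scope=\"{Requested(viaInitializer)}\"");

        // 2. The answer's fix: clear the pre-populated list, then add.
        var cleared = new OidcOptionsStandIn();
        cleared.Scope.Clear();
        cleared.Scope.Add("openid");
        Console.WriteLine($"Clear() then Add()  : scope=\"{Requested(cleared)}\"");

        // 3. Cross-check against the server-side client config. The set below
        //    mirrors the question's AllowedScopes (only openid) and is
        //    constructed for this example.
        var allowedOnIdSrv = new HashSet<string> { "openid" };
        foreach (var (label, opts) in new[] { ("initializer", viaInitializer), ("cleared", cleared) })
        {
            var bad = NotAllowed(opts, allowedOnIdSrv);
            Console.WriteLine(bad.Count == 0
                ? $"{label}: every requested scope is in AllowedScopes"
                : $"{label}: not in AllowedScopes -> {string.Join(", ", bad)}");
        }
    }
}
```

The first case prints the `profile` entry that the IdSrv log flagged as "Invalid scope", the second prints only `openid`, and the cross-check flags the former and passes the latter. Running such a check once at start-up (or as a unit test against the real `OpenIdConnectOptions`) catches this class of configuration drift without needing to read the authorization server's log.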