无法读取请求正文(IdentityServer 4)
Unable to read request body ( IdentityServer 4 )
嗨,我正在尝试读取 React 应用程序使用 axios 发送到 Asp.net 核心应用程序 (IdentityServer 4) 的请求正文以获取令牌。以下代码来自react app.
const headers = {
'Content-Type': 'application/json',
}
const data = {
'grant_type': 'password',
'client_id': '*********-****-****-****-************',
'client_secret': 'ClientSecret',
'username': 'user',
'password': 'password',
'scope': 'email',
'response_type': 'id_token'
}
axios.post('http://localhost:5000/connect/token', data, {
headers: headers
})
.then((response) => {
console.log(response)
})
.catch((error) => {
console.log(error)
})
IdentityServer代码如下(我在startup.csclass中注册了IHttpContextAccessor)
namespace IdentityServer
{
public class CustomCorsPolicy : ICorsPolicyService
{
private readonly IHttpContextAccessor _httpContext;
public CustomCorsPolicy(IHttpContextAccessor httpContext)
{
_httpContext = httpContext; ----------> Trying to access request body here I want to get the clientId sent by react app in request body.
}
public Task<bool> IsOriginAllowedAsync(string origin)
{
return Task.FromResult(true);
}
}
}
当我尝试调试以查看请求正文时,我得到了以下数据
我是不是做错了什么?如果可以,谁能帮我知道如何获取请求正文。
您的自定义 CustomCorsPolicy 只会在 CORS-related 请求时被调用,这意味着只有当您从浏览器执行 AJAX-requests 时,例如当您调用 UserInfo 端点时。
因此,这意味着您的 CustomCorsPolicy 永远不会作为正常身份验证请求过程的一部分被调用,仅在 AJAX-requests 期间被调用。在对 /connect/userinfo 端点的第一个 CORS 预检请求期间(使用 OPTIONS http 请求 method/verb),根本没有提供令牌或 clientID。
在第二次请求期间,您从授权 header 中获取访问令牌。您可以通过一些努力从访问令牌中获取 clientID。令牌在请求 header 中,而不是请求 body(在两个请求期间都是空的)。
第一个请求如下所示:
OPTIONS https://localhost:6001/connect/userinfo HTTP/1.1
Host: localhost:6001
Connection: keep-alive
Accept: */*
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Origin: https://localhost:5001
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Sec-Fetch-Dest: empty
Referer: https://localhost:5001/ImplicitFlow/LoggedInUsingFragment
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
对 the-user 信息端点的第二个请求如下所示:
GET https://localhost:6001/connect/userinfo HTTP/1.1
Host: localhost:6001
Connection: keep-alive
Accept: */*
DNT: 1
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjY1NzVBNTk1MkYwQUI3MTA3NzM2RDQ4RTY4REQwOTI2IiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE1OTUzNTUxNDYsImV4cCI6MTU5NTM1ODc0NiwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NjAwMSIsImF1ZCI6WyJwYXltZW50IiwiaW52b2ljZSIsIm9yZGVyIiwiaHR0cHM6Ly9sb2NhbGhvc3Q6NjAwMS9yZXNvdXJjZXMiXSwiY2xpZW50X2lkIjoiaW1wbGljaXRmbG93Y2xpZW50Iiwic3ViIjoiVXNlcklEMTIzNDU2IiwiYXV0aF90aW1lIjoxNTk1MzU0ODk0LCJpZHAiOiJsb2NhbCIsInNlbmlvcml0eSI6IlNlbmlvciIsImNvbnRyYWN0b3IiOiJubyIsImVtcGxveWVlIjoieWVzIiwianRpIjoiMUY4NkE1NERBNzBBN0E1M0Q0RTRFOURCMUZFNTg5RDciLCJzaWQiOiIxRUMxNzAwREUxODZGOEFGRTc0MEQ3QTBGMjM1MDI1RCIsImlhdCI6MTU5NTM1NTE0Niwic2NvcGUiOlsib3BlbmlkIiwiZW1haWwiLCJwcm9maWxlIiwic2hvcC5hZG1pbiJdLCJhbXIiOlsicHdkIl19.Ey9e1OyVgm8ctrUmv9BlKsZburIHmKwEZc53EWu7H0dXg_DbgzPyIttq35wkGGrL6mbL9k4v9MPtwgvXP2iStR-9IMSEjXml9Wb0oFcAmlhWYSMW3bQ-64qUrgzwiDW6WFTcBAFR5q_cw-HEjYbLQzxhV5_6QuaJTfF15OpqxEk9074A-FaM7I-WvgTSMesqZCqupuYBmXPOxnTaII8ZMy1EnnOaDfT1dUUBIU1gB4H4waU_iUoX6u_nJrgXVlm9kYn0CkcV9qiVMlRCAg_t1q-nBjjRMZCrfa5hKgAdz2rzmjUpKGTCIU30RkryVDf845xMbcEiC6KZhPai_pPSmg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
Origin: https://localhost:5001
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://localhost:5001/ImplicitFlow/LoggedInUsingFragment
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
但回到最初的问题,我认为你需要重新考虑你试图实现的目标,因为 CORS 服务仅在 CORS-requests 上调用,在客户端已经收到他们的 access-token .我认为您可以通过为不同的客户端和您想要控制的权限创建不同的客户端定义和 ApiScopes 来更容易地解决这个问题。
嗨,我正在尝试读取 React 应用程序使用 axios 发送到 Asp.net 核心应用程序 (IdentityServer 4) 的请求正文以获取令牌。以下代码来自react app.
const headers = {
'Content-Type': 'application/json',
}
const data = {
'grant_type': 'password',
'client_id': '*********-****-****-****-************',
'client_secret': 'ClientSecret',
'username': 'user',
'password': 'password',
'scope': 'email',
'response_type': 'id_token'
}
axios.post('http://localhost:5000/connect/token', data, {
headers: headers
})
.then((response) => {
console.log(response)
})
.catch((error) => {
console.log(error)
})
IdentityServer代码如下(我在startup.csclass中注册了IHttpContextAccessor)
namespace IdentityServer
{
public class CustomCorsPolicy : ICorsPolicyService
{
private readonly IHttpContextAccessor _httpContext;
public CustomCorsPolicy(IHttpContextAccessor httpContext)
{
_httpContext = httpContext; ----------> Trying to access request body here I want to get the clientId sent by react app in request body.
}
public Task<bool> IsOriginAllowedAsync(string origin)
{
return Task.FromResult(true);
}
}
}
当我尝试调试以查看请求正文时,我得到了以下数据
我是不是做错了什么?如果可以,谁能帮我知道如何获取请求正文。
您的自定义 CustomCorsPolicy 只会在 CORS-related 请求时被调用,这意味着只有当您从浏览器执行 AJAX-requests 时,例如当您调用 UserInfo 端点时。
因此,这意味着您的 CustomCorsPolicy 永远不会作为正常身份验证请求过程的一部分被调用,仅在 AJAX-requests 期间被调用。在对 /connect/userinfo 端点的第一个 CORS 预检请求期间(使用 OPTIONS http 请求 method/verb),根本没有提供令牌或 clientID。
在第二次请求期间,您从授权 header 中获取访问令牌。您可以通过一些努力从访问令牌中获取 clientID。令牌在请求 header 中,而不是请求 body(在两个请求期间都是空的)。
第一个请求如下所示:
OPTIONS https://localhost:6001/connect/userinfo HTTP/1.1
Host: localhost:6001
Connection: keep-alive
Accept: */*
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Origin: https://localhost:5001
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Sec-Fetch-Dest: empty
Referer: https://localhost:5001/ImplicitFlow/LoggedInUsingFragment
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
对 the-user 信息端点的第二个请求如下所示:
GET https://localhost:6001/connect/userinfo HTTP/1.1
Host: localhost:6001
Connection: keep-alive
Accept: */*
DNT: 1
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjY1NzVBNTk1MkYwQUI3MTA3NzM2RDQ4RTY4REQwOTI2IiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE1OTUzNTUxNDYsImV4cCI6MTU5NTM1ODc0NiwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NjAwMSIsImF1ZCI6WyJwYXltZW50IiwiaW52b2ljZSIsIm9yZGVyIiwiaHR0cHM6Ly9sb2NhbGhvc3Q6NjAwMS9yZXNvdXJjZXMiXSwiY2xpZW50X2lkIjoiaW1wbGljaXRmbG93Y2xpZW50Iiwic3ViIjoiVXNlcklEMTIzNDU2IiwiYXV0aF90aW1lIjoxNTk1MzU0ODk0LCJpZHAiOiJsb2NhbCIsInNlbmlvcml0eSI6IlNlbmlvciIsImNvbnRyYWN0b3IiOiJubyIsImVtcGxveWVlIjoieWVzIiwianRpIjoiMUY4NkE1NERBNzBBN0E1M0Q0RTRFOURCMUZFNTg5RDciLCJzaWQiOiIxRUMxNzAwREUxODZGOEFGRTc0MEQ3QTBGMjM1MDI1RCIsImlhdCI6MTU5NTM1NTE0Niwic2NvcGUiOlsib3BlbmlkIiwiZW1haWwiLCJwcm9maWxlIiwic2hvcC5hZG1pbiJdLCJhbXIiOlsicHdkIl19.Ey9e1OyVgm8ctrUmv9BlKsZburIHmKwEZc53EWu7H0dXg_DbgzPyIttq35wkGGrL6mbL9k4v9MPtwgvXP2iStR-9IMSEjXml9Wb0oFcAmlhWYSMW3bQ-64qUrgzwiDW6WFTcBAFR5q_cw-HEjYbLQzxhV5_6QuaJTfF15OpqxEk9074A-FaM7I-WvgTSMesqZCqupuYBmXPOxnTaII8ZMy1EnnOaDfT1dUUBIU1gB4H4waU_iUoX6u_nJrgXVlm9kYn0CkcV9qiVMlRCAg_t1q-nBjjRMZCrfa5hKgAdz2rzmjUpKGTCIU30RkryVDf845xMbcEiC6KZhPai_pPSmg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
Origin: https://localhost:5001
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://localhost:5001/ImplicitFlow/LoggedInUsingFragment
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
但回到最初的问题,我认为你需要重新考虑你试图实现的目标,因为 CORS 服务仅在 CORS-requests 上调用,在客户端已经收到他们的 access-token .我认为您可以通过为不同的客户端和您想要控制的权限创建不同的客户端定义和 ApiScopes 来更容易地解决这个问题。