观众对 identityserver4 代码流访问令牌的声明是错误的
Audience claim on identityserver4 code flow access token is wrong
我正在为带有 Identityserver4 的 vuejs 客户端使用代码流。
我添加了 RequirePkce 并且我可以从 oidc-client 获取访问令牌和 ID 令牌。
但是访问令牌 aud 声明指向的是 Identityserver4 基地址,而不是我的 api 资源。
会不会有什么问题?
客户:
new Client
{
ClientId = "js.admin",
ClientName = "admin dashboard vuejs client.",
RequirePkce = true,
RequireClientSecret = false,
RequireConsent = false,
AllowedGrantTypes = GrantTypes.Code,
AllowAccessTokensViaBrowser = true,
RedirectUris = new List<string>
{
"http://localhost:8080",
"http://localhost:8080/logincb.html",
"http://localhost:8080/silent-renew.html"
},
PostLogoutRedirectUris = new List<string>
{
"http://localhost:8080/",
"http://localhost:8080"
},
AllowedCorsOrigins = new List<string>
{
"http://localhost:8080"
},
AllowedScopes = new List<string>
{
"openid",
"role",
"profile",
"api1.rw",
"email",
"phone"
}
}
oidc 客户端设置:
const clientSettings = {
userStore: new WebStorageStateStore({ store: window.localStorage }),
authority: STS_DOMAIN,
client_id: "js.admin",
redirect_uri: "http://localhost:8080/logincb.html",
automaticSilentRenew: true,
silent_redirect_uri: "http://localhost:8080/silent-renew.html",
response_type: "code",
scope: "openid profile api1.rw role email phone",
post_logout_redirect_uri: "http://localhost:8080/",
filterProtocolClaims: true
};
已解码访问令牌:
"iss": "http://localhost:5001",
"aud": "http://localhost:5001/resources",
如您所见,发行人和观众的说法相同,但都是错误的。
但即使范围也是正确的。
非常感谢任何帮助。
Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'http://localhost:5001/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.
这是我遇到的最后一个错误。
http://localhost:5001/resources 是一个通用资源,当您没有定义任何 ApiResources 或将其与请求的 ApiScope 关联时添加。
根据文档 here,它说:
When using the scope-only model, no aud (audience) claim will be added
to the token since this concept does not apply. If you need an aud
claim, you can enable the EmitStaticAudienceClaim setting on the
options. This will emit an aud claim in the issuer_name/resources
format. If you need more control of the aud claim, use API resources.
要让 api1.rw 成为您的受众,您需要将 ApiResource 添加到您的 IdentityServer 配置中。您可以命名 ApiResource 和 ApiScope api1.rw
我正在为带有 Identityserver4 的 vuejs 客户端使用代码流。
我添加了 RequirePkce 并且我可以从 oidc-client 获取访问令牌和 ID 令牌。
但是访问令牌 aud 声明指向的是 Identityserver4 基地址,而不是我的 api 资源。
会不会有什么问题?
客户:
new Client
{
ClientId = "js.admin",
ClientName = "admin dashboard vuejs client.",
RequirePkce = true,
RequireClientSecret = false,
RequireConsent = false,
AllowedGrantTypes = GrantTypes.Code,
AllowAccessTokensViaBrowser = true,
RedirectUris = new List<string>
{
"http://localhost:8080",
"http://localhost:8080/logincb.html",
"http://localhost:8080/silent-renew.html"
},
PostLogoutRedirectUris = new List<string>
{
"http://localhost:8080/",
"http://localhost:8080"
},
AllowedCorsOrigins = new List<string>
{
"http://localhost:8080"
},
AllowedScopes = new List<string>
{
"openid",
"role",
"profile",
"api1.rw",
"email",
"phone"
}
}
oidc 客户端设置:
const clientSettings = {
userStore: new WebStorageStateStore({ store: window.localStorage }),
authority: STS_DOMAIN,
client_id: "js.admin",
redirect_uri: "http://localhost:8080/logincb.html",
automaticSilentRenew: true,
silent_redirect_uri: "http://localhost:8080/silent-renew.html",
response_type: "code",
scope: "openid profile api1.rw role email phone",
post_logout_redirect_uri: "http://localhost:8080/",
filterProtocolClaims: true
};
已解码访问令牌:
"iss": "http://localhost:5001",
"aud": "http://localhost:5001/resources",
如您所见,发行人和观众的说法相同,但都是错误的。
但即使范围也是正确的。 非常感谢任何帮助。
Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'http://localhost:5001/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.
这是我遇到的最后一个错误。
http://localhost:5001/resources 是一个通用资源,当您没有定义任何 ApiResources 或将其与请求的 ApiScope 关联时添加。
根据文档 here,它说:
When using the scope-only model, no aud (audience) claim will be added to the token since this concept does not apply. If you need an aud claim, you can enable the EmitStaticAudienceClaim setting on the options. This will emit an aud claim in the issuer_name/resources format. If you need more control of the aud claim, use API resources.
要让 api1.rw 成为您的受众,您需要将 ApiResource 添加到您的 IdentityServer 配置中。您可以命名 ApiResource 和 ApiScope api1.rw