我正试图在Blazor WASM(一个Asp.Net托管的解决方案(中获取IdentityServer 6以使用Microsoft id,但遇到了错误消息";AADSTS90023:公共客户端不能发送客户端机密";。我觉得我已经尝试了我能想到的每一种配置,但希望我还是错过了一些。
IdentityServer配置使用"SPA"配置文件,我认为这对于我的场景是正确的:
"IdentityServer": {
"Clients": {
"Blazor.Client": {
"ClientId": "Blazor.Client",
"ClientName": "Blazor.Client",
"Profile": "SPA",
"RedirectUri": "https://localhost:15601",
"LogoutUri": "https://localhost:15601"
}
}
}
配置代码遵循最简单的示例:
.AddMicrosoftAccount(options =>
{
options.ClientId = <clientId>;
options.ClientSecret = <secret>
})
因为这些代码片段基本上是最简单的方法,所以我假设我的AzureAD应用程序注册有问题,但我不知道是什么。我已经包括清单:
{
"id": "<id>",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": 2,
"addIns": [],
"allowPublicClient": false,
"appId": "<apiId>",
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "2021-12-10T09:21:08Z",
"certification": null,
"disabledByMicrosoftStatus": null,
"groupMembershipClaims": null,
"identifierUris": [
"api://<apiId>"
],
"informationalUrls": {
"termsOfService": null,
"support": null,
"privacy": null,
"marketing": null
},
"keyCredentials": [],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"name": "<name>",
"oauth2AllowIdTokenImplicitFlow": false,
"oauth2AllowImplicitFlow": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [
{
"customKeyIdentifier": null,
"endDate": "2023-12-10T09:21:45.315Z",
"keyId": "<keyId>",
"startDate": "2021-12-10T09:21:45.315Z",
"value": null,
"createdOn": "2021-12-10T09:21:57.2927675Z",
"hint": "H1f",
"displayName": "<displayName>"
}
],
"preAuthorizedApplications": [],
"publisherDomain": "<publisherDomain>.onmicrosoft.com",
"replyUrlsWithType": [
{
"url": "https://localhost:15602/signin-microsoft",
"type": "Spa"
}
],
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "<someId>",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null,
"signInUrl": null,
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"tags": [],
"tokenEncryptionKeyId": null
}
是不支持这种情况,还是我做错了什么?
EDIT:最终问题出在重定向uri平台上,该平台不应设置为"SPA",而应设置为"Web",因为进行身份验证的不是客户端,而是IdentityServer Web服务。相关部分是:
"replyUrlsWithType": [
{
"url": "https://localhost:15602/signin-microsoft",
"type": "Web"
}
- 客户的秘密实际上必须保密,即;你不能把它放在网站上并从公共前端使用它。客户端凭据流设计也这么说
- Blazor webassembly应用程序被称为"公共"oAuth/openid术语中的"application">
注意:根据微软文档:
公共客户端(本机应用程序和单页应用程序(不得使用兑换授权码时的机密或证书-始终确保重定向URI正确指示应用
-
因此,请尝试禁用对IdP和刷新令牌的客户端机密的要求,因为它们也不能以安全/安全的方式处理。
-
建议您对公共客户端使用代码+PKCE,当您将response_type设置为code时,会自动发生这种情况。
参考:Microsoft身份平台和OAuth 2.0授权代码流-Microsoft身份平台|Microsoft Docs