UnauthorizedError: jwt audience invalid. expected:

I am trying to use IdentityServer4 to secure my node API.

import jwt from 'express-jwt';
import jwksClient from 'jwks-rsa';

// Base URL of the IdentityServer4 instance (the token's iss value). It is defined
// elsewhere in the project; read from an environment variable here so the module runs.
const identity_authority = process.env.IDENTITY_AUTHORITY;

export const jwtauth = jwt({
  // signing keys are fetched from the IdentityServer JWKS endpoint and cached
  secret: jwksClient.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 2,
    jwksUri: `${identity_authority}/.well-known/openid-configuration/jwks`
  }),
  // the received token's aud and iss claims must match these values
  audience: 'projectapi',
  issuer: `${identity_authority}`,
  algorithms: ['RS256']
});

I think I have set this up correctly, but when I call the API from the web application I get the following error:

UnauthorizedError: jwt audience invalid. expected: projectapi

From all the research I have done, some suggest that audience should be changed to aud: 'projectapi'; I tried that and it does not work.

using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

// members of the IdentityServer4 configuration class
public static IEnumerable<Client> Clients =>
    new Client[]
    {
        new Client
        {
            ClientId = "portal",
            ClientName = "portal",
            AllowedGrantTypes = GrantTypes.Implicit,
            AllowAccessTokensViaBrowser = true,
            RequireConsent = false,
            RedirectUris = new List<string> {
                "https://url/oidc-callback",
                "https://url/oidc-silent-renew.html"
            },
            PostLogoutRedirectUris = { "https://url/logout" },
            AllowedCorsOrigins = new List<string> { "https://url" },
            AllowedScopes = new List<string>
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                IdentityServerConstants.StandardScopes.Email,
                "authenticationapi",
                "projectapi",
                "workflowapi"
            }
        }
    };

public static IEnumerable<ApiScope> ApiScopes =>
    new List<ApiScope>
    {
        new ApiScope("authenticationapi", "Authentication API"),
        new ApiScope("projectapi", "Project API"),
        new ApiScope("workflowapi", "Project Workflow API")
    };

access_token:

{
  "nbf": 1597959828,
  "exp": 1597960728,
  "iss": "https://url",
  "aud": "https://url/resources",
  "client_id": "portal",
  "sub": "183d2e05-3c19-44c0-a8c5-bfa29320b10b",
  "auth_time": 1597959828,
  "idp": "local",
  "email": "text@email.com",
  "name": "text@email.com",
  "family_name": "test",
  "given_name": "test",
  "role": "User",
  "jti": "5CD7A8058DAE31615529A0EBCC7334E2",
  "sid": "BA53399482221C789A1BB07F393C2806",
  "iat": 1597959828,
  "scope": [
    "openid",
    "profile",
    "email",
    "projectapi",
    "workflowapi",
    "authenticationapi"
  ],
  "amr": [
    "pwd"
  ]
}

You have created API scopes, but I do not see any API resources in your code.

Please add an API resource named projectapi.

For the IdentityServer4 implementation you can refer here:

using System.Collections.Generic;
using IdentityServer4.Models;

public static IEnumerable<ApiResource> getApiResource()
{
    return new[]
    {
        new ApiResource
        {
            Name = "projectapi",
            DisplayName = "Api",
            Description = "your description",
            // scopes that belong to this resource; "projectapi" is the value the node API expects as aud
            Scopes = new List<string> { "projectapi" },
            ApiSecrets = new List<Secret> { new Secret("secretpassword".Sha256()) },
            // add the user claims that should be included in tokens for this resource
            UserClaims = new List<string> { }
        }
    };
}

Also register this resource in memory in Startup.cs:

.AddInMemoryApiResources(getApiResource()) // the function created above

Add this line where you add all the in-memory clients and API scopes.
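To show why the posted token fails the check and what the aud claim needs to look like after the fix above, here is an added example (not code from the question, the answer or express-jwt) that reimplements the audience comparison jsonwebtoken performs for express-jwt and runs it over the posted payload and over a constructed payload. It assumes that, once an ApiResource named projectapi owns the projectapi scope, IdentityServer4 adds "projectapi" to aud alongside the static resources value seen in the posted token.

```javascript
// Added example: reproduces the audience rule express-jwt delegates to jsonwebtoken.
// No network and no signature verification; the payloads are decoded claims built inline.

// The token's aud may be a string or an array; the expected audience may be a string,
// a RegExp or an array of those. The check passes when at least one token audience
// matches at least one expected value.
function audienceMatches(tokenAud, expected) {
  if (tokenAud === undefined) return false;
  const audiences = Array.isArray(tokenAud) ? tokenAud : [tokenAud];
  const targets = Array.isArray(expected) ? expected : [expected];
  return targets.some(target =>
    audiences.some(aud => (target instanceof RegExp ? target.test(aud) : aud === target))
  );
}

// Produces the same error text express-jwt surfaces when the check fails.
function checkAudience(payload, expected) {
  if (!audienceMatches(payload.aud, expected)) {
    const shown = [].concat(expected).join(' or ');
    return { ok: false, error: `jwt audience invalid. expected: ${shown}` };
  }
  return { ok: true };
}

// Relevant claims from the payload posted in the question: only ApiScopes exist,
// so aud carries just the static resources value and never "projectapi".
const postedPayload = {
  iss: 'https://url',
  aud: 'https://url/resources',
  client_id: 'portal',
  scope: ['openid', 'profile', 'email', 'projectapi', 'workflowapi', 'authenticationapi'],
};

// Constructed payload (assumption): what the same request yields once an ApiResource
// named "projectapi" owns the "projectapi" scope, keeping the static value as well.
const fixedPayload = {
  ...postedPayload,
  aud: ['https://url/resources', 'projectapi'],
};

// The audience configured in the express-jwt middleware from the question.
const API_AUDIENCE = 'projectapi';

console.log(checkAudience(postedPayload, API_AUDIENCE)); // rejected, as in the question
console.log(checkAudience(fixedPayload, API_AUDIENCE));  // accepted
```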
