我有两个服务,API和IdentityService4,托管在Azure上的Kubernetes(Azure KubernetesService(。
当我通过Visual Studio运行服务时,一切都正常,并且IS4正确地验证了令牌。然而,当我试图调用"上的任何请求时;生产";这需要授权,我得到以下例外:
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
---> System.ArgumentException: IDX20108: The address specified 'System.String' is not valid as per HTTPS scheme. Please specify an https address for security reasons. If you want to test with http address, set the RequireHttps property on IDocumentRetriever to false. (Parameter 'address')
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.ConfigurationManager'1.GetConfigurationAsync(CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.ConfigurationManager'1.GetConfigurationAsync(CancellationToken cancel)
我发现了这个问题:https://github.com/IdentityServer/IdentityServer4/issues/4645并使用了这个解决方案:
app.Use((context, next) => { context.Request.Scheme = "https"; return next(); });
但我不确定这是否是一个";"安全";解决方案,因为它看起来有点粗鲁。
API配置
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Authority = "https://mylinkttoIS4.com";
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false
};
});
services.AddAuthorization();
services.AddHttpContextAccessor();
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
app.Use((context, next) => { context.Request.Scheme = "https"; return next(); });
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers().RequireAuthorization();
});
}
IdentityServer4配置
public void ConfigureServices(IServiceCollection services)
{
var databaseConnectionString = Configuration.GetConnectionString("DefaultConnection");
services.AddDbContext<DatabaseContext>(options => options.UseSqlServer(databaseConnectionString));
services.AddIdentity<User, IdentityRole<Guid>>().AddEntityFrameworkStores<DatabaseContext>()
.AddDefaultTokenProviders();
services.AddIdentityServer()
.AddSigningCredentialBasedOnEnvironment(Configuration, Environment)
.AddInMemoryApiScopes(IdentityServerConfig.ApiScopes)
.AddInMemoryClients(IdentityServerConfig.Clients)
.AddAspNetIdentity<User>()
.AddOperationalStore(options =>
{
options.ConfigureDbContext = builder => builder.UseSqlServer(databaseConnectionString, sql => sql.MigrationsAssembly(typeof(Startup).GetTypeInfo().Assembly.GetName().Name));
options.DefaultSchema = "identity";
})
.AddResourceOwnerValidator<CustomResourceOwnerPasswordValidator>();
services.AddTransient<ISmsSender, SmsSender>();
}
public void Configure(IApplicationBuilder app)
{
app.UseHttpsRedirection();
app.UseIdentityServer();
}
你知道这条线在干什么吗?在生产环境中使用安全吗?也许是Azure配置的问题?
这取决于您在Kestrel或Azure中终止HTTPS的位置。。。Azure中的许多服务将在您的应用程序外部终止HTTPS,然后将流量作为HTTP发送到您的服务。
{internet}->HTTPS->{Azure负载平衡器/网关…}->HTTP->{您的应用程序}
也可能是由于网络配置,客户端无法访问IdentityServer。