解决 Identity Server 的 invalid_scope（无效作用域）错误



我是 Identity Server 的新手，最近为一个项目配置了它，但一直遇到以下错误：

对不起，出现了一个错误：invalid_scope（无效作用域）

应用程序由以下组件组成：

Web Client -> ASP.NET Core Razor Pages 应用程序（端口：7091）

Ocelot → API 网关

Identity Server 6（端口：5001）

StripeDotNet → API

Basket → API

我的配置/代码如下:

Identity Server

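/// <summary>
/// In-memory IdentityServer configuration: identity resources, API scopes and clients.
/// </summary>
public static class Config
{
    /// <summary>Identity (user-claim) scopes the server can issue: openid and profile.</summary>
    public static IEnumerable<IdentityResource> IdentityResources =>
        new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            // new IdentityResources.Email(),
        };

    /// <summary>API scopes that may be requested in an access token.</summary>
    public static IEnumerable<ApiScope> ApiScopes =>
        new List<ApiScope>
        {
            new ApiScope("stripedotnetapi", "StripeDotNet API")
        };

    /// <summary>Registered clients.</summary>
    public static IEnumerable<Client> Clients =>
        new List<Client>
        {
            // interactive ASP.NET Core MVC client
            new Client
            {
                ClientId = "razorweb",
                ClientName = "Razor Web",
                // NOTE(review): a shared, hard-coded secret is acceptable for local development
                // only; load it from configuration / a secret store before deploying.
                ClientSecrets = { new Secret("secret".Sha256()) },
                AllowedGrantTypes = GrantTypes.Code,

                // The web client requests "offline_access" (a refresh token). That scope is
                // not granted through AllowedScopes; the client has to be explicitly permitted
                // to use it, otherwise the authorize request fails with invalid_scope.
                AllowOfflineAccess = true,

                // where to redirect to after login
                RedirectUris = { "https://localhost:7091/signin-oidc" },
                //FrontChannelLogoutUri = "https://localhost:7091/signout-callback-oidc",
                // where to redirect to after logout
                PostLogoutRedirectUris = { "https://localhost:7091/signout-callback-oidc" },
                AllowedScopes = new List<string>
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    // IdentityServerConstants.StandardScopes.Email,
                    "stripedotnetapi"
                }
            }
        };
}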

Identity Server: Hosting Extensions

// Register IdentityServer with every event category raised (useful while
// diagnosing invalid_scope and similar failures in the server log) and wire
// the in-memory stores from Config; ApplicationUser comes from ASP.NET Core Identity.
var identityServerBuilder = builder.Services.AddIdentityServer(options =>
{
    options.Events.RaiseErrorEvents = true;
    options.Events.RaiseInformationEvents = true;
    options.Events.RaiseFailureEvents = true;
    options.Events.RaiseSuccessEvents = true;
    // see https://docs.duendesoftware.com/identityserver/v6/fundamentals/resources/
    options.EmitStaticAudienceClaim = true;
});

// Each call returns the same builder, so the chain can be written as separate statements.
identityServerBuilder.AddInMemoryIdentityResources(Config.IdentityResources);
identityServerBuilder.AddInMemoryApiScopes(Config.ApiScopes);
identityServerBuilder.AddInMemoryClients(Config.Clients);
identityServerBuilder.AddAspNetIdentity<ApplicationUser>();
StripeDotNet API
/// <summary>
/// Configures JWT bearer authentication against the identity server and an
/// "ApiScope" authorization policy that requires the "stripedotnetapi" scope claim.
/// </summary>
/// <param name="services">The service collection to register into.</param>
/// <returns>The same <paramref name="services"/> instance, for chaining.</returns>
public static IServiceCollection AddSecurityServices(this IServiceCollection services)
{
    var authentication = services.AddAuthentication("Bearer");
    authentication.AddJwtBearer(jwt =>
    {
        jwt.Authority = "https://localhost:5001";
        // NOTE(review): with audience validation off, any token issued by this authority
        // is accepted here; the scope check in the policy below is the only thing tying
        // the token to this API. Consider validating the audience (an ApiResource, or the
        // static audience claim the server is configured to emit) beyond local development.
        jwt.TokenValidationParameters.ValidateAudience = false;
    });

    services.AddAuthorization(authorization =>
    {
        // Callers must be authenticated and carry the API scope in their access token.
        authorization.AddPolicy("ApiScope", policy =>
            policy.RequireAuthenticatedUser()
                  .RequireClaim("scope", "stripedotnetapi"));
    });

    return services;
}

StripeDotNet API: Controller Code

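/// <summary>
/// Stripe Checkout endpoints. Every action requires a bearer token that
/// satisfies the "ApiScope" policy (the "stripedotnetapi" scope claim).
/// </summary>
[Route("api/[controller]")]
[Authorize("ApiScope")]
public class CheckoutController : BaseController
{
    private readonly ICheckoutService _checkoutService;

    public CheckoutController(ICheckoutService checkoutService)
    {
        _checkoutService = Guard.Against.Null(checkoutService, nameof(checkoutService));
    }

    // NOTE(review): a GET carrying a JSON body is non-standard; many clients and proxies
    // drop the body on GET, so req arrives null. This should become [HttpPost], together
    // with the gateway route's UpstreamHttpMethod; kept as GET here so it still matches
    // the current Ocelot configuration.
    /// <summary>Creates a Checkout session for the given tenant and price.</summary>
    /// <param name="req">Session parameters read from the request body.</param>
    /// <returns>200 with the service response, or 400 when no body was bound.</returns>
    [HttpGet]
    public async Task<IActionResult> CreateCheckoutSession([FromBody] CreateCheckoutSessionRequest req)
    {
        // Unless the base controller is marked [ApiController], a missing or unbindable
        // body arrives as null and would otherwise surface as a NullReferenceException (500).
        if (req is null)
        {
            return BadRequest();
        }

        var response = await _checkoutService.CreateCheckoutSessionAsync(req.TenantId, req.PriceId,
            req.SuccessUrl, req.CancelUrl);
        return Ok(response);
    }

    /// <summary>Returns the Checkout session with the given id.</summary>
    /// <param name="sessionId">Session id taken from the route.</param>
    /// <returns>200 with the service response.</returns>
    [HttpGet("{sessionId}")]
    public async Task<IActionResult> GetCheckoutSession(string sessionId)
    {
        var response = await _checkoutService.GetCheckoutSessionAsync(sessionId);
        return Ok(response);
    }
}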

Ocelot API Gateway

// The gateway validates incoming bearer tokens itself, under a named scheme that the
// Ocelot route configuration refers to via "AuthenticationProviderKey".
string authenticationProviderKey = "IdentityApiKey";

var gatewayAuthentication = builder.Services.AddAuthentication();
gatewayAuthentication.AddJwtBearer(authenticationProviderKey, jwt =>
{
    jwt.Authority = "https://localhost:5001"; // IDENTITY SERVER URL
    // NOTE(review): audience validation is disabled here as in the downstream API, so the
    // gateway accepts any token this authority issued; with the route's "AllowedScopes"
    // empty, no scope check happens at the gateway either.
    jwt.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateAudience = false
    };
});

Ocelot API Gateway: Configuration file

{
"UpStreamPathTemplate": "/api/Checkout",
"UpstreamHttpMethod": [ "Get" ],
"DownstreamScheme": "https",
"DownstreamHostAndPorts": [
{
"Host": "localhost",
"Port": 7056
}
],
"DownstreamPathTemplate": "/api/Checkout",
"AuthenticationOptions": {
"AuthenticationProviderKey": "IdentityApiKey",
"AllowedScopes": []
}
},
{
"UpStreamPathTemplate": "/api/Checkout/{sessionId}",
"UpstreamHttpMethod": [ "Get" ],
"DownstreamScheme": "https",
"DownstreamHostAndPorts": [
{
"Host": "localhost",
"Port": 7056
}
],
"DownstreamPathTemplate": "/api/Checkout/{sessionId}",
"AuthenticationOptions": {
"AuthenticationProviderKey": "IdentityApiKey",
"AllowedScopes": []
}
},

Web 客户端

/// <summary>
/// Configures cookie + OpenID Connect (authorization code flow) sign-in against the
/// identity server for the Razor Pages client.
/// </summary>
/// <param name="services">The service collection to register into.</param>
/// <returns>The same <paramref name="services"/> instance, for chaining.</returns>
public static IServiceCollection AddSecurityServices(this IServiceCollection services)
{
    // Disable the default inbound claim-type mapping so claim names stay as issued (e.g. "sub").
    JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

    var authentication = services.AddAuthentication(schemes =>
    {
        schemes.DefaultScheme = "Cookies";
        schemes.DefaultChallengeScheme = "oidc";
    });

    authentication.AddCookie("Cookies");
    authentication.AddOpenIdConnect("oidc", oidc =>
    {
        oidc.Authority = "https://localhost:5001";
        oidc.ClientId = "razorweb";
        // NOTE(review): the client secret is hard-coded for local development; move it to
        // configuration / a secret store before deployment.
        oidc.ClientSecret = "secret";
        oidc.ResponseType = "code";

        // Request exactly these scopes. "offline_access" asks for a refresh token and must
        // also be permitted on the server-side client definition (AllowOfflineAccess);
        // otherwise the server rejects the request with invalid_scope.
        oidc.Scope.Clear();
        oidc.Scope.Add("openid");
        oidc.Scope.Add("profile");
        //oidc.Scope.Add("email");
        oidc.Scope.Add("stripedotnetapi");
        oidc.Scope.Add("offline_access");

        // Persist the tokens in the authentication cookie so the app can call the API with them.
        oidc.SaveTokens = true;
        oidc.GetClaimsFromUserInfoEndpoint = true;
    });

    return services;
}

我的发现端点（discovery endpoint）把以下各项列为受支持的作用域：

"scopes_supported": [
"openid",
"profile",
"stripedotnetapi",
"offline_access"
],

受支持的作用域看起来与 Web 客户端的配置一致，但我仍然一直收到 invalid_scope 错误。如有任何指导，将不胜感激。

已解决。我没有仔细阅读文档：客户端没有被授予离线访问（offline_access）权限，需要加上：

AllowOfflineAccess = true,
