我相信答案是显而易见的,但我现在想不起来。
我得到一个403当我的代码试图调用/connect/userinfo和消息是"insufficient_scope"。
https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Validation/TokenValidator.cs L153
上面的代码行检查JWT中的范围声明,并希望找到值为"openid"以使/connect/userinfo端点工作。
在我的JWT中,如果有如下内容:
"scope": "openid"
…那么端点就没问题了。相反,如果我输入:
"scope": ["openid", "email", "profile"]
…然后它就失败了。
我应该永远没有范围声明的列表/数组吗?也许我遗漏了某个配置设置?
更新代码
抱歉。当然,代码会使问题更清楚。
客户端存储
public ClientStore()
{
_clients = new List<Client>
{
new Client
{
AlwaysSendClientClaims = true,
RequireConsent = false,
Enabled = true,
ClientName = @"MVC Client",
ClientId = @"mvc",
PostLogoutRedirectUris = new List<string>
{
"http://localhost:8080/index.html"
},
RedirectUris = new List<string>
{
"http://localhost:8080/loginCallback.html"
}
}
};
}
存储范围
public ScopeStore()
{
var scopes = new List<Scope>
{
StandardScopes.OpenId,
StandardScopes.Profile,
StandardScopes.Email,
StandardScopes.Address,
StandardScopes.AllClaims,
StandardScopes.RolesAlwaysInclude
};
_scopes = scopes;
}
Startup.cs
var certFile = env.ApplicationBasePath + "/cert.pfx";
app.Map("/core", core =>
{
var factory = new IdentityServerServiceFactory();
var configuration = new Configuration();
configuration.AddJsonFile("config.json");
var userService = new EndUserService(configuration.Get("ConnectionString"));
factory.UserService = new Registration<IUserService>(resolver => userService);
var scopeStore = new ScopeStore();
factory.ScopeStore = new Registration<IScopeStore>(resolver => scopeStore);
var clientStore = new ClientStore();
factory.ClientStore = new Registration<IClientStore>(resolver => clientStore);
var cert = new X509Certificate2(certFile, "test");
var idsrvOptions = new IdentityServerOptions
{
CorsPolicy = CorsPolicy.AllowAll,
Factory = factory,
RequireSsl = false,
SigningCertificate = cert,
LoggingOptions = new LoggingOptions() {
EnableWebApiDiagnostics = true,
EnableHttpLogging = true
}
};
core.UseIdentityServer(idsrvOptions);
});
Login.html
var config = {
client_id: "mvc",
redirect_uri: "http://localhost:8080/loginCallback.html",
response_type: "id_token token",
scope: "openid email profile",
authority: "http://localhost:44319/core",
post_logout_redirect_uri: "http://localhost:8080/index.html"
};
var mgr = new OidcTokenManager(config);
更新# 2
拍,这是单声道对Windows的事情。在Windows中工作正常,在Mono中损坏。已知问题:https://github.com/IdentityServer/IdentityServer3/issues/1373#issuecomment-104756822
原来微软的JWT库在解释JWT声明时存在一个bug。如下所述:https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/153
等待拉取请求被接受或以其他方式解决问题。
看起来您请求的范围在您的身份服务器实现中的客户端配置中未启用。
你应该像这样给客户和他们的ScopeRestrictions上一堂课。您需要将电子邮件和配置文件范围添加到该范围列表中。