具有Google身份验证和邮递员的IdentityServer4
红翼飞机
我将IdentityServer4和IdentityServer4.UI与authorization_code和一起使用Google authentication。
这是我的Startup.cs:
public void ConfigureServices(IServiceCollection services)
{
// ...
const string connectionString = @"Data Source=.\SQLEXPRESS;database=Is4.LearnIs4;trusted_connection=yes;";
var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;
services
.AddIdentityServer()
.AddDeveloperSigningCredential()
//.AddProfileService<IdentityServerProfileService>()
//.AddResourceOwnerValidator<ResourceOwnerPasswordValidator>()
// this adds the config data from DB (clients, resources)
.AddConfigurationStore(options =>
{
options.ConfigureDbContext = builder =>
{
builder.UseSqlServer(connectionString,
sql => sql.MigrationsAssembly(migrationsAssembly));
};
})
// this adds the operational data from DB (codes, tokens, consents)
.AddOperationalStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(connectionString,
sql => sql.MigrationsAssembly(migrationsAssembly));
// this enables automatic token cleanup. this is optional.
options.EnableTokenCleanup = true;
});
// Add jwt validation.
services
.AddAuthentication()
.AddGoogle("Google", options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.ClientId = "<my-client-id>";
options.ClientSecret = "<my-secret>";
options.AccessType = "offline";
})
.AddOpenIdConnect("demoidsrv", "IdentityServer", options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.SignOutScheme = IdentityServerConstants.SignoutScheme;
options.Authority = "http://localhost:57547";
options.ClientId = "implicit";
options.ResponseType = "id_token";
options.SaveTokens = true;
options.CallbackPath = new PathString("/signin-idsrv");
options.SignedOutCallbackPath = new PathString("/signout-callback-idsrv");
options.RemoteSignOutPath = new PathString("/signout-idsrv");
options.RequireHttpsMetadata = false;
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "role"
};
});
// ...
}
这些是我的客户端配置:
/// <summary>
/// Seed database.
/// </summary>
/// <param name="app"></param>
public static void Seed(IApplicationBuilder app)
{
using (var serviceScope = app.ApplicationServices.GetService<IServiceScopeFactory>().CreateScope())
{
serviceScope.ServiceProvider.GetRequiredService<PersistedGrantDbContext>().Database.Migrate();
var context = serviceScope.ServiceProvider.GetRequiredService<ConfigurationDbContext>();
context.Database.Migrate();
if (!context.Clients.Any())
{
foreach (var client in LoadClients())
context.Clients.Add(client.ToEntity());
context.SaveChanges();
}
if (!context.IdentityResources.Any())
{
foreach (var resource in LoadIdentityResources())
context.IdentityResources.Add(resource.ToEntity());
context.SaveChanges();
}
if (!context.ApiResources.Any())
{
foreach (var resource in LoadApiResources())
context.ApiResources.Add(resource.ToEntity());
context.SaveChanges();
}
}
}
/// <summary>
/// Load pre-defined identity resource.
/// </summary>
/// <returns></returns>
private static IEnumerable<IdentityResource> LoadIdentityResources()
{
var identityResources = new List<IdentityResource>();
identityResources.Add(new IdentityResources.OpenId());
identityResources.Add(new IdentityResources.Profile());
return identityResources;
}
/// <summary>
/// Load pre-defined api resources.
/// </summary>
/// <returns></returns>
private static IEnumerable<ApiResource> LoadApiResources()
{
var apiResources = new List<ApiResource>();
var api1Resource = new ApiResource("api1", "My API");
api1Resource.ApiSecrets = new List<Secret>();
api1Resource.ApiSecrets.Add(new Secret("secret".Sha256()));
apiResources.Add(api1Resource);
return apiResources;
}
/// <summary>
/// Load pre-defined clients.
/// </summary>
/// <returns></returns>
private static IEnumerable<Client> LoadClients()
{
var clients = new List<Client>();
var clientCredentialClient = new Client();
clientCredentialClient.ClientId = "client";
clientCredentialClient.AllowedGrantTypes = GrantTypes.ClientCredentials;
clientCredentialClient.ClientSecrets = new List<Secret>();
clientCredentialClient.ClientSecrets.Add(new Secret("secret".Sha256()));
clientCredentialClient.AllowedScopes = new List<string>();
clientCredentialClient.AllowedScopes.Add("api1");
clients.Add(clientCredentialClient);
var resourceOwnerPasswordClient = new Client();
resourceOwnerPasswordClient.ClientId = "ro.client";
resourceOwnerPasswordClient.AllowedGrantTypes = new List<string>();
resourceOwnerPasswordClient.AllowedGrantTypes.Add(GrantType.ResourceOwnerPassword);
resourceOwnerPasswordClient.AllowedGrantTypes.Add("refresh_token");
resourceOwnerPasswordClient.ClientSecrets = new List<Secret>();
resourceOwnerPasswordClient.ClientSecrets.Add(new Secret("secret".Sha256()));
resourceOwnerPasswordClient.AllowedScopes = new List<string>();
resourceOwnerPasswordClient.AllowedScopes.Add("api1");
resourceOwnerPasswordClient.AllowOfflineAccess = true;
resourceOwnerPasswordClient.RefreshTokenExpiration = TokenExpiration.Sliding;
resourceOwnerPasswordClient.RefreshTokenUsage = TokenUsage.ReUse;
resourceOwnerPasswordClient.SlidingRefreshTokenLifetime = 3600;
clients.Add(resourceOwnerPasswordClient);
var authorizationCodeClient = new Client();
authorizationCodeClient.ClientId = "mvc";
authorizationCodeClient.ClientName = "MVC Client";
authorizationCodeClient.AllowedGrantTypes = new List<string>();
authorizationCodeClient.AllowedGrantTypes.Add(GrantType.AuthorizationCode);
authorizationCodeClient.ClientSecrets = new List<Secret>();
authorizationCodeClient.ClientSecrets.Add(new Secret("secret".Sha256()));
authorizationCodeClient.RedirectUris = new List<string>();
authorizationCodeClient.RedirectUris.Add("http://localhost:4300");
authorizationCodeClient.PostLogoutRedirectUris = new List<string>();
authorizationCodeClient.PostLogoutRedirectUris.Add("http://localhost:5002/signout-callback-oidc");
authorizationCodeClient.RequirePkce = false;
authorizationCodeClient.AllowedScopes = new List<string>();
authorizationCodeClient.AllowedScopes.Add(IdentityServerConstants.StandardScopes.OpenId);
authorizationCodeClient.AllowedScopes.Add(IdentityServerConstants.StandardScopes.Profile);
authorizationCodeClient.AllowedScopes.Add("api1");
authorizationCodeClient.AllowOfflineAccess = true;
authorizationCodeClient.RequireConsent = false;
clients.Add(authorizationCodeClient);
var codeClient = new Client();
codeClient.ClientId = "js";
codeClient.ClientName = "JavaScript Client";
codeClient.AllowedGrantTypes = GrantTypes.Code;
codeClient.RequirePkce = true;
codeClient.RequireClientSecret = false;
codeClient.RedirectUris = new List<string>();
codeClient.RedirectUris.Add("http://localhost:5003/callback.html");
codeClient.PostLogoutRedirectUris = new List<string>();
codeClient.PostLogoutRedirectUris.Add("http://localhost:5003/index.html");
codeClient.AllowedCorsOrigins = new List<string>();
codeClient.AllowedCorsOrigins.Add("http://localhost:5003");
codeClient.AllowedScopes = new List<string>();
codeClient.AllowedScopes.Add(IdentityServerConstants.StandardScopes.OpenId);
codeClient.AllowedScopes.Add(IdentityServerConstants.StandardScopes.Profile);
codeClient.AllowedScopes.Add("api1");
clients.Add(codeClient);
return clients;
}
我向IdentityServer4发出了请求,如下图所示:
显示一个弹出窗口:
如果使用username和登录password,我可以得到access_token。但是当我点击Google按钮时Account/Login,我什么也收不到access token。
这就是我得到的Visual Studio ouput:
IdentityServer4.EntityFramework.Stores.PersistedGrantStore:Debug: P+z5g2/MhMzrbCEGMZOgx06VKeB38F1yx/y3C08vZlo= found in database: False
IdentityServer4.Stores.DefaultAuthorizationCodeStore:Debug: authorization_code grant with value: 4/KQGa0Oj2BztGi86v5SbFD0oVvnXIV8dZWFAQS16O-tyFVOcZXWvRQbByFb18Hhco5SgmkAQtPvk1ZD8lY8eLN9Q not found in store.
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request finished in 338.1411ms 500 text/html; charset=utf-8
IdentityServer4.Validation.TokenRequestValidator:Error: Invalid authorization code{ code = 4/KQGa0Oj2BztGi86v5SbFD0oVvnXIV8dZWFAQS16O-tyFVOcZXWvRQbByFb18Hhco5SgmkAQtPvk1ZD8lY8eLN9Q }, details: {
"ClientId": "mvc",
"ClientName": "MVC Client",
"GrantType": "authorization_code",
"AuthorizationCode": "4/KQGa0Oj2BztGi86v5SbFD0oVvnXIV8dZWFAQS16O-tyFVOcZXWvRQbByFb18Hhco5SgmkAQtPvk1ZD8lY8eLN9Q",
"Raw": {
"grant_type": "authorization_code",
"code": "4/KQGa0Oj2BztGi86v5SbFD0oVvnXIV8dZWFAQS16O-tyFVOcZXWvRQbByFb18Hhco5SgmkAQtPvk1ZD8lY8eLN9Q",
"redirect_uri": "http://localhost:57547/signin-idsrv",
"client_id": "mvc",
"client_secret": "***REDACTED***"
}
}
我做错什么了吗?
谢谢。
红翼飞机
似乎被authorization_code授予不适合这种情况。当我更改authorization_code为hybrid授予时,它可以工作。
实际上,我更改了:
authorizationCodeClient.AllowedGrantTypes = new List<string>();
authorizationCodeClient.AllowedGrantTypes.Add(GrantType.AuthorizationCode);
至
authorizationCodeClient.AllowedGrantTypes = GrantTypes.Hybrid;
使用https://oidcdebugger.com/生成查询字符串:
神奇的是,我可以使用帐户和密码以及Google帐户登录系统。
希望这可以像我一样帮助某人卡在IdentityServer4中。
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
编辑于
相关文章
TOP 榜单
- 1
隐藏发件人没有短信PHP
- 2
Hashchange事件侦听器在将事件处理程序附加到事件之前进行侦听
- 3
在浏览器中请求URL时会发生什么?
- 4
flask-admin 如何自定义删除按钮
- 5
材质UI垂直滑块。如何改变在垂直材料UI滑块导轨的厚度(反应)
- 6
用日期数据透视表和日期顺序查询
- 7
Jqgrid:多级别组摘要
- 8
java io ioexception无法解析服务器地址解析器的响应
- 9
Swift如何使用Base64Url编码JWT标头和有效负载之类的json对象
- 10
sshd AllowGroups组未授予访问权限
- 11
jQuery无限滚动固定div中的滚动
- 12
android 背部按下
- 13
Flexbox CSS 对齐属性环境惰性?
- 14
为什么随机森林中的平均降低基尼系数取决于人口规模?
- 15
ClickHouse 创建临时表
- 16
为什么PlusShare.Builder setRecipients方法不起作用?
- 17
如何在Android中识别MICR代码
- 18
PyQt4.QtCore模块无法向sip模块注册
- 19
正则表达式,用于查找所有以任何字母开头和数字开头的文件
- 20
是否可以通过编程方式对很多动画进行重新着色?
- 21
机器密钥生成
我来说两句