response.Error “Forbidden” in IdentityServer3 Flows.ClientCredentials

十年热恋 submitted on 2019-12-13 07:08:29

Question


I have a client in my IdentityServer3:

new Client
{
    ClientName = "Client Credentials Flow Client With Certificate",
    Enabled = true,
    ClientId = "cc.WithCertificate",
    Flow = Flows.ClientCredentials,

    ClientSecrets = new List<Secret>
        {
            new Secret
            {
                Value = "61B754C541BBCFC6A45A9E9EC5E47D8702B78C29",
                Type = Constants.SecretTypes.X509CertificateThumbprint,
                Description = "Client Certificate"
            },
        },

    AllowedScopes = new List<string>
        {
            "read"
        }
},

In the client Windows Forms application I'm using "Client.pfx", downloaded from the URL https://github.com/IdentityServer/IdentityServer3.Samples/blob/master/source/Clients/ClientCertificateConsoleClient/Client.pfx

The client certificate has the thumbprint

Thumbprint = "61B754C541BBCFC6A45A9E9EC5E47D8702B78C29"

The Client Code is

var cert = new X509Certificate2("Client.pfx");

var handler = new WebRequestHandler();
handler.ClientCertificates.Add(cert);

string tokenEndPoint = ConfigurationManager.AppSettings["TokenEndpoint"];

var client = new TokenClient(
    tokenEndPoint,
    "cc.WithCertificate",
    handler);

// Calling the Token Service
var response = client.RequestClientCredentialsAsync("read").Result;

I did the configuration as specified in https://identityserver.github.io/Documentation/docsv2/advanced/clientCerts.html

<location path="core/connect/token">
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert" />
    </security>
  </system.webServer>
</location>

Initially it gave me an Internal Server Error; later I changed the following mode to "Allow"

File Path: C:\Windows\System32\inetsrv\config\applicationHost.config

<section name="access" overrideModeDefault="Deny" />

to

<section name="access" overrideModeDefault="Allow" />

After that, the response comes back with an error status code: response.Error = "Forbidden"

Herewith I have attached a snapshot of the response object.

Kindly help me fix this issue and get the access token using the client certificate.


Answer 1:


You are using the "Client.pfx" certificate on the client side and you are passing it to the IdentityServer through the HTTP request.

The said certificate has a root certificate named "DevRoot". It should be in the Trusted Root Certification Authorities; otherwise IIS will not allow the request and will return status code 403 Forbidden.

Kindly have a look at the snapshot; it shows the information of "Client.pfx".

So, ensure that "DevRoot" is installed in the "Trusted Root Certification Authorities".

If it is not there, kindly download "DevRoot.cer" and import it into the said path (i.e., Trusted Root Certification Authorities).

DevRoot.cer download URL: https://github.com/IdentityServer/IdentityServer3.Samples/blob/master/source/Certificates/DevRoot.cer
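
A way to confirm the chain problem this answer describes, as an added example that is not part of the original post or of the IdentityServer3 samples: a small C# console check, run on the IdentityServer host, that builds the chain for Client.pfx against the machine certificate stores and compares the leaf thumbprint with the one registered on the client. The class name and command-line arguments are assumptions; the default thumbprint is the one from the question.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Hypothetical diagnostic, not IdentityServer code.
class ClientCertChainCheck
{
    static int Main(string[] args)
    {
        // Assumed arguments: [0] certificate file, [1] thumbprint configured in ClientSecrets.
        string path = args.Length > 0 ? args[0] : "Client.pfx";
        string expected = args.Length > 1 ? args[1] : "61B754C541BBCFC6A45A9E9EC5E47D8702B78C29";
        var cert = new X509Certificate2(path);

        // true = evaluate against the LocalMachine stores, which is what IIS consults,
        // not the stores of the interactive user running this check.
        var chain = new X509Chain(true);
        // Test certificates have no reachable CRL/OCSP endpoint; look only at trust.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool chainOk = chain.Build(cert);

        Console.WriteLine("Leaf: {0} ({1})", cert.Subject, cert.Thumbprint);
        foreach (X509ChainElement element in chain.ChainElements)
            Console.WriteLine("  element: {0}", element.Certificate.Subject);

        bool rootProblem = false;
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            Console.WriteLine("  status: {0} - {1}", status.Status,
                (status.StatusInformation ?? "").Trim());
            // UntrustedRoot: the root was found but is not in Trusted Root Certification Authorities.
            // PartialChain: the issuer certificate could not be found in any store.
            var rootFlags = X509ChainStatusFlags.UntrustedRoot | X509ChainStatusFlags.PartialChain;
            if ((status.Status & rootFlags) != 0)
                rootProblem = true;
        }

        bool thumbprintOk = string.Equals(cert.Thumbprint, expected,
            StringComparison.OrdinalIgnoreCase);

        if (rootProblem)
            Console.WriteLine("Root is not trusted on this machine: import the issuing root into LocalMachine\\Root.");
        if (!thumbprintOk)
            Console.WriteLine("Thumbprint differs from the configured secret: the token endpoint will reject the client.");

        return chainOk && thumbprintOk ? 0 : 1;
    }
}
```

An untrusted or partial chain here points at the IIS-level 403, while a thumbprint mismatch with a clean chain points at the client secret configured in IdentityServer.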



Source: https://stackoverflow.com/questions/42803108/response-error-forbidden-in-identityserver3-flows-clientcredentials
