Question
Please tell me why I cannot add any scope to OpenIdConnectOptions? It doesn't work with an ASP.NET Core MVC client, but with a JS client it works fine!
My code...
IdentityServer4 Client registration
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static IEnumerable<Client> GetClients()
{
    return new List<Client>
    {
        new Client
        {
            ClientId = "web",
            ClientName = "Web Client",
            // Implicit flow: tokens are returned to the browser from the authorize endpoint
            AllowedGrantTypes = GrantTypes.Implicit,
            AllowAccessTokensViaBrowser = true,
            AlwaysIncludeUserClaimsInIdToken = true,
            RedirectUris = {"http://localhost:5002/signin-oidc"},
            PostLogoutRedirectUris = {"http://localhost:5002/signout-callback-oidc"},
            AllowedCorsOrigins = {"http://localhost:5002"},
            // Two identity scopes plus the "api1" resource (API) scope
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "api1"
            },
            AccessTokenLifetime = 300,      // seconds
            IdentityTokenLifetime = 3600,   // seconds
            AllowOfflineAccess = true,
        }
    };
}
Next, I add code to the MVC client to use authorization.
MVC client
using System.IdentityModel.Tokens.Jwt;
using Microsoft.Extensions.DependencyInjection;

// Startup.ConfigureServices of the MVC client
public void ConfigureServices(IServiceCollection services)
{
    // Keep the short JWT claim type names ("role", "sub") instead of the mapped Microsoft URIs
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

    services.AddAuthorization(options =>
        options.AddPolicy("AdminsOnly", policyUser =>
        { policyUser.RequireClaim("role", "admin"); }));

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
        options.SignInScheme = "Cookies";
        options.Authority = "http://localhost:5000";
        options.RequireHttpsMetadata = false;
        options.GetClaimsFromUserInfoEndpoint = true;
        // The resource scope that triggers the error described below
        options.Scope.Add("api1");
        options.ClientId = "web";
        options.SaveTokens = true;
    });
}
When I try to switch to an action marked with the [Authorize] attribute, I get an error:
Sorry, there was an error : invalid_scope.
If I delete the line options.Scope.Add("api1"); then the authentication works. But in this case I cannot specify roles and more...
The project can be downloaded here
Answer 1:
Add this line to your MVC client's AddOpenIdConnect options to request an identity token and access token:
options.ResponseType = "id_token token";
Your JS client is asking for an identity token and an access token whereas the MVC client is only asking for an identity token and resource scopes are not allowed in identity tokens. See http://docs.identityserver.io/en/release/endpoints/authorize.html:
id_token requests an identity token (only identity scopes are allowed)
token requests an access token (only resource scopes are allowed)
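A complete MVC-client configuration that applies this answer, added here as an illustration (it is not the asker's project or the IdentityServer4 samples). It assumes the same client registration as in the question (ClientId "web", allowed scopes openid/profile/api1, AllowAccessTokensViaBrowser = true); the OidcClientSetup class and AdminController are hypothetical names chosen for the example.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Added example (hypothetical class name): MVC client setup that requests both an
// identity token and an access token from IdentityServer4 via the implicit flow.
public static class OidcClientSetup
{
    public static void ConfigureServices(IServiceCollection services)
    {
        // Keep the raw JWT claim types ("role", "sub") instead of the long Microsoft URIs.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        services.AddAuthorization(options =>
            options.AddPolicy("AdminsOnly", policy => policy.RequireClaim("role", "admin")));

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie("Cookies")
        .AddOpenIdConnect("oidc", options =>
        {
            options.SignInScheme = "Cookies";
            options.Authority = "http://localhost:5000"; // value from the question (local dev)
            options.RequireHttpsMetadata = false;        // only acceptable for local dev
            options.ClientId = "web";

            // The fix from the answer: ask for an access token as well as an identity token.
            // With only "id_token" there is no token that can carry the resource scope "api1",
            // so IdentityServer rejects the request with invalid_scope. The server-side
            // client must have AllowAccessTokensViaBrowser = true for this to be allowed.
            options.ResponseType = "id_token token";

            // Identity scopes end up in the id_token, the API scope in the access token.
            options.Scope.Clear();
            options.Scope.Add("openid");
            options.Scope.Add("profile");
            options.Scope.Add("api1");

            // Fetch extra user claims from the userinfo endpoint. The OIDC handler only
            // copies userinfo claims it has a mapping for, so map "role" explicitly.
            options.GetClaimsFromUserInfoEndpoint = true;
            options.ClaimActions.MapJsonKey("role", "role");

            // Store the tokens in the cookie session so the access token can be
            // forwarded to api1 later.
            options.SaveTokens = true;
        });
    }
}

// Hypothetical controller: the policy gates the action, and the stored access token is
// what the MVC client would send as a Bearer token when calling api1.
public class AdminController : Controller
{
    [Authorize(Policy = "AdminsOnly")]
    public async Task<IActionResult> Index()
    {
        string accessToken = await HttpContext.GetTokenAsync("access_token");
        ViewData["HasAccessToken"] = !string.IsNullOrEmpty(accessToken);
        return View();
    }
}
```

Call OidcClientSetup.ConfigureServices(services) from Startup.ConfigureServices. If the "role" claim is already present in the id_token (the question sets AlwaysIncludeUserClaimsInIdToken = true), the MapJsonKey line is not strictly needed, but it is what makes the claim available when it only arrives via the userinfo endpoint.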
Source: https://stackoverflow.com/questions/52033154/asp-net-core-2-1-openidconnectoptions-with-scope-doesnt-work