Question
Hi, I am using IdentityServer4 and I created a client which is protected using client_credentials.
I am able to retrieve a token using the client id and secret, and according to jwt.io the expiry of the access token is 3600 seconds (1 hour).
On the .NET Core 2.2 API I have a custom AuthorizationHandler:
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ClientCredentialRequirement requirement)
    {
        if (requirement.AllowedClients != null && requirement.AllowedClients.Any())
        {
            if (context.User.Identity.IsAuthenticated) // this is false
            {
                context.Succeed(requirement);
                return Task.CompletedTask;
            }
        }
        // Requirement left unmet (neither Succeed nor Fail), so authorization does not pass
        return Task.CompletedTask;
    }
Should this return false when using client credentials? I was expecting it to be true since the token is valid.
Answer 1:
So I figured it out.
Turns out that the fact that the app is a fully functioning "idserver" plus "MVC web site" already configured with cookie authentication was causing me issues.
The requests to the API had no claims because the Bearer authentication scheme wasn't being used to handle the request.
I had to add this to the API controller for it to work as expected:
    [Authorize(AuthenticationSchemes = "Bearer")]
    public class MixedController : Controller
as detailed here.
Now, even when using client credentials, the User.Identity claims are populated with the claims and scopes from the token, and the User is shown as Authenticated = true.
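As an added example (not the asker's code or IdentityServer4's), here is how the requirement, handler, scheme registration and controller fit together so that the bearer scheme, not the cookie default, populates User for the API; the requirement's shape, the authority URL, audience and client id are assumptions:

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Assumed shape of the asker's requirement: the client ids allowed to call the API.
public class ClientCredentialRequirement : IAuthorizationRequirement
{
    public string[] AllowedClients { get; }
    public ClientCredentialRequirement(params string[] allowedClients) => AllowedClients = allowedClients;
}

public class ClientCredentialHandler : AuthorizationHandler<ClientCredentialRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ClientCredentialRequirement requirement)
    {
        // Only true when the Bearer scheme actually handled the request (the point of the answer).
        if (!context.User.Identity.IsAuthenticated) return Task.CompletedTask;

        // IdentityServer4 issues the requesting client's id in the "client_id" claim.
        // Succeed only for an allowed client; otherwise the requirement stays unmet and the request is denied.
        var clientId = context.User.FindFirst("client_id")?.Value;
        if (clientId != null && requirement.AllowedClients.Contains(clientId))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public static class ApiAuthSetup
{
    public static void Configure(IServiceCollection services)
    {
        // Cookies stay the app-wide default; the bearer scheme is registered by name only.
        services.AddAuthentication("Cookies")
            .AddCookie("Cookies")
            .AddJwtBearer("Bearer", o =>
            {
                o.Authority = "https://idserver.example"; // assumed IdentityServer4 host
                o.Audience = "api1";                      // assumed API resource name
            });
        services.AddAuthorization(o => o.AddPolicy("ClientOnly",
            p => p.Requirements.Add(new ClientCredentialRequirement("m2m-client")))); // assumed client id
        services.AddSingleton<IAuthorizationHandler, ClientCredentialHandler>();
    }
}

// Naming the scheme is what makes the bearer handler populate User for this controller.
[Authorize(AuthenticationSchemes = "Bearer", Policy = "ClientOnly")]
public class MixedController : Controller
{
    [HttpGet("/mixed")]
    public IActionResult Get() => Ok(User.Claims.Select(c => new { c.Type, c.Value }));
}
```

Without the AuthenticationSchemes argument the cookie scheme runs, the handler sees an anonymous principal and the policy denies the call even though the token itself is valid.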
Source: https://stackoverflow.com/questions/60462057/using-client-credentials-flow-on-identityserver4-and-custom-authorizationhandler