我试图设置WSO2 Identity Server以使用OpenId连接 . 我目前应用了以下设置Here: Setup WSO2 .
它归结为我使用Resident Identity Provider并为我的应用程序“CoolApp”设置了服务提供程序 .
我配置了“OAuth / OpenID Connect Configuration”并设置了回调URL .
有一个简单的例子如何在javascript中使用它?
我玩过identityserver3,他们有一个客户端oidc-client.js,可以很好地与identityserver3结合使用 . 但是我似乎无法使用WSO2身份服务器 .
我以错误的方式解决了这个问题,我真正想要的是使用owin中间件保护我的网站,就像他们尝试here和here一样 .
所以现在我有以下内容:
app.SetDefaultSignInAsAuthenticationType("ClientCookie");
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AuthenticationType = "ClientCookie",
CookieName = CookieAuthenticationDefaults.CookiePrefix + "ClientCookie",
ExpireTimeSpan = TimeSpan.FromMinutes(5)
});
// ***************************************************************************
// Approach 1 : ResponseType = "id_token token"
// ***************************************************************************
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AuthenticationType = OpenIdConnectAuthenticationDefaults.AuthenticationType,
SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType(),
Authority = " https://localhost:9443/oauth2/",
ClientId = "fgx4M5e27NJqgRIs8nu5aL7Jw3oa",
ClientSecret = "dwGdRDCFY7Soa7CB5K5smkiuMmYa",
RedirectUri = "http://localhost:57815/Account/ExternalLoginCallback/",
ResponseType = "id_token token",
Scope = "openid",
Configuration = new OpenIdConnectConfiguration
{
AuthorizationEndpoint = "https://localhost:9443/oauth2/authorize",
TokenEndpoint = "https://localhost:9443/oauth2/token",
UserInfoEndpoint = "https://localhost:9443/oauth2/userinfo",
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = n =>
{
var token = n.ProtocolMessage.AccessToken;
// persist access token in cookie
if (!string.IsNullOrEmpty(token))
{
n.AuthenticationTicket.Identity.AddClaim(
new Claim("access_token", token));
}
return Task.FromResult(0);
},
AuthenticationFailed = notification =>
{
if (string.Equals(notification.ProtocolMessage.Error, "access_denied", StringComparison.Ordinal))
{
notification.HandleResponse();
notification.Response.Redirect("/");
}
return Task.FromResult<object>(null);
}
}
});
我在SecurityTokenValidated和AuthenticationFailed中设置了一个断点 . 转到页面,我按预期重定向到WSO2身份服务器 . 当我登录并返回页面时,我的两个断点都没有被击中而且我没有登录 .
我正在使用WSO2 Identity Server 5.1.0 .
@farasath,你能帮助我和其他人看起来我们都遇到了同样的问题,还没有找到解决方案 .
在进一步调查期间,我发现使用带有response_type = "code"的代码流也不会起作用,因为OIDC中间件不支持它(参见here和here) .
发现@pinpoint建议ASP.net核心支持这一点 . 但这不是一个真正的选择 .
@Hos回答here:
使用WSO2 Identity Server 5.0.0 OpenID Connect“id_token”响应类型未实现 .
我没有收到他在帖子中提到的错误回复,但是我使用这些版本的结果保持不变,断点永远不会被击中 . 所以现在我想知道这应该在5.1.0或5.2.0-Beta中实际工作还是仍然是WIP .
@farasath,谢谢你的答复,这里是日志
[2016-08-16 08:11:39,998] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Validate Client information request for client_id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa and callback_uri http://localhost:57815/
[2016-08-16 08:11:40,074] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Registered App found for the given Client Id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa ,App Name : CoolApp, Callback URL : http://localhost:57815/
[2016-08-16 08:11:50,948] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Authorization Request received for user : raymond@carbon.super, Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, Authorization Response Type : id_token token, Requested callback URI : http://localhost:57815/, Requested Scope : openid
[2016-08-16 08:11:50,967] INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - The default OAuth token issuer will be used. No custom token generator is set.
[2016-08-16 08:11:50,985] INFO {org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO} - Thread pool size for session persistent consumer : 100
[2016-08-16 08:11:50,991] DEBUG {org.wso2.carbon.identity.oauth2.dao.TokenPersistenceTask} - Access Token context persist consumer is started
... This one repeats about 100 times ...
[2016-08-16 08:11:51,031] DEBUG {org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager} - Successfully created AppInfoCache under OAuthCacheManager
[2016-08-16 08:11:51,206] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthAuthzReqMessageContext to threadlocal
[2016-08-16 08:11:52,180] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - No active access token found in cache for Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, User ID : raymond@carbon.super and Scope : openid
[2016-08-16 08:11:52,199] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - No access token found in database for Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, User ID : raymond@carbon.super and Scope : openid. Therefore issuing new access token
[2016-08-16 08:11:52,208] DEBUG {org.wso2.carbon.identity.oauth2.dao.TokenPersistenceTask} - Access Token Data persisting Task is started to run
[2016-08-16 08:11:52,208] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - Persisted Access Token for Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, Authorized User : raymond@carbon.super, Timestamp : 2016-08-16 08:11:52.207, Validity period (s) : 3600, Scope : openid, Callback URL : http://localhost:57815/, Token State : ACTIVE and User Type : APPLICATION_USER
[2016-08-16 08:11:52,233] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - Access Token was added to OAuthCache for cache key : fgx4M5e27NJqgRIs8nu5aL7Jw3oa:raymond@carbon.super:openid
[2016-08-16 08:11:52,298] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthAuthzReqMessageContext
第二次我运行它我得到这个日志:
[2016-08-16 08:30:17,216] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Validate Client information request for client_id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa and callback_uri http://localhost:57815/
[2016-08-16 08:30:17,222] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Registered App found for the given Client Id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa ,App Name : CoolApp, Callback URL : http://localhost:57815/
[2016-08-16 08:30:23,178] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Authorization Request received for user : raymond@carbon.super, Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, Authorization Response Type : id_token token, Requested callback URI : http://localhost:57815/, Requested Scope : openid
[2016-08-16 08:30:23,189] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthAuthzReqMessageContext to threadlocal
[2016-08-16 08:30:23,195] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - Retrieved active Access Token for Client Id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, User ID :raymond@carbon.super and Scope : openid from cache
[2016-08-16 08:30:23,203] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - Access Token is valid for another 3264638ms
[2016-08-16 08:30:23,218] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthAuthzReqMessageContext
现在我将我的重定向uri更改为:RedirectUri =“http://localhost:57815/Account/ExternalLoginCallback/”,
并且该函数中的logInfo始终为null var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
谷歌搜索并发现this post有人遇到类似的问题 .
使用Fiddler来查看回调看起来像已设置的cookie
所以现在我离开了以下情况:
-
SecurityTokenValidated中的断点从未命中
-
AuthenticationFailed中的断点从未命中
-
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();在我的回调中始终为null
2 回答
原因是OWIN中间件期望OAUTH 2.0表单后响应模式[1]中的OAUTH响应,这是一个可选规范,只有Identity Server 5.2.0(带补丁)向上支持这一点 .
[1] http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
AFAIK我们没有您可以直接使用的Javascript示例 . 但那应该不是问题 . 我通过谷歌搜索来找到[1] . 您需要做的就是替换client_id和回调URL . 由于我们遵循OAuth / OpenID连接规范,因此任何OAuth Javascript客户端库都应与WSO2 Identity Server配合使用 .
我们确实有一个Web应用程序示例[2],之前我写了一篇博客文章[3],以演示使用WSO2 Identity Server的授权代码流程 .
[1] https://github.com/zalando/oauth2-client-js
[2] https://docs.wso2.com/display/IS510/OAuth+2.0+with+WSO2+Playground
[3] http://blog.farazath.com/2016/05/trying-out-oauth2-authorization-code.html