我正在尝试使用IdentityServer3和Client Credential流程 Build 一个简单的示例 . 该示例包含一个控制台客户端,该客户端使用从IdentityServer接收的令牌调用Web API资源 . Web API和IdentityServer托管在IIS中 .
我设法通过以下方式从IdentityServer获取令牌:
var client = new TokenClient(
"https://machine+domain/WebHostedId3/connect/token",
"client",
"secret");
但是当我尝试使用以下方法调用Web API时:
var client = new HttpClient();
client.SetBearerToken(token);
var response = client.GetStringAsync("http://localhost/WebHostedApi/api/products").Result;
我收到401(响应状态代码不表示成功:401(未授权) .
IdentityServer的设置如下:
public class Clients
{
public static List<Client> Get()
{
return new List<Client>
{
new Client
{
ClientName = "Client Credentials Flow Client",
Enabled = true,
ClientId = "client",
AccessTokenType = AccessTokenType.Reference,
ClientSecrets = new List<Secret>
{
new Secret("secret".Sha256())
},
Flow = Flows.ClientCredentials,
AllowedScopes = new List<string>
{
"api"
}
}
};
}
}
public class Scopes
{
public static IEnumerable<Scope> Get()
{
return new[]
{
new Scope
{
Name = "api",
DisplayName = "API Scope",
Type = ScopeType.Resource,
Emphasize = false
}
};
}
}
public class Startup
{
public void Configuration(IAppBuilder appBuilder)
{
Log.Logger = new LoggerConfiguration()
.WriteTo.Trace(outputTemplate: "{Timestamp} [{Level}] ({Name}){NewLine} {Message}{NewLine}{Exception}")
.CreateLogger();
var factory = new IdentityServerServiceFactory()
.UseInMemoryUsers(new System.Collections.Generic.List<InMemoryUser>())
.UseInMemoryClients(Clients.Get())
.UseInMemoryScopes(Scopes.Get());
var options = new IdentityServerOptions
{
Factory = factory,
};
appBuilder.UseIdentityServer(options);
}
}
Web API:
public static class WebApiConfig
{
public static HttpConfiguration Register()
{
var config = new HttpConfiguration();
// Web API routes
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute(
name: "DefaultRouting",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
// require authentication for all controllers
config.Filters.Add(new AuthorizeAttribute());
return config;
}
}
public class Startup
{
public void Configuration(IAppBuilder app)
{
Log.Logger = new LoggerConfiguration()
.WriteTo.Trace(outputTemplate: "{Timestamp} [{Level}] ({Name}){NewLine} {Message}{NewLine}{Exception}")
.CreateLogger();
app.UseIdentityServerBearerTokenAuthentication(
new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "machine+domain:443",
ValidationMode = ValidationMode.ValidationEndpoint,
RequiredScopes = new[] { "api" }
});
app.UseWebApi(WebApiConfig.Register());
}
}
用于SSL的证书是使用IIS创建自签名证书功能创建的,并连接到IdentityServer的https绑定 . 除了“响应状态代码未指示成功:401(未授权)”异常外,我找不到更多详细信息 . IdentityServer的日志看起来不错 . 非常感谢帮助 .
3 回答
我知道回复很晚 . 尝试更新所有nugets,尤其是Newtonsoft.Json到8.0.3
对于非常晚的响应感到抱歉,但如果您在IdentityServer中启用完整日志记录,它几乎可以告诉您问题所在 .
更改
至
然后,您将看到很多很棒的调试信息,可以告诉您出了什么问题 .
在WebAPI配置中,在
IdentityServerBearerTokenAuthenticationOptions中,属性Authority的值不正确 . 它必须是IdentityServer实例的基URI,即https://localhost/WebHostedId3,而不仅仅是localhost,而不是localhost:443.考虑到IdentityServer3默认需要TLS,那么您需要指定
httpsscheme而不仅仅是http.因此,只要您的IdentityServer基本URI是
https://localhost/WebHostedId3,那么正确的设置将如下所示