我遵循了Identity Server 4文档,在本地计算机上设置示例服务器。我的问题是,登录应用程序后,它卡在“ signin-oidc”页面上,并且日志指示404。我按照说明操作T,甚至删除了所有内容并重新开始。因此,根据http://docs.identityserver.io/en/latest/quickstarts/2_interactive_aspnetcore.html
上的文档,当前设置是一个准系统IdSvr4项目(is4inmem)和一个新的ASPNetCore MVC应用程序。我所做的唯一更改是将所有URL都更改为HTTP,并使用appsettings.json文件而不是Config类。由于我没有进行任何实质性的更改,因此我不知所措。
我的MVC的日志看起来像这样
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
Request starting HTTP/2 GET https://localhost:44377/Home/Claims
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed.
info: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[12]
AuthenticationScheme: oidc was challenged.
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished in 559.8895ms 200 text/html;charset=UTF-8
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
Request starting HTTP/2 POST https://localhost:44377/signin-oidc application/x-www-form-urlencoded 547
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished in 3.2205ms 404
虽然主IdSvr4项目的日志如下所示
[00:26:01 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Start authorize request protocol validation
[00:26:01 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client mvc succeeded.
[00:26:01 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Checking for PKCE parameters
[00:26:01 Debug] IdentityServer4.Validation.AuthorizeRequestValidator
Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
[00:26:01 Debug] IdentityServer4.Endpoints.AuthorizeCallbackEndpoint
ValidatedAuthorizeRequest
{"ClientId": "mvc", "ClientName": "MVC Client", "RedirectUri": "https://localhost:44377/signin-oidc", "AllowedRedirectUris": ["https://localhost:44377/signin-oidc"], "SubjectId": "88421113", "ResponseType": "code", "ResponseMode": "form_post", "GrantType": "authorization_code", "RequestedScopes": "openid profile", "State": "CfDJ8Pdtr1YS18ZOp7dIVYqa05dMp_XQH4T-n8WcLhu5aBGOHMMP_JTWt2I4pM0JjtxMBddtz5WSWy-rkrZTqXLwr-BllETJJds86UiTcvUvxfQ7cCvVoM5I-gofWE-LrKJlrdDnhC4ofF4MGMfNAdYvVmT7J9fCEWJzuAspiyK8KBXGWiCZhw77isVR1q3hu7s3cKCvcuNKMi2jww_tjdOi8IYdZ8vTTlmA6tL8NpWDZaY1J6mj1WUzess9FQ2Bc2maeSYy4NBKCfPIITLq4aiHmCVb97itGJsIbImHQm2cTo43B_m7rYIPq-RHtGAgXU6l81mIMwmxjhJhsfhH28KExQitCgPNewh9ltpLgumr4Zm49TuUMubYy6L6sYM7jzeekA", "UiLocales": null, "Nonce": "637086795594073564.YWI5YWMzMTgtZjU0Ni00YjI5LTg1ZTMtOGViN2JjYjgwY2YxYzAxZTY2YzQtMjg2Yy00YjkyLWE0ZGYtODYzNDA1NWIwYWY5", "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": null, "MaxAge": null, "LoginHint": null, "SessionId": "k6AJ_-EdagzerxIIl6oQmA", "Raw": {"client_id": "mvc", "redirect_uri": "https://localhost:44377/signin-oidc", "response_type": "code", "scope": "openid profile", "code_challenge": "sHPH6r59Ij8Iap6esr_3opZrue72ZdOVxBg-20IQMs4", "code_challenge_method": "S256", "response_mode": "form_post", "nonce": "637086795594073564.YWI5YWMzMTgtZjU0Ni00YjI5LTg1ZTMtOGViN2JjYjgwY2YxYzAxZTY2YzQtMjg2Yy00YjkyLWE0ZGYtODYzNDA1NWIwYWY5", "state": "CfDJ8Pdtr1YS18ZOp7dIVYqa05dMp_XQH4T-n8WcLhu5aBGOHMMP_JTWt2I4pM0JjtxMBddtz5WSWy-rkrZTqXLwr-BllETJJds86UiTcvUvxfQ7cCvVoM5I-gofWE-LrKJlrdDnhC4ofF4MGMfNAdYvVmT7J9fCEWJzuAspiyK8KBXGWiCZhw77isVR1q3hu7s3cKCvcuNKMi2jww_tjdOi8IYdZ8vTTlmA6tL8NpWDZaY1J6mj1WUzess9FQ2Bc2maeSYy4NBKCfPIITLq4aiHmCVb97itGJsIbImHQm2cTo43B_m7rYIPq-RHtGAgXU6l81mIMwmxjhJhsfhH28KExQitCgPNewh9ltpLgumr4Zm49TuUMubYy6L6sYM7jzeekA"}, "$type": "AuthorizeRequestValidationLog"}
[00:26:01 Debug] IdentityServer4.Test.TestUserProfileService
IsActive called from: AuthorizeEndpoint
[00:26:01 Debug] IdentityServer4.Stores.DefaultUserConsentStore
user_consent grant with value: mvc|88421113 not found in store.
[00:26:01 Debug] IdentityServer4.Services.DefaultConsentService
Found no prior consent from consent store, consent is required
[00:26:01 Information] IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator
User consented to scopes: ["openid", "profile"]
[00:26:01 Debug] IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator
User indicated to remember consent for scopes: ["openid", "profile"]
[00:26:01 Debug] IdentityServer4.Services.DefaultConsentService
Client allows remembering consent, and consent given. Updating consent store for subject: 88421113
[00:26:01 Debug] IdentityServer4.ResponseHandling.AuthorizeResponseGenerator
Creating Authorization Code Flow response.
[00:26:01 Information] IdentityServer4.Events.DefaultEventService
{"ClientId": "mvc", "ClientName": "MVC Client", "RedirectUri": "https://localhost:44377/signin-oidc", "Endpoint": "Authorize", "SubjectId": "88421113", "Scopes": "openid profile", "GrantType": "authorization_code", "Tokens": [{"TokenType": "code", "TokenValue": "****MUrA", "$type": "Token"}], "Category": "Token", "Name": "Token Issued Success", "EventType": "Success", "Id": 2000, "Message": null, "ActivityId": "0HLR322N3G5DT:00000017", "TimeStamp": "2019-11-06T23:26:01.0000000Z", "ProcessId": 3312, "LocalIpAddress": "::1:44374", "RemoteIpAddress": "::1", "$type": "TokenIssuedSuccessEvent"}
[00:26:01 Debug] IdentityServer4.Endpoints.AuthorizeCallbackEndpoint
Authorize endpoint response
{"SubjectId": "88421113", "ClientId": "mvc", "RedirectUri": "https://localhost:44377/signin-oidc", "State": "CfDJ8Pdtr1YS18ZOp7dIVYqa05dMp_XQH4T-n8WcLhu5aBGOHMMP_JTWt2I4pM0JjtxMBddtz5WSWy-rkrZTqXLwr-BllETJJds86UiTcvUvxfQ7cCvVoM5I-gofWE-LrKJlrdDnhC4ofF4MGMfNAdYvVmT7J9fCEWJzuAspiyK8KBXGWiCZhw77isVR1q3hu7s3cKCvcuNKMi2jww_tjdOi8IYdZ8vTTlmA6tL8NpWDZaY1J6mj1WUzess9FQ2Bc2maeSYy4NBKCfPIITLq4aiHmCVb97itGJsIbImHQm2cTo43B_m7rYIPq-RHtGAgXU6l81mIMwmxjhJhsfhH28KExQitCgPNewh9ltpLgumr4Zm49TuUMubYy6L6sYM7jzeekA", "Scope": "openid profile", "Error": null, "ErrorDescription": null, "$type": "AuthorizeResponseLog"}
客户端的配置是这个
{
"ClientId": "mvc",
"ClientName": "MVC Client",
// 49C1A7E1-0C79-4A89-A3D6-A37998FB86B0
"ClientSecrets": [ { "Value": "o90IbCACXKUkunXoa18cODcLKnQTbjOo5ihEw9j58+8=" } ],
"AllowedGrantTypes": [ "client_credentials", "authorization_code" ],
"RequirePkce": true,
"AllowedScopes": [ "openid", "profile", "api1" ],
"AllowOfflineAccess": true,
"RedirectUris": [ "https://localhost:44377/signin-oidc" ],
"FrontChannelLogoutUris": [ "https://localhost:44377/signout-oidc" ],
"PostLogoutRedirectUris": [ "https://localhost:44377/signout-callback-oidc" ]
},
和客户端启动看起来像这样
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
services.AddAuthentication(opt =>
{
opt.DefaultScheme = "Cookies";
opt.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", opt =>
{
opt.Authority = "https://localhost:44374";
opt.RequireHttpsMetadata = true;
opt.ClientId = Configuration["OIDC:ClientId"];
opt.ClientSecret = Configuration["OIDC:Secret"];
opt.ResponseType = "code";
opt.SaveTokens = true;
opt.AuthenticationMethod = OpenIdConnectRedirectBehavior.FormPost;
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints
.MapDefaultControllerRoute()
.RequireAuthorization();
});
}
似乎您忘记了在UseAuthentication()方法中添加对Startup.Configure的调用。这个中间件是实现回调到例如/signin-oidc由您的客户端应用程序处理:
app.UseRouting();
app.UseAuthentication(); // <-- Add it here.
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints
.MapDefaultControllerRoute()
.RequireAuthorization();
});
在您参考的指南中已提及:
然后为了确保对每个请求执行身份验证服务,请将
UseAuthentication添加到Configure中的Startup: