带范围的Asp.net核心2.1 OpenIdConnectOptions不起作用

本文介绍了带范围的Asp核心2.1 OpenIdConnectOptions不起作用的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

请告诉我为什么我不能向OpenIdConnectOptions添加任何作用域?它不适用于ASP.NET Core MVC客户端，但适用于js客户端，可以正常工作！

Please tell me why I can not add any scope to OpenIdConnectOptions? It doesn't work with an ASP.NET Core MVC client, but with a js client it works fine!

我的代码...

IdentityServer4 客户端注册

public static IEnumerable<Client> GetClients() { return new List<Client> { new Client { ClientId = "web", ClientName = "Web Client", AllowedGrantTypes = GrantTypes.Implicit, AllowAccessTokensViaBrowser = true, AlwaysIncludeUserClaimsInIdToken = true, RedirectUris = {"localhost:5002/signin-oidc"}, PostLogoutRedirectUris = {"localhost:5002/signout-callback-oidc"}, AllowedCorsOrigins = {"localhost:5002"}, AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, IdentityServerConstants.StandardScopes.Profile, "api1" }, AccessTokenLifetime = 300, IdentityTokenLifetime = 3600, AllowOfflineAccess = true, } }; }

接下来，我将代码添加到mvc客户端以使用授权.

Next, I add code to the mvc client to use authorization.

Mvc客户端

JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); services.AddAuthorization(options => options.AddPolicy("AdminsOnly", policyUser => { policyUser.RequireClaim("role", "admin"); })); services.AddAuthentication(options => { options.DefaultScheme = "Cookies"; options.DefaultChallengeScheme = "oidc"; }) .AddCookie("Cookies") .AddOpenIdConnect("oidc", options => { options.SignInScheme = "Cookies"; options.Authority = "localhost:5000"; options.RequireHttpsMetadata = false; options.GetClaimsFromUserInfoEndpoint = true; options.Scope.Add("api1"); options.ClientId = "web"; options.SaveTokens = true; });

当我尝试切换到标有[authorize]属性的操作时，出现错误

When I try to switch to an action marked with the [authorize] attribute, I get an error

对不起，出现错误:invalid_scope.

Sorry, there was an error : invalid_scope.

如果我删除行options.Scope.Add("api 1");，则身份验证有效.但是在这种情况下，我无法指定角色以及更多...

If I delete the line options.Scope.Add("api 1"); then the authentication works. But in this case I can not specify roles and more...

可以在此处下载该项目

The project can be downloaded here

推荐答案

将此行添加到MVC客户端的AddOpenIdConnect选项中，以请求身份令牌和访问令牌:

Add this line to your MVC client's AddOpenIdConnect options to request an identity token and access token:

options.ResponseType = "id_token token";

您的JS客户端要求一个身份令牌和一个访问令牌，而MVC客户端仅要求一个身份令牌和资源身份令牌中不允许使用范围.请参见 docs.identityserver.io/en/release/endpoints/authorize .html :

Your JS client is asking for an identity token and an access token whereas the MVC client is only asking for an identity token and resource scopes are not allowed in identity tokens. See docs.identityserver.io/en/release/endpoints/authorize.html:

id_token请求一个身份令牌(仅允许身份范围)

id_token requests an identity token (only identity scopes are allowed)

令牌请求访问令牌(仅允许资源作用域)

token requests an access token (only resource scopes are allowed)