2

我正在使用 Fiddler 向我们的OpenID Connect Identity Server发出以下请求。

POST http://localhost:50000/connect/token HTTP/1.1
User-Agent: Fiddler
Host: localhost:50000
Content-Length: 73
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=my_username&password=my_password&nonce=12345

OpenID Connect 身份服务器使用此响应进行回复。

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 2136
Content-Type: application/json;charset=UTF-8
Expires: -1
Server: Microsoft-IIS/10.0
X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcQmlnRm9udFxEb2N1bWVudHNcR2l0SHViXEFzcE5ldC5TZWN1cml0eS5PcGVuSWRDb25uZWN0LlNlcnZlclxzYW1wbGVzXFJlc291cmNlT3duZXJQYXNzd29yZEZsb3dcd3d3cm9vdFxjb25uZWN0XHRva2Vu?=
X-Powered-By: ASP.NET
Date: Fri, 26 Jun 2015 17:49:39 GMT

{"token_type":"bearer","access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjA1MkM1RTQyMTVDRDBDMUUxNTA1RTA4RTZBRjNBREJFRkJGRDc4MjIifQ.eyJuYW1laWQiOiJDbGFpbVR5cGVzLk5hbWVJZGVudGlmaWVyIiwidW5pcXVlX25hbWUiOiJKb2huIiwiZmFtaWx5X25hbWUiOiJEb2UiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjUwMDAwLyIsImV4cCI6MTQzNTM0NDU3OSwibmJmIjoxNDM1MzQwOTc5fQ.Yp79C1xpfDb21iR0O7pkuQIrSp539Qf8zWlZGAZveYEs7IEiE9vepK39mMFM5UpVPSgxwtEeig4O1eHSDDJayQEXN1Q1nOqWJtww6I8mlBGmx0YQSQLmV3saTKEhs6Y4VNBe5A9X9xiWURkZhrTRS_SxkztibYZ8XlkcVUQ6OZeDx9OVdXpYl8R3B6deymBDDADWichKrkDhb4lhpOFrUrmloBR-A4Zya4luh2h33_3D3XgtJf9mtGvmrisTWPK2JLbpVkRIOMZQ2j_F7Azo1rl0UXaQ5OIe2M3iR7QyHCz92_YvwT-0gMkSv4uf-_CO5xj1gy8GwpJi0_4oG7BXaA","id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjA1MkM1RTQyMTVDRDBDMUUxNTA1RTA4RTZBRjNBREJFRkJGRDc4MjIifQ.eyJuYW1laWQiOiJDbGFpbVR5cGVzLk5hbWVJZGVudGlmaWVyIiwidW5pcXVlX25hbWUiOiJKb2huIiwiZmFtaWx5X25hbWUiOiJEb2UiLCJpYXQiOiIxNDM1MzQwOTc5IiwiYXRfaGFzaCI6InBvRG12TVcwbWN6clhMY3RLNUNkd1EiLCJub25jZSI6IjEyMzQ1Iiwic3ViIjoiQ2xhaW1UeXBlcy5OYW1lSWRlbnRpZmllciIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMDAvIiwiZXhwIjoxNDM1MzQyMTc5LCJuYmYiOjE0MzUzNDA5Nzl9.kFo9AcB0mB-ol9PtelRkqh0hW34iYPxnHV0kOeRztdngffsV7rK5xwZqhWVRr_UHKaE-368BCmRgxNGApNeAaCzgYqGoXlDWI-9pd4xfpnohuWW7I83dupArk8xPdTBU_ulHAYwIRWzQilCt9vwEtHLBDLdaS_DkuTAR-fEl95ARC7xoBvpsiQAZs2Tk03s0TJVU0mp9FPv7igxOjyyyRPuCZyXO8FQE-AobsNMjPjrXILfwttpsJYXr8A-HyZtxtLkNl_lHhIcCxWmSvIFrMq7qRRKHh_nQWHHuL1PGGeHiNpsfXA7AsU1XjIx4Q6q6dYWBRT_tKm8b_NjkYAIDDQ","refresh_token":"CfDJ8FNfFcvZnUZCl--dx0lsB1d2NUScvcEhi5sOoCFE4aNgAUHW8ieHtSuA0d13DtiYnpVoO03v5eRRMvyUAVWN9X51544obo4kd5XQJX6bLD3XnPlPs8Fn0n1e-b1RVlQ8NW56bHrJDcSTxiGgzikwAOdmBlCc7K6-NCttTjK_ktQEd_sFsAS77Wb8t5g-bZWMJRWuSnQPFhrUyw3HoFXiP2qkFLTRU6alOud9usRB3Tq_UtxVsVanBtqCmsW07puKqiTuOjBhau0jX9GlWfHa1ZsvncgsaHS3FIoHGPaRXyYqABtIUbPUWfRJRoL0OihSm0wLLZPrYSwNVMWRp8Wb6ClOxZtaWxpJmF7BaTDyu3BOjDf-AUIDTVHDDPYtA8SUlWXlPXm6ekeOzGHCA9J8Ri-TRxaAW_LWdn1C2H44W6TLCxGEzsLn53M8IAnMqAEGr6eTCxN6jaffsKhXVlqbtXnSjg9nYsxvKHOPQmmiIRFGpuohoPzNHbxxaurFEabAMLegi21xVTi15RoGs-xtfrnl7x8WH834IlYh6E-D_8rLP0zg81HO8QoKqnEtFZlTfNrZsdGx7lka5IO9MRtiPyVtWQNZN9fJPCASRYngEtQV","expires_in":"3599"}

id_token包含此信息。

{
 nameid: "ClaimTypes.NameIdentifier",
 iat: "1435340979",
 at_hash: "poDmvMW0mczrXLctK5CdwQ",
 nonce: "12345",
 sub: "ClaimTypes.NameIdentifier",
 iss: "http://localhost:50000/",
 exp: 1435342179,
 nbf: 1435340979
}

我们ClaimType.NameIdentifier暂时用作占位符文本。因此,请求/响应成功,并且身份服务器为依赖方提供了一个id_tokenaccess_token

我们的问题是,当我们的请求不满足此处列出的 OpenID Connect 身份验证请求要求时,如何才能成功。也就是说,我们正在执行规范似乎未涵盖的用户名密码流程。

我怀疑这只是意味着我们对 OpenID Connect 身份提供程序的实现还没有完成。是对的吗?这里发生了什么?

4

1 回答 1

3

您的 OpenID Connect 提供程序的实现超出了 OpenID Connect 规范中明确指定的范围。OpenID Connect 中没有明确定义资源所有者密码凭证授权,但实现可以从 OAuth 2.0 继承该授权。如果它在 OpenID Connect 中被标准化,它肯定需要其中的scopewith 值openid以及client_id.

所以这是 OpenID Connect 的非标准扩展授权实现。尽管如果它支持核心 OpenID Connect 规范的必需元素,那么实现可能仍然是完整的。

请注意,资源所有者密码凭据授予违背了联合 SSO 协议的要点,即依赖方无法查看或处理用户凭据。这就是为什么它在 OpenID Connect 中没有标准化,并且是 OAuth 2.0 的一部分,“仅用于迁移目的”。

于 2015-06-26T18:37:41.887 回答