2

我能够在 RC1 中提取它。OpenIdConnectServerProvider已经发生了相当大的变化。

我对资源所有者流程感兴趣,所以我的 AuthorizationProvider 看起来像这样:

    public sealed class AuthorizationProvider : OpenIdConnectServerProvider
    {

        public override Task MatchEndpoint(MatchEndpointContext context)
        {
            if (context.Options.AuthorizationEndpointPath.HasValue &&
                context.Request.Path.StartsWithSegments(context.Options.AuthorizationEndpointPath))
            {
                context.MatchesAuthorizationEndpoint();
            }

            return Task.FromResult<object>(null);
        }

        public override async Task ValidateAuthorizationRequest(ValidateAuthorizationRequestContext context)
        {
            context.Validate();
            await Task.FromResult<object>(null);
        }

        public override async Task ValidateTokenRequest(ValidateTokenRequestContext context)
        {                
            if (!context.Request.IsAuthorizationCodeGrantType() &&
                !context.Request.IsRefreshTokenGrantType() &&
                !context.Request.IsPasswordGrantType())
            {
                context.Reject(
                    error: "unsupported_grant_type",
                    description: "Only authorization code, refresh token, and ROPC grant types " +
                                 "are accepted by this authorization server");
            }

            /* This is where the problem is. This context.Validate()
               will automatically return a 400, server_error, with
               message "An internal server error occurred."

               If I commented this out, I will get a 400, invalid_client.

               If I put in an arbitrary client like "any_client", it
               goes to GrantResourceOwnerCredentials, as I expect.
               However, I get a 500 with no explanation when it executes.
               See the function below for more details.
            */
            context.Validate();
            await Task.FromResult<object>(null);
        }

        public override Task HandleUserinfoRequest(HandleUserinfoRequestContext context)
        {                
            context.SkipToNextMiddleware();

            return Task.FromResult<object>(null);
        }

        public override async Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context)
        {
             MYDbContext db = context.HttpContext.RequestServices.GetRequiredService<MyDbContext>();
             UserManager<MyUser> UM = context.HttpContext.RequestServices.GetRequiredService<UserManager<MyUser>>();

             MyUser user = await UM.FindByNameAsync(context.Request.Username);

             if (user == null)
             {
                context.Reject(
                   error: "user_not_found",
                   description: "User not found");

                return;
             }

             bool passwordsMatch = await UM.CheckPasswordAsync(user, context.Request.Password);

             if (!passwordsMatch)
             {
                 context.Reject(
                    error: "invalid_credentials",
                    description: "Password is incorrect");

                 return;
             }

             var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);

            identity.AddClaim(ClaimTypes.Name, user.UserName, "id_token token");

            /* I set the breakpoint on this line, and the execution
               does not hit this breakpoint. I immediately get a 500.
               My output says 'System.ArgumentException' in
               AspNet.Security.OpenIdConnect.Extensions.dll
            */
            List<string> roles = (await UM.GetRolesAsync(user)).ToList();

            roles.ForEach(role =>
            {
                identity.AddClaim(ClaimTypes.Role, role, "id_token token");
            });

            var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity),
                                                  new AuthenticationProperties(),
                                                  context.Options.AuthenticationScheme);

            ticket.SetResources(new[] { "mlm_resource_server" });
            ticket.SetAudiences(new[] { "mlm_resource_server" });
            ticket.SetScopes(new[] { "defaultscope" });

            context.Validate(ticket);
        }
    }

顺便说一句,我正在尝试在 Fiddler 上运行它:

POST /token HTTP/1.1
Host: localhost:56785
Content-Type: application/x-www-form-urlencoded

username=user&password=pw&grant_type=password

当密码不正确时,我得到预期的 400 拒绝,但当密码正确时,我得到 500。

我错过了什么?我现在建立该用户身份的方式不正确吗?我应该覆盖另一个功能吗?

注意 - 我没有提供我的启动文件,因为我认为它无关紧要。如果绝对需要,我稍后会发布。

4

1 回答 1

1

如果您启用了日志记录,您将立即了解发生了什么:OpenID Connect 服务器中间件不允许您在请求client_id中缺少令牌请求时将令牌请求标记为“完全验证”:

if (context.IsValidated && string.IsNullOrEmpty(request.ClientId)) {
    Logger.LogError("The token request was validated but the client_id was not set.");

    return await SendTokenResponseAsync(request, new OpenIdConnectMessage {
        Error = OpenIdConnectConstants.Errors.ServerError,
        ErrorDescription = "An internal server error occurred."
    });
}

如果您想让客户端身份验证可选,请context.Skip()改为调用。

请注意,您的提供商有几个问题:

ValidateAuthorizationRequest不验证任何东西,这很糟糕,因为任何东西redirect_uri都会被认为是有效的(= 一个巨大的开放重定向缺陷)。幸运的是,由于您只对 ROPC 授权感兴趣,因此您可能不会实现任何交互式流程。我建议删除此方法(您也可以删除MatchEndpoint)。

您的初始授权签入ValidateTokenRequest是错误的,因为您在调用之后没有停止代码的执行context.Reject(),这最终导致context.Validate()被调用。

identity.AddClaim(ClaimTypes.Name, user.UserName, "id_token token")不再是有效的语法。ArgumentException可能是由此检查引起的:

if (destinations.Any(destination => destination.Contains(" "))) {
    throw new ArgumentException("Destinations cannot contain spaces.", nameof(destinations));
}

而是使用这个:

identity.AddClaim(ClaimTypes.Name, user.UserName,
    OpenIdConnectConstants.Destinations.AccessToken,
    OpenIdConnectConstants.Destinations.IdentityToken);

如果您仍然不确定您的提供商应该是什么样子,请不要犹豫,看看这些具体示例:

于 2016-06-09T01:12:23.990 回答