
I have an IdentityServer4 implementation that has the default internal OIDC OpenIdConnect middleware to provide access to a local API and to support external login providers, starting with Microsoft. I have implemented a custom IClientStore and attached it to the middleware

   .AddClientStore<IS4ClientStore>();

When the internal OIDC implicit connection authenticates, IS4ClientStore.FindClientByIdAsync is called by BuildLoginViewModelAsync, as in the sample

 _clientStore.FindEnabledClientByIdAsync(context.ClientId);

It returns the expected IdentityServer4.Client and everything authenticates, etc.

When I call the external provider (Microsoft OAuth), it connects through the authentication process to the applicationid I supplied, goes through Microsoft's consent process, and then Microsoft redirects back to https://localhost:5001/signin-microsoft

The asp.net core middleware invoked at startup by services.AddAuthentication().AddMicrosoftAccount(options) is not using my client store to look up the client ID; it just reports the error:

 Request starting HTTP/1.1 GET https://localhost:5001/signin-microsoft?code=M91ae2ef1-701d-ceb4-d479-a905d3d02a4d&state=CfDJ8GGNLFmYOI9KouhmbB3NzeJ5omhARPg-YVCPW7u1aCyhnGfOx9_Nj4VL8cMIxmO48nk_8UkfB9Pv7Q7tzZZb8nsq5y26giY9fXuVyRsn5qx8a1nSX8tKFWk1uo9ongL5V0MXY6sgU6eNUEzsxgyNFz_20QLVU20y9G7jRpmxoOcpQ1s1SJx0Tu2BBlRrI840-D-jUmg1ix7xDUfmXF_rPVp6e88rzIuCfbQO4otNq2fAsm4
info: Microsoft.AspNetCore.Authentication.MicrosoftAccount.MicrosoftAccountHandler[4]
      Error from RemoteAuthentication: OAuth token endpoint failure: Status: BadRequest;Headers: Cache-Control: no-cache, no-store
      Pragma: no-cache
      Strict-Transport-Security: max-age=31536000; includeSubDomains
      X-Content-Type-Options: nosniff
      x-ms-request-id: 759b3046-cbad-489d-98c1-6e83bb390b00
      P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
      Set-Cookie: fpc=AZFdz4kBW-ZHi5twlc6DCrARHQUSAQDQZKAdWIfWCA; expires=Sat, 02-Mar-2019 08:43:04 GMT; path=/; secure; HttpOnly, x-ms-gateway-slice=prod; path=/; secure; HttpOnly, stsservicecookie=ests; path=/; secure; HttpOnly
      Date: Thu, 31 Jan 2019 08:43:04 GMT
      ;Body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier '000000005D256100' was not found in the directory '9188040d-6c67-4c5b-b112-36a304b66dad'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant\r\nTrace ID: 759b3046-cbad-489d-98c1-6e83bb390b00\r\nCorrelation ID: 858c340d-7c0c-4fa9-86c2-f8417e5915f1\r\nTimestamp: 2019-01-31 08:43:04Z","error_codes":[700016],"timestamp":"2019-01-31 08:43:04Z","trace_id":"759b3046-cbad-489d-98c1-6e83bb390b00","correlation_id":"858c340d-7c0c-4fa9-86c2-f8417e5915f1"};.
fail: Microsoft.AspNetCore.Server.Kestrel[13]
      Connection id "0HLK7ARJEPT98", Request id "0HLK7DAJEPT98:00000005": An unhandled exception was thrown by the application.
System.Exception: An error was encountered while handling the remote login. ---> System.Exception: OAuth token endpoint failure: Status: BadRequest;Headers: Cache-Control: no-cache, no-store
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
x-ms-request-id: 759b3046-cbad-489d-98c1-6e83bb390b00
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: fpc=AZFdz4kBW-ZHi5twlc6DCrARHQUSAQDQZKAdWIfWCA; expires=Sat, 02-Mar-2019 08:43:04 GMT; path=/; secure; HttpOnly, x-ms-gateway-slice=prod; path=/; secure; HttpOnly, stsservicecookie=ests; path=/; secure; HttpOnly
Date: Thu, 31 Jan 2019 08:43:04 GMT
;Body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier '000000005D256100' was not found in the directory '9188040d-6c67-4c5b-b112-36a304b66dad'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant\r\nTrace ID: 759b3046-cbad-489d-98c1-6e83bb390b00\r\nCorrelation ID: 858c340d-7c0c-4fa9-86c2-f8417e5915f1\r\nTimestamp: 2019-01-31 08:43:04Z","error_codes":[700016],"timestamp":"2019-01-31 08:43:04Z","trace_id":"759b3046-cbad-489d-98c1-6e83bb390b00","correlation_id":"858c340d-7c0c-4fa9-86c2-f8417e5915f1"};
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync() in C:\local\identity\server4\IdentityServer4\src\Hosting\FederatedSignOut\AuthenticationRequestHandlerWrapper.cs:line 38
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in C:\local\identity\server4\IdentityServer4\src\Hosting\BaseUrlMiddleware.cs:line 36
   at Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 476.3734ms 500

Should I be using the AddMicrosoftAccount implementation in IdentityServer4?


1 Answer


Thanks to Jim & Mackie for pointing me in the right direction (I thought this was due to a problem with the custom store implementation on my side)

When I was verifying on the https://apps.dev.microsoft.com/#/appList page that I had the correct client ID and secret, I noticed a link to go to the Azure portal to manage my applications (https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade). When I went to that link, my previous application was not shown, so I simply created a new application and got a new ApplicationId (which is now a GUID, rather than going through the portal) and Secret, plugged them into the .AddMicrosoftAccount call, and I was able to complete the authentication process through Microsoft login and get a token to complete authentication on my server.

My guess is that some applications added via the apps.dev.microsoft.com site are not in Microsoft's backing store when the authentication process completes; those applications may be in the front-end lookup and allow the authentication page to find your application and present the consent page, but then when the token is issued the Microsoft side is looking in a different store and does not find the application by the ApplicationId supplied via the apps.dev.microsoft.com page. So, at least in my case, the solution was to create the application in the Azure portal.

answered 2019-02-01T18:56:22.070
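For readers wiring this up themselves, here is an added Startup example (not the asker's code and not part of IdentityServer4 itself) showing where the two client identities in this question live: IdentityServer4's own relying-party clients go through the custom IClientStore, while the Microsoft app registration's ClientId and ClientSecret are set on MicrosoftAccountOptions and are what ASP.NET Core sends to Microsoft's token endpoint. The IS4ClientStore class is the asker's and is not defined here; the configuration keys `Authentication:Microsoft:ClientId` and `Authentication:Microsoft:ClientSecret` are assumed names so that the secret comes from user secrets or a secret store rather than source code. The GUID check is a heuristic taken from the answer above (Azure portal registrations issue a GUID application ID) and is an assumption, not an official validation rule.

```csharp
// Added example, not from the original question or answer.
using System;
using IdentityServer4;
using Microsoft.AspNetCore.Authentication.MicrosoftAccount;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // IdentityServer4 pipeline. The custom IClientStore (the asker's IS4ClientStore,
        // assumed to exist) is only consulted for IdentityServer's own clients, i.e. the
        // client_id values that arrive on /connect/authorize. It is never used for
        // external providers.
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()      // development only; use a real key in production
            .AddClientStore<IS4ClientStore>();

        // Read the external provider's registration from configuration so the secret
        // never lives in source. Key names are assumed for this example.
        var microsoftClientId = _configuration["Authentication:Microsoft:ClientId"];
        var microsoftClientSecret = _configuration["Authentication:Microsoft:ClientSecret"];

        // Fail at startup instead of discovering a missing or stale registration only
        // when Microsoft's token endpoint answers with AADSTS700016 / unauthorized_client.
        if (string.IsNullOrWhiteSpace(microsoftClientId) || string.IsNullOrWhiteSpace(microsoftClientSecret))
        {
            throw new InvalidOperationException(
                "Authentication:Microsoft:ClientId and ClientSecret must be configured.");
        }

        // Heuristic from the accepted answer: app registrations created in the Azure
        // portal have a GUID application ID, while the legacy apps.dev.microsoft.com
        // ID in the question ('000000005D256100') did not. Treat a non-GUID as suspect.
        if (!Guid.TryParse(microsoftClientId, out _))
        {
            throw new InvalidOperationException(
                "Authentication:Microsoft:ClientId does not look like an Azure portal app registration (expected a GUID).");
        }

        // External login provider. ClientId/ClientSecret here are the Azure app registration
        // values; they are validated by Microsoft, not by the IClientStore above.
        services.AddAuthentication()
            .AddMicrosoftAccount("Microsoft", options =>
            {
                // Hand the external identity to IdentityServer's external cookie so the
                // ExternalController can complete the local sign-in.
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                options.ClientId = microsoftClientId;
                options.ClientSecret = microsoftClientSecret;
                // Must match the Redirect URI registered in the Azure portal for this app,
                // e.g. https://localhost:5001/signin-microsoft as in the question.
                options.CallbackPath = "/signin-microsoft";
                // Default is true; the handler persists the token response in the external
                // cookie only when this is set.
                options.SaveTokens = false;
            });
    }
}
```

The design point is that the error in the question comes from Microsoft's token endpoint, so no local store change can fix it: the only identity Microsoft checks is the ClientId sent by the MicrosoftAccount handler, and it must match a registration that exists in the tenant Microsoft resolves at token time. Putting the registration values behind configuration and checking them at startup turns a runtime 500 on the callback into an immediate, visible startup failure.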