
We have set up a Vue.js SPA running on a Node server on its own domain.

We have set up an ASP.NET Core IdentityServer4 application on another domain.

We are trying to use the authorization code flow with PKCE.

We have read several articles, but most of them use a different configuration, with the implicit flow or an MVC client on the same domain.

Here is the client configuration:

import Oidc from 'oidc-client';

var mgr = new Oidc.UserManager({
  authority: "https://localhost:44363",
  client_id: 'Code Autho',
  redirect_uri: 'http://localhost:8080',
  response_type: 'code',
  scope: 'openid profile email api1',
});

export default mgr;

Here is the client as defined in the IdentityServer configuration:

new Client
{
    ClientId = "Code Autho",
    ClientName = "Code With PKCE",
    RedirectUris = {
        Uri.EscapeUriString("http://localhost:8080")
    },
    PostLogoutRedirectUris = { "http://localhost:8080" },
    RequireClientSecret = false,
    AllowedGrantTypes = GrantTypes.Code,
    RequirePkce = true,
    AllowedScopes = {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.Email,
        "api1"
    },
    AllowOfflineAccess = true,
    RefreshTokenUsage = TokenUsage.ReUse
}

Logs:

2019-06-21 11:41:54.396 +02:00 [INF] Starting IdentityServer4 version 2.4.0.0
2019-06-21 11:41:54.407 +02:00 [INF] You are using the in-memory version of the persisted grant store. This will store consent decisions, authorization codes, refresh and reference tokens in memory only. If you are using any of those features in production, you want to switch to a different store implementation.
2019-06-21 11:41:54.412 +02:00 [INF] Using the default authentication scheme Identity.Application for IdentityServer
2019-06-21 11:41:54.412 +02:00 [DBG] Using Identity.Application as default ASP.NET Core scheme for authentication
2019-06-21 11:41:54.412 +02:00 [DBG] Using Identity.External as default ASP.NET Core scheme for sign-in
2019-06-21 11:41:54.412 +02:00 [DBG] Using Identity.External as default ASP.NET Core scheme for sign-out
2019-06-21 11:41:54.412 +02:00 [DBG] Using Identity.Application as default ASP.NET Core scheme for challenge
2019-06-21 11:41:54.413 +02:00 [DBG] Using Identity.Application as default ASP.NET Core scheme for forbid
2019-06-21 11:41:54.757 +02:00 [DBG] CORS request made for path: /.well-known/openid-configuration from origin: http://localhost:8080
2019-06-21 11:41:54.760 +02:00 [DBG] Client list checked and origin: http://localhost:8080 is allowed
2019-06-21 11:41:54.760 +02:00 [DBG] CorsPolicyService allowed origin: http://localhost:8080
2019-06-21 11:41:54.776 +02:00 [DBG] Login Url: /Account/Login
2019-06-21 11:41:54.776 +02:00 [DBG] Login Return Url Parameter: ReturnUrl
2019-06-21 11:41:54.777 +02:00 [DBG] Logout Url: /Account/Logout
2019-06-21 11:41:54.777 +02:00 [DBG] ConsentUrl Url: /consent
2019-06-21 11:41:54.777 +02:00 [DBG] Consent Return Url Parameter: returnUrl
2019-06-21 11:41:54.777 +02:00 [DBG] Error Url: /home/error
2019-06-21 11:41:54.777 +02:00 [DBG] Error Id Parameter: errorId
2019-06-21 11:41:54.799 +02:00 [DBG] Request path /.well-known/openid-configuration matched to endpoint type Discovery
2019-06-21 11:41:54.805 +02:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
2019-06-21 11:41:54.805 +02:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
2019-06-21 11:41:54.807 +02:00 [DBG] Start discovery request
2019-06-21 11:41:54.975 +02:00 [DBG] Request path /connect/authorize matched to endpoint type Authorize
2019-06-21 11:41:54.988 +02:00 [DBG] Endpoint enabled: Authorize, successfully created handler: IdentityServer4.Endpoints.AuthorizeEndpoint
2019-06-21 11:41:54.989 +02:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
2019-06-21 11:41:54.997 +02:00 [DBG] Start authorize request
2019-06-21 11:41:55.010 +02:00 [DBG] No user present in authorize request
2019-06-21 11:41:55.013 +02:00 [DBG] Start authorize request protocol validation
2019-06-21 11:41:55.033 +02:00 [DBG] client configuration validation for client Code Autho succeeded.
2019-06-21 11:41:55.044 +02:00 [DBG] Checking for PKCE parameters
2019-06-21 11:41:55.078 +02:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2019-06-21 11:41:55.094 +02:00 [INF] ValidatedAuthorizeRequest
{"ClientId":"Code Autho","ClientName":"code autho Klanik Code With PKCE","RedirectUri":"http://localhost:8080","AllowedRedirectUris":["http://localhost:8080"],"SubjectId":"anonymous","ResponseType":"code","ResponseMode":"query","GrantType":"authorization_code","RequestedScopes":"openid profile email api1","State":"a53f2786c13d460fa5271652c9871234","UiLocales":null,"Nonce":null,"AuthenticationContextReferenceClasses":null,"DisplayMode":null,"PromptMode":null,"MaxAge":null,"LoginHint":null,"SessionId":null,"Raw":{"client_id":"Code Autho","redirect_uri":"http://localhost:8080","response_type":"code","scope":"openid profile email api1","state":"a53f2786c13d460fa5271652c9871234","code_challenge":"ih1wDabwyipUIsHxQcdi6tCyhOy9pzYyLyWn3A6R_Kw","code_challenge_method":"S256"},"$type":"AuthorizeRequestValidationLog"}
2019-06-21 11:41:55.103 +02:00 [INF] Showing login: User is not authenticated

Expected: we are redirected to http://localhost:8080 and the user is authenticated. (We do have a login component on localhost:8080 that asks for username/password.)


1 Answer


You are missing the point: code with PKCE is one of the so-called interactive flows, where the user agent is redirected to the identity provider's login screen to enter credentials. So you still have to present your login screen on the IdentityServer host.

answered 2019-06-21T16:02:03.217