
I am using OpenIddict with oidc-client authentication:

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => 
    {
        options.LoginPath = "/Identity/Account/Login";
        options.LogoutPath = "/Identity/Account/Logout";
        
    })
    .AddOpenIdConnect(options =>
    {
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.ForwardSignIn = CookieAuthenticationDefaults.AuthenticationScheme;

        options.Authority = baseUrl;
        options.CallbackPath = new PathString("/authentication/login-callback");
        options.SignedOutRedirectUri = baseUrl;

        options.ClientId = AuthenticationClient.WebClientId;

        options.RequireHttpsMetadata = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.SaveTokens = true;
        options.UsePkce = true;

        // Use the authorization code flow.
        options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
        options.AuthenticationMethod = OpenIdConnectRedirectBehavior.RedirectGet;

        options.Scope.Add(Scopes.OpenId);
        options.Scope.Add(Scopes.Profile);
        options.Scope.Add(AuthenticationClient.WebClientApiScope);
    });

Here, when the response type is set to "code id / code id_token / code token", I get the error Open ID connect hybrid flow is not supported.

When it is "code", I get the following error:

error:unauthorized_client
error_description:The specified 'response_type' is not valid for this client application.
error_uri:https://documentation.openiddict.com/errors/ID2043

Can someone help me?


1 Answer


I ran into the same problem when I tried to configure an OpenIddict server and authorize against it over the OIDC protocol.

I was configuring a public client for Postman that allows the AuthorizationCode GrantType, but I forgot to add the explicitly allowed ResponseType code:

  var descriptor = new OpenIddictApplicationDescriptor
  {
    ClientId = "postman",
    DisplayName = "Postman",
    RedirectUris = { new Uri("https://www.getpostman.com/oath2/callback") },
    Permissions = 
    {
        OpenIddictConstants.Permissions.Endpoints.Authorization,
        OpenIddictConstants.Permissions.Endpoints.Device,
        OpenIddictConstants.Permissions.Endpoints.Token,
        OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
        OpenIddictConstants.Permissions.GrantTypes.DeviceCode,
        OpenIddictConstants.Permissions.GrantTypes.Password,
        OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
        OpenIddictConstants.Permissions.Scopes.Email,
        OpenIddictConstants.Permissions.Scopes.Profile,
        OpenIddictConstants.Permissions.Scopes.Roles,

        OpenIddictConstants.Permissions.ResponseTypes.Code // <-- this was my issue
    }
  };

This is how OpenIddict stores it in the database:

[
"ept:authorization",
"ept:device",
"ept:token",
"gt:authorization_code",
"gt:urn:ietf:params:oauth:grant-type:device_code",
"gt:password",
"gt:refresh_token",
"scp:email",
"scp:profile",
"scp:roles",
"rst:code"
]

Since OpenIddict is a library for creating authorization, we need to set everything explicitly.

answered 2022-02-23T20:08:22.357
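As an added example (not code from either post), this is how the client from the question could be registered on the OpenIddict side so that it matches the handler configuration: code response type, authorization-code grant only, and PKCE enforced, with no password or device grants the web client does not need. The client id, scope name and base URL are assumed stand-ins for the question's AuthenticationClient.WebClientId, WebClientApiScope and baseUrl.

```csharp
using System;
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

public static class WebClientSeeder
{
    // Registers the web client once, e.g. from a hosted service at startup.
    public static async Task SeedAsync(IOpenIddictApplicationManager manager)
    {
        const string clientId = "web-client";            // assumed: AuthenticationClient.WebClientId
        const string apiScope = "api";                   // assumed: AuthenticationClient.WebClientApiScope
        var baseUrl = new Uri("https://localhost:5001"); // assumed: the question's baseUrl

        if (await manager.FindByClientIdAsync(clientId) is not null)
            return; // already registered

        await manager.CreateAsync(new OpenIddictApplicationDescriptor
        {
            ClientId = clientId,
            DisplayName = "Web client",
            ClientType = ClientTypes.Public,   // no client secret; PKCE protects the code exchange
            ConsentType = ConsentTypes.Implicit,
            // Must match options.CallbackPath and options.SignedOutRedirectUri in the question.
            RedirectUris = { new Uri(baseUrl, "/authentication/login-callback") },
            PostLogoutRedirectUris = { baseUrl },
            Permissions =
            {
                Permissions.Endpoints.Authorization,
                Permissions.Endpoints.Token,
                Permissions.Endpoints.Logout,
                Permissions.GrantTypes.AuthorizationCode,
                Permissions.ResponseTypes.Code,        // without this: ID2043 unauthorized_client
                Permissions.Scopes.Profile,            // stored as "scp:profile"
                Permissions.Prefixes.Scope + apiScope  // stored as "scp:api"
            },
            Requirements =
            {
                // Reject authorization requests without a code_challenge,
                // matching options.UsePkce = true on the client.
                Requirements.Features.ProofKeyForCodeExchange
            }
        });
    }
}
```

With this registration the handler must send response_type=code; a hybrid response type such as code id_token would still be refused because only rst:code is granted.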