
我按以下方式在 Blazor Server 应用中实现了 OpenID Connect 登录:

Startup.cs

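public class Startup
{
    /// <summary>
    /// Name under which the OpenID Connect handler is registered. The Login page
    /// challenges this scheme by its literal name ("oidc"), so the value must not
    /// change without updating that page as well.
    /// </summary>
    private const string OidcScheme = "oidc";

    public Startup(IConfiguration configuration)
    {
        this.Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddRazorPages();
        services.AddServerSideBlazor();
        services.AddSignalR(e =>
        {
            // Roughly 100 MB per SignalR message. Each connected circuit can push a
            // message this large, so this is a memory / denial-of-service trade-off;
            // keep it as small as the application's real uploads require.
            e.MaximumReceiveMessageSize = 102400000;
        });
        services.AddBlazoredModal();
        services.AddHttpClient();
        services.AddScoped<AccessTokenStorage>();
        services.AddAuthentication(opt =>
        {
            // Cookie holds the signed-in principal; OIDC is only used to challenge.
            opt.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            opt.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            // Must match the scheme name registered with AddOpenIdConnect below.
            // Previously this was OpenIdConnectDefaults.AuthenticationScheme
            // ("OpenIdConnect"), which no handler was registered under, so any
            // challenge that did not name "oidc" explicitly would have thrown
            // "No authentication handler is registered for the scheme".
            opt.DefaultChallengeScheme = OidcScheme;
        }).AddCookie().AddOpenIdConnect(OidcScheme, options =>
        {
            // NOTE(review): the client secret is read from a static Credentials class.
            // Prefer IConfiguration backed by user-secrets / environment / a vault so
            // the secret is not compiled into the assembly or committed to source.
            options.Authority = Credentials.Authority;
            options.ClientId = Credentials.ClientId;
            options.ClientSecret = Credentials.ClientSecret;
            // Authorization code flow (the handler enables PKCE for "code" by default).
            options.ResponseType = "code";
            // Access/refresh/id tokens are persisted in the authentication cookie.
            options.SaveTokens = true;
            // Also call the IdP's UserInfo endpoint to enrich the principal's claims.
            options.GetClaimsFromUserInfoEndpoint = true;
            // Cookie lifetime is managed by the cookie handler, not by the id_token expiry.
            options.UseTokenLifetime = false;
            options.Scope.Add("openid");
            options.Scope.Add("profile");
            // Override only the claim used for Identity.Name; keep the handler's
            // default TokenValidationParameters (issuer/audience/lifetime/signature
            // checks) instead of replacing the whole object.
            options.TokenValidationParameters.NameClaimType = "name";

            options.Events = new OpenIdConnectEvents
            {
                // User declined consent / IdP denied access: swallow the error response
                // and send the user back to the site root instead of surfacing an exception.
                OnAccessDenied = context =>
                {
                    context.HandleResponse();
                    context.Response.Redirect("/");
                    return Task.CompletedTask;
                },
            };
        });
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Error");

            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        // Routing must run before authentication/authorization so the selected
        // endpoint and its metadata are available to them (the original called
        // UseAuthentication ahead of UseRouting). UseAuthorization is added so that
        // [Authorize] on a page or the Blazor hub is actually enforced rather than
        // failing at runtime with "a middleware was not found that supports authorization";
        // AddRazorPages already registers the authorization services it needs.
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapBlazorHub();
            endpoints.MapFallbackToPage("/_Host");
        });
    }
}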

另一个重要部分:

Login.cshtml.cs

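public class LoginModel : PageModel
{
    /// <summary>
    /// Starts the OpenID Connect login flow by challenging the "oidc" scheme
    /// (the name used when the handler was registered in Startup).
    /// </summary>
    /// <param name="redirectUri">
    /// Where to send the user after a successful login. It arrives on the query
    /// string and is therefore untrusted: only local (same-site) URLs are honoured,
    /// anything else — including a missing value — falls back to the site root.
    /// Passing it through unchecked, as the original did, is an open redirect:
    /// a link such as /login?redirectUri=https://evil.example would land the user
    /// on the attacker's site immediately after authenticating.
    /// </param>
    public async Task OnGet(string redirectUri)
    {
        // Url.IsLocalUrl returns false for null/empty and for absolute or
        // protocol-relative ("//host") URLs.
        var target = Url.IsLocalUrl(redirectUri) ? redirectUri : "/";

        await HttpContext.ChallengeAsync("oidc", new AuthenticationProperties
        {
            RedirectUri = target,
        });
    }
}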

demo.identityserver.io 似乎可以正常工作。

但是,改为使用公司的身份提供者 (IdP) 后,有时会收到以下错误:

FBTOAU228E 请求包括多个客户机凭证。OAuth 2.0 协议请求只能有一个客户端凭据。例如,请求不能在 BA 标头和请求正文中都包含客户端凭据。

这是 Blazor 方面的问题还是身份提供者的问题?

它看似随机发生,但只要在浏览器中删除 .AspNetCore 认证 cookie,就一定会发生。按理说删除 cookie 只应把用户带回登录页面,却触发了这个错误。(在 demo.identityserver.io 上不会发生……)




解决了。似乎这是有问题的行:

options.GetClaimsFromUserInfoEndpoint = true; // with this on, the handler makes an extra call to the IdP's UserInfo endpoint after the token exchange; removing the line / setting it to false made the FBTOAU228E error go away

我把这一行删除(或设置为 false)之后,一切就按预期工作了。代价是 claims 需要用稍微不同的方式获取:关闭 UserInfo 调用后,handler 只能从 id_token 中取 claims,所以需要的 claims 必须由 IdP 放进 id_token,或者另行请求。需要注意的是,这只是绕过了症状——为什么该 IdP 会把请求判定为"包含多个客户端凭证",并未真正查明。

于 2021-11-11T12:47:22.943 回答