Resolving invalid_scope error with IdentityServer 6

Stack Overflow user
Asked on 2022-11-26 14:53:44
1 answer · 17 views · 0 followers · 0 votes

I am new to IdentityServer and recently set up IdentityServer for a project, but I keep getting the following error:

Sorry, there was an error: invalid_scope (Invalid scope)

These are the components that make up the application:

Web client -> ASP.NET Core Razor Pages app (port: 7091)

Ocelot -> API gateway

IdentityServer 6 (port: 5001)

StripeDotNet -> API

Basket -> API

My configuration/code is as follows:

IdentityServer

```csharp
using System.Collections.Generic;
using Duende.IdentityServer;
using Duende.IdentityServer.Models;

public static class Config
{
    public static IEnumerable<IdentityResource> IdentityResources =>
        new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            // new IdentityResources.Email(),
        };

    public static IEnumerable<ApiScope> ApiScopes =>
        new List<ApiScope>
        {
            new ApiScope("stripedotnetapi", "StripeDotNet API")
        };

    public static IEnumerable<Client> Clients =>
        new List<Client>
        {
            // interactive ASP.NET Core MVC client
            new Client
            {
                ClientId = "razorweb",
                ClientName = "Razor Web",
                ClientSecrets = { new Secret("secret".Sha256()) },

                AllowedGrantTypes = GrantTypes.Code,

                // where to redirect to after login
                RedirectUris = { "https://localhost:7091/signin-oidc" },

                //FrontChannelLogoutUri = "https://localhost:7091/signout-callback-oidc",

                // where to redirect to after logout
                PostLogoutRedirectUris = { "https://localhost:7091/signout-callback-oidc" },

                AllowedScopes = new List<string>
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    // IdentityServerConstants.StandardScopes.Email,
                    "stripedotnetapi"
                }
            }
        };
}
```

IdentityServer: HostingExtensions

```csharp
// Service registration in the IdentityServer host (HostingExtensions.ConfigureServices);
// `builder` is the WebApplicationBuilder.
builder.Services
    .AddIdentityServer(options =>
    {
        options.Events.RaiseErrorEvents = true;
        options.Events.RaiseInformationEvents = true;
        options.Events.RaiseFailureEvents = true;
        options.Events.RaiseSuccessEvents = true;

        // see https://docs.duendesoftware.com/identityserver/v6/fundamentals/resources/
        options.EmitStaticAudienceClaim = true;
    })
    .AddInMemoryIdentityResources(Config.IdentityResources)
    .AddInMemoryApiScopes(Config.ApiScopes)
    .AddInMemoryClients(Config.Clients)
    .AddAspNetIdentity<ApplicationUser>();
```

StripeDotNet API

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

public static IServiceCollection AddSecurityServices(this IServiceCollection services)
{
    // "Bearer" is the default JwtBearer scheme; tokens are validated against the
    // signing keys published by the Authority's discovery document.
    services.AddAuthentication("Bearer")
        .AddJwtBearer(options =>
        {
            options.Authority = "https://localhost:5001";
            // With audience validation off, any token issued by this authority is
            // accepted here; the "ApiScope" policy below is the only resource check.
            options.TokenValidationParameters.ValidateAudience = false;
        });

    services.AddAuthorization(options =>
    {
        options.AddPolicy("ApiScope", policy =>
        {
            policy.RequireAuthenticatedUser();
            policy.RequireClaim("scope", "stripedotnetapi");
        });
    });

    return services;
}
```

StripeDotNet API: controller code

```csharp
using System.Threading.Tasks;
using Ardalis.GuardClauses;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Route("api/[controller]")]
[Authorize("ApiScope")]
public class CheckoutController : BaseController
{
    private readonly ICheckoutService _checkoutService;

    public CheckoutController(ICheckoutService checkoutService)
    {
        _checkoutService = Guard.Against.Null(checkoutService, nameof(checkoutService));
    }

    // Note: binding a request body on a GET is unusual; most HTTP clients and
    // gateways do not send a body with GET, so this action is normally a POST.
    [HttpGet]
    public async Task<IActionResult> CreateCheckoutSession([FromBody] CreateCheckoutSessionRequest req)
    {
        var response = await _checkoutService.CreateCheckoutSessionAsync(req.TenantId, req.PriceId,
            req.SuccessUrl, req.CancelUrl);

        return Ok(response);
    }

    [HttpGet("{sessionId}")]
    public async Task<IActionResult> GetCheckoutSession(string sessionId)
    {
        var response = await _checkoutService.GetCheckoutSessionAsync(sessionId);

        return Ok(response);
    }
}
```

Ocelot gateway

```csharp
using Microsoft.IdentityModel.Tokens;

// The scheme name must match "AuthenticationProviderKey" in ocelot.json.
var authenticationProviderKey = "IdentityApiKey";
builder.Services.AddAuthentication()
    .AddJwtBearer(authenticationProviderKey, x =>
    {
        x.Authority = "https://localhost:5001"; // IDENTITY SERVER URL
        x.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateAudience = false
        };
    });
```

Ocelot gateway: configuration file

```json
{
  "Routes": [
    {
      "UpstreamPathTemplate": "/api/Checkout",
      "UpstreamHttpMethod": [ "Get" ],
      "DownstreamScheme": "https",
      "DownstreamHostAndPorts": [
        {
          "Host": "localhost",
          "Port": 7056
        }
      ],
      "DownstreamPathTemplate": "/api/Checkout",
      "AuthenticationOptions": {
        "AuthenticationProviderKey": "IdentityApiKey",
        "AllowedScopes": []
      }
    },
    {
      "UpstreamPathTemplate": "/api/Checkout/{sessionId}",
      "UpstreamHttpMethod": [ "Get" ],
      "DownstreamScheme": "https",
      "DownstreamHostAndPorts": [
        {
          "Host": "localhost",
          "Port": 7056
        }
      ],
      "DownstreamPathTemplate": "/api/Checkout/{sessionId}",
      "AuthenticationOptions": {
        "AuthenticationProviderKey": "IdentityApiKey",
        "AllowedScopes": []
      }
    }
  ]
}
```

Web client

```csharp
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

public static IServiceCollection AddSecurityServices(this IServiceCollection services)
{
    // Keep the original JWT claim types (e.g. "sub") instead of the legacy .NET mappings.
    JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "https://localhost:5001";

        options.ClientId = "razorweb";
        options.ClientSecret = "secret";
        options.ResponseType = "code";

        // Scopes sent in the authorization request; each one must be permitted
        // for this client on the server side.
        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        //options.Scope.Add("email");
        options.Scope.Add("stripedotnetapi");
        options.Scope.Add("offline_access");

        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
    });

    return services;
}
```

My discovery endpoint lists these as the supported scopes:

```json
  "scopes_supported": [
    "openid",
    "profile",
    "stripedotnetapi",
    "offline_access"
  ],
```

The supported scopes appear to be set up correctly for the web client, but I keep getting an invalid scope error. Any guidance would be appreciated.
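The question's API and gateway both gate on the `scope` claim of the access token: the StripeDotNet API with `policy.RequireClaim("scope", "stripedotnetapi")` and Ocelot with `"AllowedScopes": []`. The example below is added here and is not code from the question, IdentityServer, Ocelot or ASP.NET Core; it models in Python what those two checks decide for a token whose `scope` claim is encoded either as a JSON array (IdentityServer's default for several scopes) or as a space-delimited string (the RFC 9068 form). Signature, issuer and lifetime validation are left to the JwtBearer handler and are not modelled; the token payloads are constructed by hand.

```python
"""Added example (not code from the question or from IdentityServer, Ocelot or
ASP.NET Core): a model of what the posted API policy
`policy.RequireClaim("scope", "stripedotnetapi")` and the posted Ocelot
`"AllowedScopes": []` setting decide once a bearer token reaches them.
Signature and issuer validation are left to the JwtBearer handler and are not
modelled; the payloads below are constructed by hand.
"""
import base64
import json
from typing import Dict, Iterable, List, Tuple

Claim = Tuple[str, str]

# Constructed payloads: identical token content, two encodings of `scope`.
# The array form is how IdentityServer emits multiple scopes by default; the
# space-delimited string is the RFC 9068 style some servers use instead.
PAYLOAD_ARRAY: dict = {
    "iss": "https://localhost:5001",
    "aud": "https://localhost:5001/resources",  # static audience from EmitStaticAudienceClaim
    "client_id": "razorweb",
    "sub": "1",
    "scope": ["openid", "profile", "stripedotnetapi"],
}
PAYLOAD_STRING: dict = dict(PAYLOAD_ARRAY, scope="openid profile stripedotnetapi")


def b64url_json(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(payload: dict) -> str:
    """Build a compact JWT with a placeholder signature (constructed, unsigned)."""
    header = b64url_json({"alg": "RS256", "typ": "at+jwt"})
    return f"{header}.{b64url_json(payload)}.unsigned"


def decode_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWT without verifying it."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def claims_from_payload(payload: dict) -> List[Claim]:
    """Flatten a payload into (type, value) pairs the way the .NET JWT handler
    does: a JSON array yields one claim per element, anything else one claim."""
    claims: List[Claim] = []
    for name, value in payload.items():
        if isinstance(value, list):
            claims.extend((name, str(v)) for v in value)
        else:
            claims.append((name, str(value)))
    return claims


def require_claim(claims: Iterable[Claim], claim_type: str, value: str) -> bool:
    """Equivalent of ASP.NET Core RequireClaim(type, value): exact match on any
    claim of that type."""
    return any(t == claim_type and v == value for t, v in claims)


def has_scope(claims: Iterable[Claim], scope: str) -> bool:
    """Tolerant check that also splits a space-delimited scope claim."""
    return any(t == "scope" and scope in v.split() for t, v in claims)


def ocelot_scope_gate(claims: Iterable[Claim], allowed_scopes: List[str]) -> bool:
    """Model of Ocelot's route scope authorizer: an empty AllowedScopes list
    skips the scope check entirely, so the posted routes only require a valid
    token; a non-empty list needs one exact match on a `scope` claim."""
    if not allowed_scopes:
        return True
    granted = {v for t, v in claims if t == "scope"}
    return any(s in granted for s in allowed_scopes)


def api_policy_decisions() -> Dict[str, bool]:
    """What the posted "ApiScope" policy decides for each scope encoding."""
    return {
        name: require_claim(claims_from_payload(decode_payload(make_token(p))),
                            "scope", "stripedotnetapi")
        for name, p in (("array", PAYLOAD_ARRAY), ("string", PAYLOAD_STRING))
    }


if __name__ == "__main__":
    print(api_policy_decisions())  # {'array': True, 'string': False}
    for p in (PAYLOAD_ARRAY, PAYLOAD_STRING):
        c = claims_from_payload(p)
        print(has_scope(c, "stripedotnetapi"),
              ocelot_scope_gate(c, []), ocelot_scope_gate(c, ["stripedotnetapi"]))
```

Two things a practitioner should take from this. The exact-match `RequireClaim("scope", ...)` only works because IdentityServer emits several scopes as an array, which the .NET handler turns into one claim per element; if the server is switched to the space-delimited encoding (Duende's `EmitScopesAsSpaceDelimitedStringInJwt` option), that policy silently fails and a split-aware check like `has_scope` is needed. And with `"AllowedScopes": []` the gateway only authenticates; the scope decision is made solely by the downstream API.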

1 Answer

Stack Overflow user

Posted on 2022-11-28 21:47:43

Solved. I didn't pay enough attention to the docs. The client had not been granted offline access.

```csharp
// Added to the razorweb Client definition in Config.Clients
AllowOfflineAccess = true,
```

Votes: 0
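To show why the posted configuration failed and why the one-line change above fixes it, here is a simplified Python model of the scope validation an OpenID Connect authorization endpoint performs on the web client's request. It is an added example and not Duende IdentityServer's own code; it implements only the two rules relevant here, which match Duende's documented behaviour: a requested scope must be a defined identity resource or API scope (or the reserved `offline_access`), it must be in the client's `AllowedScopes`, and `offline_access` is granted only when the client has `AllowOfflineAccess`. It also shows that the discovery document's `scopes_supported` is global and says nothing about a particular client, which is why it looked fine in the question.

```python
"""Added example, not Duende IdentityServer's own code: a simplified model of
the scope check the authorize endpoint performs on a client's request, written
to show why the posted configuration produced `invalid_scope` and why
`AllowOfflineAccess = true` resolves it.  Rules modelled (a subset of the real
validator):
  * every requested scope must be a defined identity resource or API scope,
    except the reserved scope `offline_access`;
  * every requested scope must be in the client's AllowedScopes, except
    `offline_access`, which is granted only if the client has AllowOfflineAccess.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

OFFLINE_ACCESS = "offline_access"


@dataclass(frozen=True)
class Client:
    client_id: str
    allowed_scopes: FrozenSet[str]
    allow_offline_access: bool = False


@dataclass(frozen=True)
class ScopeResult:
    ok: bool
    error: Optional[str] = None
    description: Optional[str] = None


def validate_requested_scopes(requested: str, client: Client,
                              identity_scopes: Iterable[str],
                              api_scopes: Iterable[str]) -> ScopeResult:
    """Return the outcome the authorize endpoint would report for `scope=...`."""
    defined = set(identity_scopes) | set(api_scopes)
    for scope in requested.split():
        if scope == OFFLINE_ACCESS:
            # offline_access is not a resource; it is gated by a client flag.
            if not client.allow_offline_access:
                return ScopeResult(False, "invalid_scope",
                                   f"client '{client.client_id}' requested offline_access "
                                   "but AllowOfflineAccess is false")
            continue
        if scope not in defined:
            return ScopeResult(False, "invalid_scope",
                               f"scope '{scope}' is not defined on the server")
        if scope not in client.allowed_scopes:
            return ScopeResult(False, "invalid_scope",
                               f"scope '{scope}' is not in AllowedScopes of client "
                               f"'{client.client_id}'")
    return ScopeResult(True)


def scopes_supported(identity_scopes: Iterable[str], api_scopes: Iterable[str]) -> List[str]:
    """What discovery advertises: every defined scope plus offline_access, for
    all clients alike; it never reflects one client's AllowedScopes."""
    return sorted(set(identity_scopes) | set(api_scopes) | {OFFLINE_ACCESS})


# Constructed to mirror the posted Config class and the web client's scope list.
IDENTITY_SCOPES = ("openid", "profile")
API_SCOPES = ("stripedotnetapi",)
WEB_CLIENT_SCOPES = "openid profile stripedotnetapi offline_access"

RAZORWEB_AS_POSTED = Client("razorweb", frozenset({"openid", "profile", "stripedotnetapi"}))
RAZORWEB_FIXED = Client("razorweb", frozenset({"openid", "profile", "stripedotnetapi"}),
                        allow_offline_access=True)


def check(client: Client, requested: str = WEB_CLIENT_SCOPES) -> ScopeResult:
    """Validate `requested` for `client` against the constructed resource set."""
    return validate_requested_scopes(requested, client, IDENTITY_SCOPES, API_SCOPES)


if __name__ == "__main__":
    print(scopes_supported(IDENTITY_SCOPES, API_SCOPES))
    print(check(RAZORWEB_AS_POSTED))  # invalid_scope: offline_access not allowed
    print(check(RAZORWEB_FIXED))      # ok
```

Running it reproduces the symptom: the same `scopes_supported` list comes back for both client definitions, yet only the client with `allow_offline_access=True` passes a request that includes `offline_access`. The same check also explains the commented-out `email` scope: requesting it while `IdentityResources.Email()` is not registered is rejected as an undefined scope, not as a client permission problem.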
Page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/74583177
