用Aurelia从IdentityServer获取JWT的配置

Question

我很难从IdentityServer3获得一个JWT。我用奥雷利亚和奥雷利亚-奥斯。

我从IdentityServer得到的错误是“客户端应用程序不知道或没有授权”。

想知道我在配置中缺少了什么？配置如下

//Server Clients
public static class Clients
{
    public static IEnumerable<Client> Get()
    {
        return new List<Client> {
            new Client {
                ClientName = "AureliaApplication",
                Enabled = true,
                ClientId = "aureliaClient",
                AllowAccessToAllScopes = true,
                Flow = Flows.ResourceOwner,
                AccessTokenType = AccessTokenType.Jwt,
                AccessTokenLifetime = 3600
            }
        };
    }
}

//Aurelia-Auth Provider Config
var config = {
    providers: {
        IdentityServerV3: {
            name:'IdentityServerV3',
            url: '/auth/IdentityServerV3',
            authorizationEndpoint: 'https://localhost:44300/core/connect/authorize',
            redirectUri: window.location.origin || window.location.protocol + '//' + window.location.host,
            scope: ['openid'],
            scopePrefix: 'openid',
            scopeDelimiter: '&',
            display: 'popup',
            type: '2.0',
            clientId: 'aureliaClient',
            popupOptions: { width: 1020, height: 618 }
        }
    }
}

export default config;

Answer 1

您需要在IdentityServer中配置客户机的作用域。

new Client
{
    ClientId = "Aurelia Client",
    ClientName = "aureliaClient",
    ClientSecrets = new List<Secret> {
        new Secret(Constants.IdentitySecret.Sha256())
    },
    Flow = Flows.Hybrid,
    RequireConsent = true,
    AllowRememberConsent = true,
    RedirectUris = new List<string> {
        "http://localhost:9000"
    },
    PostLogoutRedirectUris = new List<string> {
        "http://localhost:9000"
    },
    AllowedScopes = new List<string> {
        Constants.StandardScopes.OpenId,
        Constants.StandardScopes.Profile,
        Constants.StandardScopes.Roles,
        "apiAccess"
    }
}

Aurelia配置必须将url更正为不同的IdentityServer端点。这些端点通常可以在服务器的openid配置中找到(在本例中是：https://localhost:44301/core/.well-known/openid-configuration)。与在IdentityServer中的客户端配置中定义的作用域相同

var config = {
    baseUrl : 'https://localhost:44301/core',
    tokenName : 'id_token',
    profileUrl: '/connect/userinfo',
    unlinkUrl : '/connect/endsession',
    logoutRedirect: '/',
    loginRedirect : '#/',

    providers : {
        identSrv : {
            name: 'identSrv',
            url: '/connect/token',
            authorizationEndpoint: 'https://localhost:44301/core/connect/authorize/',
            redirectUri: window.location.origin || window.location.protocol + '//' + window.location.host,
            scope: ['profile', 'apiAccess','openid', 'roles'],
            responseType :'code id_token token',
            scopePrefix: '',
            scopeDelimiter: ' ',
            requiredUrlParams: ['scope', 'nonce'],
            optionalUrlParams: ['display'],
            state: 'session_state',
            display: 'popup',
            type: '2.0',
            clientId: 'jsClient',
            flow: 'hybrid',
            nonce : function(){
            var val = ((Date.now() + Math.random()) * Math.random()).toString().replace(".", "");
                return encodeURIComponent(val);
            },
            popupOptions: { width: 452, height: 633 }
    }
}

Scott实际上找到了解决方案(我只是用它来回答)，您可以在他的github https://github.com/devscott/identityServer3Example上找到一个例子