Asp.net 获取DiscoveryClient失败,原因是;发卡机构名称与授权机构不匹配”;
当使用IdentityModel的Asp.net 获取DiscoveryClient失败,原因是;发卡机构名称与授权机构不匹配”;,asp.net,asp.net-core,identityserver4,Asp.net,Asp.net Core,Identityserver4,当使用IdentityModel的DiscoveryClient执行get时,我得到以下错误,如下所示: var discoveryResponse = await DiscoveryClient.GetAsync("https://localhost/IdentityServer"); 颁发者名称与授权不匹配: 目标URL是在启用了IdentityServer4的IIS上运行的ASP.NET核心web应用程序。客户端应用程序是在同一台计算机上运行的经典ASP.NET web应用程序 很显然,
DiscoveryClient执行get时,我得到以下错误,如下所示:
var discoveryResponse = await DiscoveryClient.GetAsync("https://localhost/IdentityServer");
颁发者名称与授权不匹配:
目标URL是在启用了IdentityServer4的IIS上运行的ASP.NET核心web应用程序。客户端应用程序是在同一台计算机上运行的经典ASP.NET web应用程序
很显然,GET确实成功地从IdentityServer检索到了值,这可以从discoveryResponse.Raw
的内容中得到证明:
{
"issuer": "https://localhost/identityserver",
"jwks_uri": "https://localhost/IdentityServer/.well-known/openid-configuration/jwks",
"authorization_endpoint": "https://localhost/IdentityServer/connect/authorize",
"token_endpoint": "https://localhost/IdentityServer/connect/token",
"userinfo_endpoint": "https://localhost/IdentityServer/connect/userinfo",
"end_session_endpoint": "https://localhost/IdentityServer/connect/endsession",
"check_session_iframe": "https://localhost/IdentityServer/connect/checksession",
"revocation_endpoint": "https://localhost/IdentityServer/connect/revocation",
"introspection_endpoint": "https://localhost/IdentityServer/connect/introspect",
"frontchannel_logout_supported": true,
"frontchannel_logout_session_supported": true,
"scopes_supported": [ "CustomIdentityResources", "profile", "openid", "MyAPI.full_access", "offline_access" ],
"claims_supported": [],
"grant_types_supported": [ "authorization_code", "client_credentials", "refresh_token", "implicit" ],
"response_types_supported": [ "code", "token", "id_token", "id_token token", "code id_token", "code token", "code id_token token" ],
"response_modes_supported": [ "form_post", "query", "fragment" ],
"token_endpoint_auth_methods_supported": [ "client_secret_basic", "client_secret_post" ],
"subject_types_supported": [ "public" ],
"id_token_signing_alg_values_supported": [ "RS256" ],
"code_challenge_methods_supported": [ "plain", "S256" ]
}
授权:
发行人:
它们不匹配-区分大小写。如果无法更改服务器代码以适应策略,可以更改策略设置以允许名称不匹配
例如,我试图在Azure Rest API上使用DiscoveryClient
,而issuer
是https://sts.windows.net/{{tenant_id}
而端点都以https://login.microsoft.com/{{tenant_id}}
只需将字段validateisuername
和ValidateEndpoints
设置为false
var tenant_id = "8481D2AC-893F-4454-8A3B-A0297D301278"; // Made up for this example
var authority = $"https://login.microsoftonline.com/{tenant_id}";
DiscoveryClient discoveryClient = new DiscoveryClient(authority);
// Accept the configuration even if the issuer and endpoints don't match
discoveryClient.Policy.ValidateIssuerName = false;
discoveryClient.Policy.ValidateEndpoints = false;
var discoResponse = await discoveryClient.GetAsync();
后期编辑
自从发布此消息后,DiscoveryClient
类已被弃用
以下是新的调用语法:
var client = new HttpClient();
var discoResponse = await client.GetDiscoveryDocumentAsync(
new DiscoveryDocumentRequest
{
Address = authority,
Policy =
{
ValidateIssuerName = false,
ValidateEndpoints = false,
},
}
);
其他答案针对客户机-使其接受小写的发行人
这改变了发现文件中发行人的情况:
默认情况下,Identity Server似乎将颁发者Uri更改为小写。这导致发现文档对于发行人具有小写字母;以及您键入的代码/发布的案例
我在我的Identity Server应用程序Startup、ConfigureServices方法中修复了此问题
var builder = services.AddIdentityServer(options => { options.LowerCaseIssuerUri = false; })
使用这意味着发现文档中的颁发者的情况与所有其他URI的情况相同。我在跟踪颁发者
字段的来源时遇到问题。这是从宿主应用程序的上下文派生的吗?例如,如果我在名为“IdentityProvider”的应用程序中的IIS中托管IdenityServer端点,则颁发者将是https://localhost/identityprovider
(小写)?IIRC-发卡机构名称始终都是小写的(以避免这些问题)。使用小写肯定解决了问题。谢谢@SigurdGarshol你能分享一下你是如何让你的https
端点使用IS4的吗?我无法让requestclientcredentialasync
使用https
@Ruskin:如果不知道您遇到了什么样的错误,很难回答。如果问题是“您是如何启用https的”,那么我们就是这么做的:我们告诉WebHostBuilder将Kestrel与https一起使用,并提供从文件读取的自签名证书。这仅适用于将IS4端点作为控制台主机运行时-在“适当”IIS下运行时,我们将https和证书提交给web服务器。这很有效。谢谢