Aurelia hybrid flow: invalid_client
I am trying to log in with IdentityServer3 (self-hosted) using the hybrid flow, but when the browser tries to connect to the token endpoint I get a 400 Bad Request with the response {"error":"invalid_client"}. The request headers contain the cookies returned from IdentityServer, and the request payload includes the access token, refresh token, session state and token type. The server log looks like this:
[14:23:20 INF] Creating Hybrid Flow response.
[14:23:20 INF] Creating Implicit Flow response.
[14:23:20 DBG] Creating access token
[14:23:20 DBG] Creating JWT access token
[14:23:20 DBG] Creating identity token
[14:23:20 INF] Getting claims for identity token for subject: Petter
[14:23:20 DBG] Creating JWT identity token
[14:23:20 DBG] Adding client nettweb to client list cookie for subject Petter
[14:23:20 INF] Redirecting to: http://localhost:9000
[14:23:20 INF] CORS request made for path: /connect/token from origin: http://localhost:9000
[14:23:20 INF] Client list checked and origin: http://localhost:9000 is allowed
[14:23:20 INF] CorsPolicyService allowed origin
[14:23:20 INF] Start token request
[14:23:20 DBG] Start client validation
[14:23:20 DBG] Start parsing Basic Authentication secret
[14:23:20 DBG] Start parsing for secret in post body
[14:23:20 DBG] No secret in post body found
[14:23:20 DBG] Start parsing for X.509 certificate
[14:23:20 DBG] client_id is not found in post body
[14:23:20 INF] Parser found no secret
[14:23:20 INF] No client secret found
[14:23:20 INF] End token request
[14:23:20 INF] Returning error: invalid_client
Decoding the access token at jwt.io shows that the client id is indeed part of the payload, so I don't quite understand why IdSrvr complains.
The client is configured as:
var config = {
  endpoint: 'auth',
  configureEndpoints: ['auth'],
  baseUrl: 'connect/token',
  token_name: 'id_token',
  profileUrl: '/connect/userinfo',
  unlinkUrl: '/connect/endsession',
  logoutRedirect: '/',
  loginRedirect: '#/',
  providers: {
    identityServer: {
      name: 'Test IdP',
      authorizationEndpoint: 'http://localhost:44333/core/connect/authorize',
      logoutEndpoint: 'http://localhost:44333/core/connect/logout',
      redirectUri: window.location.origin || window.location.protocol + '//' + window.location.host,
      scope: ['openid', 'profile', 'roles', 'resourceaccess'],
      responseType: 'code id_token token',
      scopePrefix: '',
      scopeDelimiter: ' ',
      requiredUrlParams: ['scope', 'nonce', 'resource'],
      optionalUrlParams: ['display'],
      state: 'session_state',
      oauthType: '2.0',
      clientId: 'testclient',
      clientSecret: 'gsQSM334plJvWpiqKXJvhWcTXsL4Dp7dWIUzcFhappM=',
      flow: 'hybrid',
      nonce: function() {
        var val = ((Date.now() + Math.random()) * Math.random()).toString().replace(".", "");
        return encodeURIComponent(val);
      },
      popupOptions: {width: 452, height: 633},
    }
  }
}
export default config;
where 'auth' refers to http://localhost:44333/core/
(client JS library used: aurelia-authentication)
TIA

You should check the token request and look at what is actually being sent. The browser connecting to the /token endpoint sounds like an anti-pattern, which is a problem with the client library. The token endpoint should be used from the back end, not from the browser, and having to push the client secret into the browser is obviously a bad idea.

Re: "The browser connecting to the /token endpoint sounds like an anti-pattern, which is a problem with the client library". Yes, there is nothing I can do about that. However, I switched to using the implicit flow and everything works as expected.
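The validation order visible in the log above (Basic header, then the post body, then give up with invalid_client), as an added Node.js example that is not from the question, the answer or aurelia-authentication; the client registry, secret, code and tokens are constructed placeholders. It contrasts the request the browser library sent (front-channel tokens, no client credentials) with a back-channel authorization_code exchange that carries HTTP Basic credentials:

```javascript
// Added example (not from the question, the answer or aurelia-authentication): a
// model of the client-validation order in the IdentityServer3 log (Basic header,
// then client_id/client_secret in the post body). All values are constructed.

// Parse an HTTP Basic Authorization header into { clientId, secret }, or null.
function parseBasicAuth(headers) {
  const h = headers["authorization"];
  if (!h || !h.startsWith("Basic ")) return null;
  const decoded = Buffer.from(h.slice(6), "base64").toString("utf8");
  const idx = decoded.indexOf(":");
  if (idx < 1) return null;
  return { clientId: decoded.slice(0, idx), secret: decoded.slice(idx + 1) };
}

// Header first, then post body; no client_id anywhere -> invalid_client. A real
// server stores a secret hash and compares in constant time.
function validateClient(headers, body, registeredClients) {
  const form = Object.fromEntries(new URLSearchParams(body));
  let cred = parseBasicAuth(headers);
  if (!cred && form.client_id) {
    cred = { clientId: form.client_id, secret: form.client_secret };
  }
  if (!cred || !cred.secret) return { ok: false, error: "invalid_client" };
  if (registeredClients[cred.clientId] !== cred.secret) {
    return { ok: false, error: "invalid_client" };
  }
  return { ok: true, clientId: cred.clientId };
}

const CLIENTS = { testclient: "PLACEHOLDER_SECRET" }; // constructed registry

// What the question's log describes: front-channel tokens re-posted to
// /connect/token by the browser, with no client_id and no secret.
const browserRequest = {
  headers: {},
  body: "access_token=eyJ.constructed&refresh_token=rt1&session_state=ss1&token_type=Bearer",
};

// The back-channel authorization_code exchange a confidential client would send.
const backendRequest = {
  headers: { authorization: "Basic " + Buffer.from("testclient:PLACEHOLDER_SECRET").toString("base64") },
  body: "grant_type=authorization_code&code=constructed-code&redirect_uri=http%3A%2F%2Flocalhost%3A9000",
};

function checkBoth() {
  return {
    browser: validateClient(browserRequest.headers, browserRequest.body, CLIENTS),
    backend: validateClient(backendRequest.headers, backendRequest.body, CLIENTS),
  };
}
```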