Authentication: .Net Core and IdentityServer 4 fail when using https in the Authority option


In my Startup.cs ConfigureServices method, I have:

        services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = applicationUrl;
                options.SupportedTokens = SupportedTokens.Jwt;
                options.RequireHttpsMetadata = false; // Note: Set to true in production
                options.ApiName = IdentityServerConfig.ApiName;
            });
I can get an access token... but when I try to access /users/me, I get a 401 Unauthorized.

where applicationUrl is something like

But if I change:

                options.Authority = applicationUrl;
to:

it works.

I don't know why the https url is a problem... I can access my whole site over https. Also, setting RequireHttpsMetadata=true did not help.

Thoughts?

By the way, my AddIdentityServer looks like this:

        services.AddIdentityServer()
          // The AddDeveloperSigningCredential extension creates temporary key material for signing tokens.
          // This might be useful to get started, but needs to be replaced by some persistent key material for production scenarios.
          // See http://docs.identityserver.io/en/release/topics/crypto.html#refcrypto for more information.
          // .AddDeveloperSigningCredential()
          .AddSigningCredential(certificate)
          .AddConfigurationStore(options =>
          {
              options.ConfigureDbContext = builder => builder.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(migrationsAssembly));
          })
          .AddOperationalStore(options =>
          {
              options.ConfigureDbContext = builder => builder.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(migrationsAssembly));

              // this enables automatic token cleanup. this is optional. 
              options.EnableTokenCleanup = true;
              options.TokenCleanupInterval = 30;
          })
          .AddAspNetIdentity<ApplicationUser>()
          .AddProfileService<ProfileService>();
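Note that the Authority must be the same as the issuer. This allows the client/resource to verify that the creator of the token is indeed the trusted authority.

You can see the actual value of the issuer at https://ids4.mysite.com/.well-known/openid-configuration.

You can optionally set the IssuerUri in:

The setting will appear in the discovery document and in the issued JWT tokens. It is recommended not to set this property, because the issuer name is inferred from the host name used by the clients.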
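
To see which values disagree, the comparison described in the answer can be run offline against a token and a discovery document. This is an added example, not code from the original post or from IdentityServer; the `IssuerCheck` helper, the token and the discovery JSON are constructed for illustration, and the strict string comparison is an assumption of the sketch.

```csharp
// Added example (not from the original post); token and discovery JSON are constructed.
using System;
using System.Text;
using System.Text.Json;

static class IssuerCheck
{
    // Read one string property from a JSON object.
    static string Prop(string json, string name)
    {
        using JsonDocument doc = JsonDocument.Parse(json);
        return doc.RootElement.GetProperty(name).GetString() ?? "";
    }

    // Decode the payload (second segment) of a compact JWT WITHOUT validating the signature.
    // For diagnostics only; never trust claims read this way.
    static string PayloadJson(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("expected header.payload.signature");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(b64));
    }

    // Strict ordinal comparison (an assumption of this sketch): scheme, host, port and path all count.
    public static bool Consistent(string authority, string discoveryJson, string jwt)
    {
        string issuer = Prop(discoveryJson, "issuer");
        string iss = Prop(PayloadJson(jwt), "iss");
        Console.WriteLine($"Authority={authority}  discovery.issuer={issuer}  token.iss={iss}");
        return string.Equals(authority, issuer, StringComparison.Ordinal)
            && string.Equals(issuer, iss, StringComparison.Ordinal);
    }

    static string B64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed inputs: the server names itself with http:// while the API is configured with https://.
        string discovery = "{\"issuer\":\"http://ids4.mysite.com\"}";
        string jwt = B64Url("{\"alg\":\"RS256\"}") + "." + B64Url("{\"iss\":\"http://ids4.mysite.com\"}") + ".sig";
        Console.WriteLine(Consistent("https://ids4.mysite.com", discovery, jwt));
        Console.WriteLine(Consistent("http://ids4.mysite.com", discovery, jwt));
    }
}
```

With real data, paste the `issuer` value from the discovery endpoint and an access token issued by the same server in place of the constructed strings.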
