Authentication fails in .NET Core with IdentityServer 4 when using https in the Authority option
In my Startup.cs ConfigureServices method, I have:
    services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = applicationUrl;
            options.SupportedTokens = SupportedTokens.Jwt;
            options.RequireHttpsMetadata = false; // Note: Set to true in production
            options.ApiName = IdentityServerConfig.ApiName;
        });
I can get an access token... but when I try to access /users/me I get a 401 Unauthorized.
where applicationUrl is something like
But if I change:
    options.Authority = applicationUrl;
to:
it works.
I don't know why the https URL is a problem... I can reach my whole site over https. Also, setting RequireHttpsMetadata = true doesn't help.
Ideas?
By the way, my AddIdentityServer looks like this:
    services.AddIdentityServer()
        // The AddDeveloperSigningCredential extension creates temporary key material for signing tokens.
        // This might be useful to get started, but needs to be replaced by some persistent key material for production scenarios.
        // See http://docs.identityserver.io/en/release/topics/crypto.html#refcrypto for more information.
        // .AddDeveloperSigningCredential()
        .AddSigningCredential(certificate)
        .AddConfigurationStore(options =>
        {
            options.ConfigureDbContext = builder => builder.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(migrationsAssembly));
        })
        .AddOperationalStore(options =>
        {
            options.ConfigureDbContext = builder => builder.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(migrationsAssembly));
            // this enables automatic token cleanup. this is optional.
            options.EnableTokenCleanup = true;
            options.TokenCleanupInterval = 30;
        })
        .AddAspNetIdentity<ApplicationUser>()
        .AddProfileService<ProfileService>();
Note that the Authority must be the same as the issuer. This lets the client/resource verify that the creator of the token really is the trusted authority.
You can see the actual value of the issuer at https://ids4.mysite.com/.well-known/openid-configuration.
You can optionally set IssuerUri in:
The setting will appear in the discovery document and the issued JWT tokens. It is recommended not to set this property, since the issuer name is then inferred from the host name used by the clients.
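To make the mismatch the answer describes visible, here is an added diagnostic; it is not part of the question, the answer, or IdentityServer4 itself. It fetches the discovery document from the configured Authority (the same document the bearer handler reads), reads the iss claim of an access token without validating its signature, and reports whether the two issuer strings are identical, which is the comparison that produces the 401 when they differ. The program name IssuerCheck, its command-line arguments, and the NuGet package System.IdentityModel.Tokens.Jwt are assumptions.

```csharp
// Added diagnostic example (assumed names; not code from the question, the answer, or IdentityServer4).
// Assumes the NuGet package System.IdentityModel.Tokens.Jwt is referenced.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

public static class IssuerCheck
{
    // Fetch the discovery document at <authority>/.well-known/openid-configuration and return its "issuer".
    // This is the value the JwtBearer handler uses as the valid issuer, not the Authority string itself.
    public static async Task<string> GetDiscoveryIssuerAsync(HttpClient http, string authority)
    {
        string url = authority.TrimEnd('/') + "/.well-known/openid-configuration";
        using var stream = await http.GetStreamAsync(url);
        using var doc = await JsonDocument.ParseAsync(stream);
        return doc.RootElement.GetProperty("issuer").GetString();
    }

    // Read the "iss" claim only. No signature validation happens here; this is a diagnostic,
    // never an authorization decision.
    public static string GetTokenIssuer(string accessToken)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        return jwt.Issuer;
    }

    // The bearer handler compares "iss" with the discovery issuer as exact strings.
    // Print all three values so the difference (for example https vs http) is obvious.
    public static bool ReportMismatch(string authority, string discoveryIssuer, string tokenIssuer)
    {
        bool ok = string.Equals(discoveryIssuer, tokenIssuer, StringComparison.Ordinal);
        Console.WriteLine($"Authority (API config): {authority}");
        Console.WriteLine($"issuer (discovery doc): {discoveryIssuer}");
        Console.WriteLine($"iss (access token):     {tokenIssuer}");
        Console.WriteLine(ok
            ? "Issuer matches; a 401 has another cause (audience, lifetime, signing key)."
            : "Issuer mismatch; the API rejects this token with 401.");

        if (!ok && string.Equals(discoveryIssuer.TrimEnd('/'), tokenIssuer.TrimEnd('/'),
                                 StringComparison.OrdinalIgnoreCase))
        {
            // Same host, different case or trailing slash: a spelling problem in configuration.
            Console.WriteLine("Values differ only in case or trailing slash; align Authority/IssuerUri spelling.");
        }
        else if (!ok)
        {
            // Typically the scheme differs: the token carries the URL IdentityServer saw on the
            // issuing request, which is the host name the clients used, as the answer states.
            Console.WriteLine("Values differ in scheme or host; the token was issued under a different URL than the API trusts.");
        }
        return ok;
    }

    public static async Task<int> Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.WriteLine("usage: IssuerCheck <authority-url> <access-token>");
            return 2;
        }
        using var http = new HttpClient();
        string discoveryIssuer = await GetDiscoveryIssuerAsync(http, args[0]);
        string tokenIssuer = GetTokenIssuer(args[1]);
        return ReportMismatch(args[0], discoveryIssuer, tokenIssuer) ? 0 : 1;
    }
}
```

Run it with the same Authority value the API is configured with and a token obtained from the https endpoint. If the discovery issuer and the token's iss agree with each other but not with the https Authority, the fix belongs on the IdentityServer side (the URL the clients reach it by, or an explicit IssuerUri), not in the API's validation options; lowering RequireHttpsMetadata does not change the issuer comparison and should stay true in production.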