IdentityServer4 upgrade from v3 to v4 - scope validation error


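I just upgraded IdentityServer4 to v4, including the EF schema updates on ApiResources, ApiScopes and ApiResourceScopes. But after making the necessary changes, I started getting the error "Scope customers:read not found in store." invalid_scope ... as shown below.

I'm not sure what I'm missing here; any idea what is causing this error?

Thanks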

SELECT [a].[Id], [a].[AllowedAccessTokenSigningAlgorithms], [a].[Created], [a].[Description], [a].[DisplayName], [a].[Enabled], [a].[LastAccessed], [a].[Name], [a].[NonEditable], [a].[ShowInDiscoveryDocument], [a].[Updated], [a0].[Id], [a0].[ApiResourceId], [a0].[Created], [a0].[Description], [a0].[Expiration], [a0].[Type], [a0].[Value], [a1].[Id], [a1].[ApiResourceId], [a1].[Scope], [a2].[Id], [a2].[ApiResourceId], [a2].[Type], [a3].[Id], [a3].[ApiResourceId], [a3].[Key], [a3].[Value]
      FROM [ApiResources] AS [a]
      LEFT JOIN [ApiResourceSecrets] AS [a0] ON [a].[Id] = [a0].[ApiResourceId]
      LEFT JOIN [ApiResourceScopes] AS [a1] ON [a].[Id] = [a1].[ApiResourceId]
      LEFT JOIN [ApiResourceClaims] AS [a2] ON [a].[Id] = [a2].[ApiResourceId]
      LEFT JOIN [ApiResourceProperties] AS [a3] ON [a].[Id] = [a3].[ApiResourceId]
      WHERE EXISTS (
          SELECT 1
          FROM [ApiResourceScopes] AS [a4]
          WHERE ([a].[Id] = [a4].[ApiResourceId]) AND [a4].[Scope] IN (N'customers:read'))
      ORDER BY [a].[Id], [a0].[Id], [a1].[Id], [a2].[Id], [a3].[Id]
dbug: IdentityServer4.EntityFramework.Stores.ResourceStore[0]
      Found customers API resources in database
info: Microsoft.EntityFrameworkCore.Database.Command[20101]
      Executed DbCommand (56ms) [Parameters=[], CommandType='Text', CommandTimeout='30']
      SELECT [a].[Id], [a].[Description], [a].[DisplayName], [a].[Emphasize], [a].[Enabled], [a].[Name], [a].[Required], [a].[ShowInDiscoveryDocument], [a0].[Id], [a0].[ScopeId], [a0].[Type], [a1].[Id], [a1].[Key], [a1].[ScopeId], [a1].[Value]
      FROM [ApiScopes] AS [a]
      LEFT JOIN [ApiScopeClaims] AS [a0] ON [a].[Id] = [a0].[ScopeId]
      LEFT JOIN [ApiScopeProperties] AS [a1] ON [a].[Id] = [a1].[ScopeId]
      WHERE [a].[Name] IN (N'customers:read')
      ORDER BY [a].[Id], [a0].[Id], [a1].[Id]
dbug: IdentityServer4.EntityFramework.Stores.ResourceStore[0]
      Found customers:read scopes in database
fail: IdentityServer4.Validation.DefaultResourceValidator[0]
      Scope customers:read not found in store.
fail: IdentityServer4.Validation.TokenRequestValidator[0]
      Invalid scopes requested, {
        "ClientId": "or_cust",
        "ClientName": "customers mgt api",
        "GrantType": "client_credentials",
        "Raw": {
          "CustomerId": "ZU9h1qCmyU_VCfrUEvOfsg",
          "grant_type": "client_credentials",
          "scope": "customers:read",
          "client_id": "or_cust",
          "client_secret": "***REDACTED***"
        }
      }
info: System.Net.Http.HttpClient.ITokenProvider.ClientHandler[101]
      Received HTTP response after 1725.7136ms - BadRequest
info: System.Net.Http.HttpClient.ITokenProvider.LogicalHandler[101]
      End processing HTTP request after 1725.9137ms - BadRequest
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished in 1697.027ms 400 application/json; charset=UTF-8
fail: Goomtera.Runtime.Auth.TokenProvider[0]
      invalid_scope

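After digging into the DefaultResourceValidator code, I found that this error was caused by the ApiScope I added not being enabled. The validator fetches the ApiResources by applying a filter for enabled resources.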

        public virtual async Task<ResourceValidationResult> ValidateRequestedResourcesAsync(ResourceValidationRequest request)
        {
            if (request == null) throw new ArgumentNullException(nameof(request));

            var parsedScopesResult = _scopeParser.ParseScopeValues(request.Scopes);

            var result = new ResourceValidationResult();
            
            if (!parsedScopesResult.Succeeded)
            {
                foreach (var invalidScope in parsedScopesResult.Errors)
                {
                    _logger.LogError("Invalid parsed scope {scope}, message: {error}", invalidScope.RawValue, invalidScope.Error);
                    result.InvalidScopes.Add(invalidScope.RawValue);
                }

                return result;
            }

            var scopeNames = parsedScopesResult.ParsedScopes.Select(x => x.ParsedName).Distinct().ToArray();
            var resourcesFromStore = await _store.FindEnabledResourcesByScopeAsync(scopeNames);

        /// <summary>
        /// Finds the enabled resources by scope.
        /// </summary>
        /// <param name="store">The store.</param>
        /// <param name="scopeNames">The scope names.</param>
        /// <returns></returns>
        public static async Task<Resources> FindEnabledResourcesByScopeAsync(this IResourceStore store, IEnumerable<string> scopeNames)
        {
            return (await store.FindResourcesByScopeAsync(scopeNames)).FilterEnabled();
        }
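
A diagnostic query for the situation described in the answer, added here as an example (it is not part of the original post or of IdentityServer4). It uses only the tables and columns visible in the logged EF Core queries above, with SQL Server syntax and the scope name from the failing request; the final UPDATE assumes the scope is meant to be active.

```sql
-- Added example, not from the original post.
-- Table and column names come from the EF Core queries logged in the question.

-- 1. Show the requested scope, its Enabled flag, and the Enabled flag of every
--    API resource that references it. The store finds these rows (see the
--    "Found ... in database" debug lines), but the enabled filter applied
--    afterwards drops any row whose Enabled flag is 0.
SELECT
    s.[Name]    AS ScopeName,
    s.[Enabled] AS ScopeEnabled,
    r.[Name]    AS ApiResourceName,
    r.[Enabled] AS ApiResourceEnabled
FROM [ApiScopes] AS s
LEFT JOIN [ApiResourceScopes] AS rs ON rs.[Scope] = s.[Name]
LEFT JOIN [ApiResources]      AS r  ON r.[Id] = rs.[ApiResourceId]
WHERE s.[Name] = N'customers:read'
ORDER BY s.[Name], r.[Name];

-- 2. List every scope that exists in the store but is disabled, i.e. every
--    scope that would fail validation with "not found in store".
SELECT [Id], [Name], [Enabled]
FROM [ApiScopes]
WHERE [Enabled] = 0
ORDER BY [Name];

-- 3. Enable the scope once it is confirmed that clients should be able to
--    request it (assumption: the disabled state was an upgrade or seeding
--    oversight, as in the answer above, not a deliberate restriction).
UPDATE [ApiScopes]
SET [Enabled] = 1
WHERE [Name] = N'customers:read';
```

A disabled scope and a missing scope produce the same "not found in store" log line, so query 1 is the quickest way to tell the two cases apart.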