IdentityServer4从v3升级到v4-范围验证错误
我刚刚将IdentityServer4升级到v4,包括ApiResources、ApiScopes和ApiResourceScopes上的EF模式更新。但在做了必要的更改后,我开始收到错误“Scope customers:read not found in store.”无效的\u范围。。。如下 我不确定我在这里错过了什么;知道是什么导致了这个错误吗 谢谢IdentityServer4从v3升级到v4-范围验证错误,identityserver4,Identityserver4,我刚刚将IdentityServer4升级到v4,包括ApiResources、ApiScopes和ApiResourceScopes上的EF模式更新。但在做了必要的更改后,我开始收到错误“Scope customers:read not found in store.”无效的\u范围。。。如下 我不确定我在这里错过了什么;知道是什么导致了这个错误吗 谢谢 SELECT [a].[Id], [a].[AllowedAccessTokenSigningAlgorithms], [a].[Creat
SELECT [a].[Id], [a].[AllowedAccessTokenSigningAlgorithms], [a].[Created], [a].[Description], [a].[DisplayName], [a].[Enabled], [a].[LastAccessed], [a].[Name], [a].[NonEditable], [a].[ShowInDiscoveryDocument], [a].[Updated], [a0].[Id], [a0].[ApiResourceId], [a0].[Created], [a0].[Description], [a0].[Expiration], [a0].[Type], [a0].[Value], [a1].[Id], [a1].[ApiResourceId], [a1].[Scope], [a2].[Id], [a2].[ApiResourceId], [a2].[Type], [a3].[Id], [a3].[ApiResourceId], [a3].[Key], [a3].[Value]
FROM [ApiResources] AS [a]
LEFT JOIN [ApiResourceSecrets] AS [a0] ON [a].[Id] = [a0].[ApiResourceId]
LEFT JOIN [ApiResourceScopes] AS [a1] ON [a].[Id] = [a1].[ApiResourceId]
LEFT JOIN [ApiResourceClaims] AS [a2] ON [a].[Id] = [a2].[ApiResourceId]
LEFT JOIN [ApiResourceProperties] AS [a3] ON [a].[Id] = [a3].[ApiResourceId]
WHERE EXISTS (
SELECT 1
FROM [ApiResourceScopes] AS [a4]
WHERE ([a].[Id] = [a4].[ApiResourceId]) AND [a4].[Scope] IN (N'customers:read'))
ORDER BY [a].[Id], [a0].[Id], [a1].[Id], [a2].[Id], [a3].[Id]
dbug: IdentityServer4.EntityFramework.Stores.ResourceStore[0]
Found customers API resources in database
info: Microsoft.EntityFrameworkCore.Database.Command[20101]
Executed DbCommand (56ms) [Parameters=[], CommandType='Text', CommandTimeout='30']
SELECT [a].[Id], [a].[Description], [a].[DisplayName], [a].[Emphasize], [a].[Enabled], [a].[Name], [a].[Required], [a].[ShowInDiscoveryDocument], [a0].[Id], [a0].[ScopeId], [a0].[Type], [a1].[Id], [a1].[Key], [a1].[ScopeId], [a1].[Value]
FROM [ApiScopes] AS [a]
LEFT JOIN [ApiScopeClaims] AS [a0] ON [a].[Id] = [a0].[ScopeId]
LEFT JOIN [ApiScopeProperties] AS [a1] ON [a].[Id] = [a1].[ScopeId]
WHERE [a].[Name] IN (N'customers:read')
ORDER BY [a].[Id], [a0].[Id], [a1].[Id]
dbug: IdentityServer4.EntityFramework.Stores.ResourceStore[0]
Found customers:read scopes in database
fail: IdentityServer4.Validation.DefaultResourceValidator[0]
Scope customers:read not found in store.
fail: IdentityServer4.Validation.TokenRequestValidator[0]
Invalid scopes requested, {
"ClientId": "or_cust",
"ClientName": "customers mgt api",
"GrantType": "client_credentials",
"Raw": {
"CustomerId": "ZU9h1qCmyU_VCfrUEvOfsg",
"grant_type": "client_credentials",
"scope": "customers:read",
"client_id": "or_cust",
"client_secret": "***REDACTED***"
}
}
info: System.Net.Http.HttpClient.ITokenProvider.ClientHandler[101]
Received HTTP response after 1725.7136ms - BadRequest
info: System.Net.Http.HttpClient.ITokenProvider.LogicalHandler[101]
End processing HTTP request after 1725.9137ms - BadRequest
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished in 1697.027ms 400 application/json; charset=UTF-8
fail: Goomtera.Runtime.Auth.TokenProvider[0]
invalid_scope
在深入研究DefaultResourceValidator代码之后;导致此错误的原因是我添加的ApiScope未启用。验证程序通过对启用的资源应用过滤器来获取ApiResources
public virtual async Task<ResourceValidationResult> ValidateRequestedResourcesAsync(ResourceValidationRequest request)
{
if (request == null) throw new ArgumentNullException(nameof(request));
var parsedScopesResult = _scopeParser.ParseScopeValues(request.Scopes);
var result = new ResourceValidationResult();
if (!parsedScopesResult.Succeeded)
{
foreach (var invalidScope in parsedScopesResult.Errors)
{
_logger.LogError("Invalid parsed scope {scope}, message: {error}", invalidScope.RawValue, invalidScope.Error);
result.InvalidScopes.Add(invalidScope.RawValue);
}
return result;
}
var scopeNames = parsedScopesResult.ParsedScopes.Select(x => x.ParsedName).Distinct().ToArray();
var resourcesFromStore = await _store.FindEnabledResourcesByScopeAsync(scopeNames);
公共虚拟异步任务ValidateRequestedResourcesAsync(ResourceValidationRequest)
{
if(request==null)抛出新的ArgumentNullException(nameof(request));
var parsedScopesResult=\u scopeParser.ParseScopeValues(request.Scopes);
var result=新资源验证结果();
如果(!parsedScopesResult.successed)
{
foreach(parsedScopesResult.Errors中的var invalidScope)
{
_LogError(“无效的解析范围{scope},消息:{error}”,invalidScope.RawValue,invalidScope.error);
结果.InvalidScopes.Add(invalidScope.RawValue);
}
返回结果;
}
var scopeNames=parsedScopesResult.ParsedScopes.Select(x=>x.ParsedName.Distinct().ToArray();
var resourcesFromStore=await _store.FindEnabledResourcesByScopeAsync(scopeNames);
//
///按范围查找已启用的资源。
///
///商店。
///作用域名称。
///
公共静态异步任务FindEnabledResourcesByScopeAsync(此IResourceStore存储,IEnumerable scopeNames)
{
return(wait store.FindResourcesByScopeAsync(scopeNames)).FilterEnabled();
}
/// <summary>
/// Finds the enabled resources by scope.
/// </summary>
/// <param name="store">The store.</param>
/// <param name="scopeNames">The scope names.</param>
/// <returns></returns>
public static async Task<Resources> FindEnabledResourcesByScopeAsync(this IResourceStore store, IEnumerable<string> scopeNames)
{
return (await store.FindResourcesByScopeAsync(scopeNames)).FilterEnabled();
}