JavaScript OIDC client keeps refreshing with manually supplied JWK signing keys


Because of CORS issues, I have to configure the oidc settings manually in order to fetch the signing keys.

Here is my configuration:

```typescript
getClientSettings(configuration: IOpenIdOptions): UserManagerSettings {
  return {
    authority: configuration.authority + '/',
    client_id: configuration.clientId,
    redirect_uri: configuration.redirectUri,
    post_logout_redirect_uri: configuration.redirectUri,
    response_type: configuration.responseType, // "id_token token"
    scope: "openid profile email " + configuration.apiResourceId,
    filterProtocolClaims: true,
    loadUserInfo: false,
    automaticSilentRenew: true,
    monitorSession: true,
    silent_redirect_uri: configuration.silentRedirectUri,
    accessTokenExpiringNotificationTime: 20, // default 60
    checkSessionInterval: 5000, // default 2000
    silentRequestTimeout: 20000, // default 10000
    // When CORS is disabled, the token signing keys cannot be retrieved from the
    // authority, so the metadata and the signing-keys URI are supplied by hand for Okta auth
    metadata: {
      jwks_uri: configuration.jwksUri,
      authorization_endpoint: `${configuration.authority}/v1/authorize`,
      issuer: configuration.authority
    },
  };
}
```

App settings configuration values:

```json
"openId": {
  "authority": "https://dev-166545.okta.com/oauth2/xxxxxxxxxxxxxxxxxxxxxxxxx",
  "clientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "apiResourceId": "xxxxxxxxxxxxxxxxxxxxxx",
  "redirectUri": "https://localhost:44307/auth-callback",
  "silentRedirectUri": "https://localhost:44307/assets/silent-renew.html",
  "responseType": "id_token token",
  "jwksUri": "https://localhost:44307/api/v1/system/jwksSigningKeys"
}
```

Since jwksUri points to the API server URL, I am able to get the values from the API. If I put a JSON file directly in the frontend, the UI works fine, but if I point it at the server API it refreshes again and gets

The response I get from the OIDC client is as follows:

This is the response from the server API (the JSON block shown at the end of this post).

API code:

```csharp
/// <summary>
/// Gets the Secrets Vaults Values
/// </summary>
/// <returns></returns>
[HttpGet("jwksSigningKeys")]
[AllowAnonymous]
public async Task<IActionResult> GetJwksSigningKeys()
{
    using (var httpClient = new HttpClient())
    {
        // Fetch the JWKS document from Okta and pass the JSON text back as a string value
        var json = await httpClient.GetStringAsync("https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/v1/keys");
        return Ok(json);
    }
}
```

In the UI, the oidc client expects to receive a JavaScript object. Maybe check the API's response with:

  • `console.log(typeof apiResponse)`

It feels like the Content-Type header is wrong and the oidc client receives a raw string.

PS. Totally agree with mackie's comment - this is how SPAs work.

Are you able to allow the client origin in the CORS configuration? That seems the simplest solution.
Server API response (the JSON referenced in the question above):

```json
{
    "keys": [
        {
            "kty": "RSA",
            "alg": "RS256",
            "kid": "uo94e9FNT0uR2GsvS_DgcukxKCn9I0tlj4Co6dCWEEQ",
            "use": "sig",
            "e": "AQAB",
            "n": "pbnO8pzSDl_i2d84K8SXq34bt82e7MMagYT_pRgiBXmXqOYYoncqNFPLJtwabiDnPCN5g4RaPFaKSsHu18bwPSP8r1Yxqr9RZYKAFs8hf8C9h4MCcOfrOp7yc9LBMsf6APzg5d0KckjrfHFMy-UiiYgXvLC03xkojBvOGb8a7Tl9dwJC7iqu93YEHVCIArqYqJG3Y2p6KYD_knbq42AyQOZJ6-biIeqQ650mNJ3nJkhuJvZIKYIH70uNVO12W0o8hdzkiYaNCvolxI6O24Y-rb9OuvzkGsoT00CGgh9xUicqj52B_6dmMKc8Okr26QcIvfhK4ZGBQmm44ueFMaMP7w"
        },
        {
            "kty": "RSA",
            "alg": "RS256",
            "kid": "QgGjBI2Y9168xUoTBP8UDzie8Qtl1BoIYRVAcuMFQOM",
            "use": "sig",
            "e": "AQAB",
            "n": "sTGWJbTBe0tI2LnuDX4gbs-SXWiwtHTbVTbHtXz1QgKpJYr2Zejrwf-AwPfC3CGsDvNWG7TwTYjwlDmIeCRbnlitNmY3BQ-dhQRwKD5qxuEYhaMTXJlb_VEwJR8nknyLpJoHtpXZ03kXeWSJUSiyy--3I680J37gmI-P7M0YOOfACNFIy81-EzPfkqXbZgOuq-4XHh996vVkWnvIc39_5VXELxJVnnmJMokvLT7eDp1RHL3khcR-L71IvZl3wuJFy6Gxzdemdd8yNLoSMtCw41AcV_eJDNNSGPrE-IuBaflqdk8KvnyFSA0NtaFrNDzWNlS5GlT4ph6Bgrgaclmp7Q"
        }
    ]
}
```
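The answer's diagnosis (the proxied JWKS arrives as a raw string, so the client never finds a `keys` array) can be reproduced in isolation. The following is an added example, not code from the question, the answer or oidc-client: it mimics the kid lookup an OIDC client does against a JWKS, shows the lookup failing on a string body, and shows the normalisation that makes it work. The JWKS and the token are constructed; only the two `kid` values come from the question, and `Buffer` assumes Node.

```javascript
// Constructed JWKS: the two kid values are from the question's Okta response;
// the RSA parameters are omitted because only kid matching is shown here.
const JWKS_FROM_API = {
  keys: [
    { kty: "RSA", alg: "RS256", use: "sig", kid: "uo94e9FNT0uR2GsvS_DgcukxKCn9I0tlj4Co6dCWEEQ" },
    { kty: "RSA", alg: "RS256", use: "sig", kid: "QgGjBI2Y9168xUoTBP8UDzie8Qtl1BoIYRVAcuMFQOM" },
  ],
};

// base64url helpers (Node Buffer assumed)
const b64url = (s) =>
  Buffer.from(s, "utf8").toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s) =>
  Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");

// Constructed, unsigned JWT whose header names the first kid above; the
// signature segment is a placeholder, so this token cannot be verified.
const SAMPLE_TOKEN =
  `${b64url(JSON.stringify({ kid: JWKS_FROM_API.keys[0].kid, alg: "RS256" }))}.${b64url("{}")}.placeholder`;

// What a client gets when the proxy hands back the JWKS as a string value:
// `.keys` on a string is undefined, so no signing keys are found.
function keysOf(body) {
  return Array.isArray(body && body.keys) ? body.keys : null;
}

// Accept either a parsed object or a JSON string and return a usable JWKS;
// anything that is not a { keys: [...] } document is rejected.
function normalizeJwks(body) {
  const doc = typeof body === "string" ? JSON.parse(body) : body;
  if (!keysOf(doc)) throw new Error("JWKS response has no keys array");
  return doc;
}

// Decode the JOSE header (first segment) without verifying the signature.
function decodeJwtHeader(token) {
  const [head] = token.split(".");
  return JSON.parse(fromB64url(head));
}

// Select the key a client would use: matching kid, marked for signing, and
// with an alg compatible with the token header. Returns null if none matches.
function findSigningKey(jwks, token) {
  const header = decodeJwtHeader(token);
  const key = normalizeJwks(jwks).keys.find(
    (k) => k.kid === header.kid && k.use === "sig" && (!k.alg || k.alg === header.alg)
  );
  return key || null;
}
```

Pointing the proxy at this check is also a quick way to confirm the server-side fix: once the endpoint returns an object (or the client parses the string), `findSigningKey` resolves the kid from the token header.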