JavaScript OIDC client keeps refreshing with manual JWK signing keys

Due to CORS issues, I had to configure the oidc settings manually to fetch the signing keys. Here is my setup:
getClientSettings(configuration: IOpenIdOptions): UserManagerSettings {
    return {
        authority: configuration.authority + '/',
        client_id: configuration.clientId,
        redirect_uri: configuration.redirectUri,
        post_logout_redirect_uri: configuration.redirectUri,
        response_type: configuration.responseType, // "id_token token",
        scope: "openid profile email " + configuration.apiResourceId,
        filterProtocolClaims: true,
        loadUserInfo: false,
        automaticSilentRenew: true,
        monitorSession: true,
        silent_redirect_uri: configuration.silentRedirectUri,
        accessTokenExpiringNotificationTime: 20, // default 60
        checkSessionInterval: 5000, // default 2000
        silentRequestTimeout: 20000, // default: 10000
        // When CORS is disabled, token signing keys cannot be retrieved
        // Manually supply the metadata and signingKeys for Okta auth
        metadata: {
            jwks_uri: configuration.jwksUri,
            authorization_endpoint: `${configuration.authority}/v1/authorize`,
            issuer: configuration.authority
        },
    };
}
appsettings configuration values:
"openId": {
    "authority": "https://dev-166545.okta.com/oauth2/xxxxxxxxxxxxxxxxxxxxxxxxx",
    "clientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "apiResourceId": "xxxxxxxxxxxxxxxxxxxxxx",
    "redirectUri": "https://localhost:44307/auth-callback",
    "silentRedirectUri": "https://localhost:44307/assets/silent-renew.html",
    "responseType": "id_token token",
    "jwksUri": "https://localhost:44307/api/v1/system/jwksSigningKeys"
}
Because the jwksUri points to the API server URL, I am able to get the values from the API. If I put a json file directly in the front end, the UI works perfectly, but if I point it at the server API it refreshes again and gets

The response I get from the OIDC client is as follows:
This is the response from the server API:

{
    "keys": [
        {
            "kty": "RSA",
            "alg": "RS256",
            "kid": "uo94e9FNT0uR2GsvS_DgcukxKCn9I0tlj4Co6dCWEEQ",
            "use": "sig",
            "e": "AQAB",
            "n": "pbnO8pzSDl_i2d84K8SXq34bt82e7MMagYT_pRgiBXmXqOYYoncqNFPLJtwabiDnPCN5g4RaPFaKSsHu18bwPSP8r1Yxqr9RZYKAFs8hf8C9h4MCcOfrOp7yc9LBMsf6APzg5d0KckjrfHFMy-UiiYgXvLC03xkojBvOGb8a7Tl9dwJC7iqu93YEHVCIArqYqJG3Y2p6KYD_knbq42AyQOZJ6-biIeqQ650mNJ3nJkhuJvZIKYIH70uNVO12W0o8hdzkiYaNCvolxI6O24Y-rb9OuvzkGsoT00CGgh9xUicqj52B_6dmMKc8Okr26QcIvfhK4ZGBQmm44ueFMaMP7w"
        },
        {
            "kty": "RSA",
            "alg": "RS256",
            "kid": "QgGjBI2Y9168xUoTBP8UDzie8Qtl1BoIYRVAcuMFQOM",
            "use": "sig",
            "e": "AQAB",
            "n": "sTGWJbTBe0tI2LnuDX4gbs-SXWiwtHTbVTbHtXz1QgKpJYr2Zejrwf-AwPfC3CGsDvNWG7TwTYjwlDmIeCRbnlitNmY3BQ-dhQRwKD5qxuEYhaMTXJlb_VEwJR8nknyLpJoHtpXZ03kXeWSJUSiyy--3I680J37gmI-P7M0YOOfACNFIy81-EzPfkqXbZgOuq-4XHh996vVkWnvIc39_5VXELxJVnnmJMokvLT7eDp1RHL3khcR-L71IvZl3wuJFy6Gxzdemdd8yNLoSMtCw41AcV_eJDNNSGPrE-IuBaflqdk8KvnyFSA0NtaFrNDzWNlS5GlT4ph6Bgrgaclmp7Q"
        }
    ]
}

API code:

/// <summary>
/// Gets the Secrets Vaults Values
/// </summary>
/// <returns></returns>
[HttpGet("jwksSigningKeys")]
[AllowAnonymous]
public async Task<IActionResult> GetJwksSigningKeys()
{
    using (var httpClient = new HttpClient())
    {
        var json = await httpClient.GetStringAsync("https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/v1/keys");
        return Ok(json);
    }
}

In the UI, the oidc client expects to receive a JavaScript object. Perhaps check the API's response with:

- console.log(typeof apiResponse)

PS. Totally agree with mackie's comment: this is how SPAs work. Are you able to allow the client origin in the CORS configuration? That seems like the simplest fix.
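As an added example (not code from the question or the answer), here is a TypeScript check a practitioner could run over the proxied JWKS response before handing it to oidc-client: it detects the case the answer hints at, where the body parsed from the API is a string rather than an object (the JWKS serialised once by the proxy and once more as a JSON string literal), re-parses it, and keeps only RSA signing keys. The key ids and moduli in the sample are constructed placeholders, not the Okta keys from the question.

```typescript
// Added example, not code from the question or the answer: normalise and validate a
// JWKS document before handing it to the OIDC client. It covers the case where the
// proxy endpoint returns the JWKS as a JSON string literal rather than an object,
// so the client's JSON.parse(responseText) yields a string instead of a document.

interface Jwk { kty: string; kid: string; use?: string; alg?: string; n?: string; e?: string; }
interface Jwks { keys: Jwk[]; }

// Constructed sample: key ids and moduli are placeholders, not real Okta keys.
const SAMPLE_JWKS: Jwks = {
  keys: [
    { kty: "RSA", alg: "RS256", kid: "sig-key-1", use: "sig", e: "AQAB", n: "placeholder-modulus-1" },
    { kty: "RSA", alg: "RS256", kid: "sig-key-2", use: "sig", e: "AQAB", n: "placeholder-modulus-2" },
    { kty: "RSA", kid: "enc-key", use: "enc", e: "AQAB", n: "placeholder-modulus-3" },
  ],
};

// What a server sends when it serialises an already-serialised string: a JSON string literal.
const DOUBLE_ENCODED_BODY: string = JSON.stringify(JSON.stringify(SAMPLE_JWKS));

// True only for RSA keys that carry a kid and are not restricted to encryption.
function isRsaSigningKey(k: unknown): k is Jwk {
  if (typeof k !== "object" || k === null) return false;
  const key = k as Record<string, unknown>;
  return key["kty"] === "RSA" && typeof key["kid"] === "string" &&
    typeof key["n"] === "string" && typeof key["e"] === "string" &&
    (key["use"] === undefined || key["use"] === "sig");
}

// Takes the body after one JSON.parse. A string means it was double-encoded, so parse again.
function normalizeJwks(body: unknown): Jwks {
  const doc: unknown = typeof body === "string" ? JSON.parse(body) : body;
  if (typeof doc !== "object" || doc === null) throw new Error("JWKS response is not a JSON object");
  const keys = (doc as Record<string, unknown>)["keys"];
  if (!Array.isArray(keys)) throw new Error("JWKS response has no keys array");
  const signingKeys = keys.filter(isRsaSigningKey);
  if (signingKeys.length === 0) throw new Error("JWKS contains no RSA signing keys");
  return { keys: signingKeys };
}

// Mirrors the client: parse the HTTP body once, then normalise whatever came out.
function loadJwksFromBody(responseText: string): Jwks {
  return normalizeJwks(JSON.parse(responseText));
}

// Look up the key named by a token header's kid; undefined means the token cannot be verified.
function findKey(jwks: Jwks, kid: string): Jwk | undefined {
  return jwks.keys.find((k) => k.kid === kid);
}
```

Running `loadJwksFromBody` on both a plain and a double-encoded body yields the same two signing keys, while a body that is not a JWKS document is rejected instead of being passed on to the token validator.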