oauth-2.0 - Identity Server 4 - 出现 invalid_client 错误

Question

我是 Identity Server 的新手。我之前没有配置过。但我正在开展的项目需要它。

该 API 将为 Angular JS 客户端、iOS 应用程序和 Android 应用程序提供服务。我们需要实现身份验证和授权。

注意:我正在尝试在同一个 Web API 项目中配置 Identity Server 和我的 API。

我已按照文档进行操作并配置了 Identity Server，如下所示:

在startup.cs中的ConfigureServices()

        services.AddTransient<IProfileService, CustomProfileService>();
        services.AddTransient<IResourceOwnerPasswordValidator, CustomResourceOwnerPasswordValidator>();



        services.AddIdentityServer()
            .AddTemporarySigningCredential()
            // add the resources that need to be secured
            .AddInMemoryApiResources(IdentityServerConfig.Resources.GetApiResources())
            // add the clients that will be access the ApiResources
            .AddInMemoryClients(IdentityServerConfig.Clients.GetClients());

CustomProfileService 和 CustomResourceOwnerPasswordValidator 与此答案相同:https://stackoverflow.com/a/35306021/1910735

在Configure()

中

        // as this API will also be acting as an
        app.UseIdentityServer();


        // now setup the Identity Server client, this API will also be the client 

        app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
        {
            Authority = "http://localhost:44337",
            RequireHttpsMetadata = false,


            ApiName = "obApi"
        });

这是GetClients()

    public static IEnumerable<Client> GetClients()
    {
        var clients = new List<Client>();



        var websiteGrants = new List<string> { GrantType.ResourceOwnerPassword };
        var secret = new Secret("secret".Sha256());

        var websiteClient = new Client()
        {
            // we will be using Angular JS to access the API - so naming it js
            ClientId = "js",

            // just a human friendly name
            ClientName = "JavaScript Client",

            // set to GrantType.ResourceOwnerPassword - because using Username/Password to login
            AllowedGrantTypes = websiteGrants, 

            // secret for authentication
            //TODO: Change the secret 
            ClientSecrets = { secret },

            // we need to access the fhApi from Angular JS front-end 
            // fhApi is defined in Resources file as an API Resource
            AllowedScopes = { "obApi" }
        };


        clients.Add(websiteClient);

        return clients;
    }

这是GetApiResources()

    public static IEnumerable<ApiResource> GetApiResources()
    {
        // e.g. if we want to protect an API called api1 - then we will add it here
        // these values are hard coded for now - but we can get from DB, config file etc.

        return new List<ApiResource>
                        {
                            new ApiResource("obApi", "Order2Bite API")
                        };
    }

现在因为我想使用 Angular JS、iOS 和 Android，我只想从身份服务器获取访问 token ，然后使用访问 token 进行身份验证和授权。

为此，我尝试从 JS 客户端访问 /connect/token

但我收到 invalid_client 错误。

        var user = { client_id: "js", grant_type: 'password', username: "testuser", password: "testpasswrd", scope: 'obApi' };

        var urlEncodedUrl = {
            'Content-Type': 'application/x-www-form-urlencoded',
        };

        this.$http({
            method: 'POST', url: "http://localhost:44337/connect/token",
            headers: urlEncodedUrl,
            data: user,

        })
            .then(data => {
                console.log(data)
            },
            data => {
                console.log(data)

            });

我在服务器端收到的错误是“找不到客户端标识符”:

1 - 为什么我会收到此错误？

2 - 由于我需要在 JS、Android 和 iOS 中以编程方式获取 token ，因此我需要使用 /connect/token，我对此是否正确？我走的路正确吗？

Answer 1

invalid_client 错误通常意味着客户端 ID 或客户端 key 不正确。在这种情况下，您不会在对 IdentityServer 的请求中包含客户端 key 。将“client_secret: 'secret'” 添加到您的请求

更新数据:

 var user = { client_id: "js", client_secret: "secret", grant_type: 'password', username: "testuser", password: "testpasswrd", scope: 'obApi' };

或者，您不能在客户端配置中要求 ClientSecret

var websiteClient = new Client()
{
    // we will be using Angular JS to access the API - so naming it js
    ClientId = "js",

    // just a human friendly name
    ClientName = "JavaScript Client",

    // set to GrantType.ResourceOwnerPassword - because using Username/Password to login
    AllowedGrantTypes = websiteGrants,

    // secret for authentication
    //TODO: Change the secret 
    ClientSecrets = { secret },

    // Disable client secret validation
    RequireClientSecret = false,

    // we need to access the fhApi from Angular JS front-end 
    // fhApi is defined in Resources file as an API Resource
    AllowedScopes = { "obApi" }
};

这是来自 IdentityServer4 ClientSecretValidator.cs 的片段，其中包含您返回的确切错误作为证据 https://github.com/IdentityServer/IdentityServer4/blob/release/src/IdentityServer4/Validation/ClientSecretValidator.cs

var parsedSecret = await _parser.ParseAsync(context);
if (parsedSecret == null)
{
    await RaiseFailureEvent("unknown", "No client id found");

    _logger.LogError("No client identifier found");
    return fail;
}

关于获取 JS、Android 和 iOS token 的第二个问题，您可能需要考虑针对每种情况使用哪种 OpenID 授予类型。我从 IdentityServer 开发人员那里看到的一般建议是对 Web 应用程序和授权代码(或混合)流使用隐式流。你可以在这里读更多关于它的内容: http://docs.identityserver.io/en/release/topics/grant_types.html