gpt4 book ai didi

c# - ASP.NET Core 3.0 身份服务器 4 (4.0.0) SecurityTokenInvalidAudienceException : IDX10214: Audience validation failed. 受众: 'empty'

转载 作者:行者123 更新时间:2023-12-03 17:44:01 36 4
gpt4 key购买 nike

我在 postman 和 IdentityServer 4 之间不断收到以下错误

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'empty'. Did not match: validationParameters.ValidAudience: 'MyNumberV2Api' or validationParameters.ValidAudiences: 'null'.
at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateAudience(IEnumerable`1 audiences, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: BearerIdentityServerAuthenticationJwt was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'empty'. Did not match: validationParameters.ValidAudience: 'MyNumberV2Api' or validationParameters.ValidAudiences: 'null'.
IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler: Information: Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'empty'. Did not match: validationParameters.ValidAudience: 'MyNumberV2Api' or validationParameters.ValidAudiences: 'null'.
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: AuthenticationScheme: BearerIdentityServerAuthenticationJwt was challenged.
IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler: Information: AuthenticationScheme: Bearer was challenged.
Microsoft.AspNetCore.Hosting.Diagnostics: Information: Request finished in 1140.9671ms 401
The program '[12792] iisexpress.exe: Program Trace' has exited with code 0 (0x0).
The program '[12792] iisexpress.exe' has exited with code -1 (0xffffffff)..
  • 在我的身份服务器 Startup.cs
  •  public void ConfigureServices(IServiceCollection services)
    {
    services.AddIdentityServer(
    options => {
    options.Events.RaiseErrorEvents = true;
    options.Events.RaiseInformationEvents = true;
    options.Events.RaiseFailureEvents = true;
    options.Events.RaiseSuccessEvents = true;
    options.IssuerUri = "http://localhost:5000";
    }
    )
    .AddDeveloperSigningCredential()
    .AddInMemoryApiResources(Config.GetAllApiResources())
    .AddInMemoryClients(Config.GetClients())
    //.AddInMemoryIdentityResources(Config.GetIdentityResources())
    .AddInMemoryApiScopes(Config.GetApiScopes());
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
    if (env.IsDevelopment())
    {
    app.UseDeveloperExceptionPage();
    }
    app.UseIdentityServer();
    app.UseRouting();

    app.UseEndpoints(endpoints =>
    {
    endpoints.MapGet("/", async context =>
    {
    await context.Response.WriteAsync("Hello World!");
    });
    });
    }
  • 这是我的 API 的 startup.cs
  • 的核心
     public void ConfigureServices(IServiceCollection services)
    {

    services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication(options =>
    {
    options.Authority = "http://localhost:5000";
    options.RequireHttpsMetadata = false;
    options.ApiName = "MyNumberV2Api";
    });
    #region AddAuthentication

    services.AddDbContext<MyNumberV2.Data.MyNumberV2Context>(options =>
    options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

    IdentityModelEventSource.ShowPII = true;

    services.AddScoped<IAdminUserRepository, AdminUserRepository>();

    services.AddCors(options =>
    {
    options.AddPolicy("Open", builder => builder.AllowAnyOrigin().AllowAnyHeader());
    });
    services.AddMvcCore();
    services.AddControllers();
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
    if (env.IsDevelopment())
    {
    app.UseDeveloperExceptionPage();
    }

    app.UseHttpsRedirection();

    app.UseRouting();

    app.UseAuthorization();

    app.UseAuthentication();

    app.UseCors("Open");

    app.UseEndpoints(endpoints =>
    {
    endpoints.MapControllers();
    });
  • 这是我的完整解决方案代码的公共(public)仓库:https://github.com/zachion/blazor-auth
  • 这是我在 postman 中生成身份验证 token 的方式:
    enter image description here
  • 这是我获取 token 的请求的正文部分,我在其中添加了 资助类型和
    范围
    .
    enter image description here
  • 我从响应中获取 token 并将其添加到后续请求中以尝试访问实际的 api Controller 。
  • 这是我在 postman 中添加身份验证 token 的方法。发行 token 工作正常
    enter image description here
  • 这是我使用的完整 postman 集合:

  • {
    "info": {
    "_postman_id": "089a85df-ae4b-41c3-8d1e-9d2e4ff8f7c8",
    "name": "MYNumberV2.Api Copy",
    "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
    },
    "item": [
    {
    "name": "Generate Tokent API One",
    "request": {
    "auth": {
    "type": "basic",
    "basic": [
    {
    "key": "password",
    "value": "secret",
    "type": "string"
    },
    {
    "key": "username",
    "value": "client",
    "type": "string"
    }
    ]
    },
    "method": "POST",
    "header": [],
    "body": {
    "mode": "urlencoded",
    "urlencoded": [
    {
    "key": "grant_type",
    "value": "client_credentials",
    "type": "text"
    },
    {
    "key": "scope",
    "value": "MyNumberV2Api",
    "type": "text"
    }
    ],
    "options": {
    "urlencoded": {}
    }
    },
    "url": {
    "raw": "http://localhost:5000/connect/token",
    "protocol": "http",
    "host": [
    "localhost"
    ],
    "port": "5000",
    "path": [
    "connect",
    "token"
    ]
    }
    },
    "response": []
    },
    {
    "name": "api/adminuser",
    "protocolProfileBehavior": {
    "disableBodyPruning": true
    },
    "request": {
    "auth": {
    "type": "noauth"
    },
    "method": "GET",
    "header": [
    {
    "key": "Authorization",
    "type": "text",
    "value": "Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjNENDZERDNFQ0NGNTNCNkMyNEZEMjlFOUEzQzE2RjVDIiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE1OTM0NTQyNTQsImV4cCI6MTU5MzQ1Nzg1NCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiY2xpZW50X2lkIjoiY2xpZW50IiwianRpIjoiQ0QxQzY5QzVGRkI0MTA0RDU5MTUwNERFQkI0MkI3NjgiLCJpYXQiOjE1OTM0NTQyNTQsInNjb3BlIjpbIk15TnVtYmVyVjJBcGkiXX0.xvAs-IYh_sh8RmpNOcy4Rl78Jv2L2-vPE7FYeEVqxES2HBoTEEgPT7uV5MiZrVeK1OaLOrkERzZ4druHrBtKgaeJ-BoC_IUt5Lp_otnJVbmCgGtrPXk8RMKcZguvxQsJdD5rqHLNZaN07kMNQEmmAprSAPpixtErzMK5DEmaAee2PNi430AyiZnObYbUBm_07Un5_6cjpOSFltjzsABBOzsbWfXIbXwvynCUVEiN5_mHhhjgocPcvlzrHdDtUi_PbdBk_hhtouTlveIaCTyNGdhfR4JCTJjO069hVVCXHScrekjNPeRSC4eOFEesmdG-4IbPKWBLsKldc1SrC1DE-w"
    }
    ],
    "body": {
    "mode": "urlencoded",
    "urlencoded": [
    {
    "key": "grant_type",
    "value": "client_credentials",
    "type": "text",
    "disabled": true
    },
    {
    "key": "scope",
    "value": "MyNumberV2Api",
    "type": "text",
    "disabled": true
    }
    ],
    "options": {
    "urlencoded": {}
    }
    },
    "url": {
    "raw": "http://localhost:44340/api/adminuser",
    "protocol": "http",
    "host": [
    "localhost"
    ],
    "port": "44340",
    "path": [
    "api",
    "adminuser"
    ]
    },
    "description": "https://localhost:44340/api/adminuser"
    },
    "response": []
    },
    {
    "name": "api/adminuserdetail/1",
    "request": {
    "method": "GET",
    "header": [],
    "url": {
    "raw": "http://localhost:44340/api/adminuserdetail/1",
    "protocol": "http",
    "host": [
    "localhost"
    ],
    "port": "44340",
    "path": [
    "api",
    "adminuserdetail",
    "1"
    ]
    },
    "description": "https://localhost:44340/api/adminuser"
    },
    "response": []
    }
    ],
    "protocolProfileBehavior": {}
    }

    最佳答案

    您的代码中有 2 个问题,我从简单的一个开始修复:

  • 在您的 API's startup class 上,将 app.UseAuthentication(); 移动到 app.UseAuthorization(); 之前。正确的顺序对安全至关重要。阅读更多 here 。类似问题 here
  • 第二个问题是,在 API 上,您要求观众 = MyNumberV2Api 但如果您在 https://jwt.ms/ 上检查当前 token ,则 token 中没有 aud 作为 MyNumberV2Api。阅读更多 here 。为了解决这个问题,我们有两个选择:
    2.1。更改 API 以删除受众验证。要在 API 启动类上执行此操作,请使用 AddJwtBearer 而不是 AddIdentityServerAuthentication 并设置 ValidateAudience = false 。更改后的代码是这样的:
    services.AddAuthentication("Bearer").AddJwtBearer("Bearer",
    options =>
    {
    options.Authority = "http://localhost:5000";
    options.Audience = "MyNumberV2Api";
    options.RequireHttpsMetadata = false;

    options.TokenValidationParameters = new
    TokenValidationParameters()
    {
    ValidateAudience = false
    };
    });
    2.2.将受众添加到 token 。在 IdentityServer - Config.cs 上,将范围添加到 API 资源:
    return new List<ApiResource>()
    {
    new ApiResource("MyNumberV2Api","Customer API for MyNumberV2")
    {
    Scopes = new []{ "MyNumberV2Api" }
    },
    new ApiResource("ApiOne","Customer API for MyNumberV2"),
    new ApiResource("ApiTwo","Customer API for MyNumberV2")
    };

    在此更改之后,如果您重新生成 token ,则会有一个属性为 aud ,其值为 MyNumberV2Api 。检查 https://jwt.ms/ 上的 token

  • 我建议您先在 http 上测试所有内容,然后再在 https 上尝试。对于 http,您可能需要删除代码中的 app.UseHttpsRedirection(); 并清理 launchSettings.json 以删除 https URLS 并确保 "sslPort": 0

    关于c# - ASP.NET Core 3.0 身份服务器 4 (4.0.0) SecurityTokenInvalidAudienceException : IDX10214: Audience validation failed. 受众: 'empty',我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/62645604/

    36 4 0
    Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
    广告合作:1813099741@qq.com 6ren.com