Openiddict 自省(introspection)不起作用(访问 token 无效。)

Question

我有 3 个项目，1-SPA，2-Web API 项目，3-Identity(使用 openiddict 设置，ASP.NET Core 2.0(OpenIddict.dll 版本 2.0.0.-rc2-0854)和 EF Core。

API 和 Identity Server 运行成功，可以获取 jwt token ，但是，当我尝试从具有授权属性的 API 方法获取值时，出现错误:

WWW-Authenticate →Bearer error="invalid_token", error_description="The access token is not valid." 

在 Application Insights 中，可以看到 POST/connect/introspect 被调用，结果依赖结果代码:500 和依赖代码:Http

相同的代码以前工作过，不确定哪些更改会破坏内省(introspection)。

API项目中的配置

 services.AddAuthentication(options =>
        {
            options.DefaultScheme = OAuthIntrospectionDefaults.AuthenticationScheme;
        })
          .AddOAuthIntrospection(options =>
          {
              options.Authority = new Uri("http://localhost:49888");
              options.ClientId = "my-resource-server";
              options.ClientSecret = "ClientSecret";
              options.RequireHttpsMetadata = false;
          });
        services.AddCors();           
        services.AddMvc()
            .AddJsonOptions(options =>
             {
                 options.SerializerSettings.Formatting = Formatting.None;
             });

授权方法

  [HttpGet("GetData/{Id}")]
    [Authorize(AuthenticationSchemes = OAuthIntrospectionDefaults.AuthenticationScheme)]
    [Authorize(Roles = "Admin")]
    public IActionResult GetData(int courseId)
    {
 }

在身份项目中连接/内省(introspection)

  private async Task<AuthenticationTicket> CreateTicketAsync(OpenIdConnectRequest request, UserInfo user)
    {
        UserInfo userInfo = await _userRepository.GetUserByCredentials(request.Username, request.Password);

        if (userInfo == null)
        {
            return null;
        }

        // Create a new ClaimsIdentity holding the user identity.
        var identity = new ClaimsIdentity(
            OpenIdConnectServerDefaults.AuthenticationScheme,
            OpenIdConnectConstants.Claims.Name,
             OpenIdConnectConstants.Claims.Role
           );

        // Add a "sub" claim containing the user identifier, and attach
        // the "access_token" destination to allow OpenIddict to store it
        // in the access token, so it can be retrieved from your controllers.
        identity.AddClaim(OpenIdConnectConstants.Claims.Subject,
            user.UserId.ToString(),
            OpenIdConnectConstants.Destinations.AccessToken);
        identity.AddClaim(OpenIdConnectConstants.Claims.Name, user.Name,
            OpenIdConnectConstants.Destinations.AccessToken);

        identity.AddClaim(OpenIdConnectConstants.Claims.Role, user.Role,
           OpenIdConnectConstants.Destinations.AccessToken);

        // ... add other claims, if necessary.
        var principal = new ClaimsPrincipal(identity);

        // Create a new authentication ticket holding the user identity.
        var ticket = new AuthenticationTicket(principal,
            new Microsoft.AspNetCore.Authentication.AuthenticationProperties(),
            OpenIdConnectServerDefaults.AuthenticationScheme);

.
.

Answer 1

从 RC2 开始，OpenIddict 可以正式用于第三方应用程序(即您不拥有的客户端)。因此，我们不能再假设所有注册的应用程序都是合法的并且可以自由地反省代币。

为了使事情明确，您现在必须指定能够内省(introspection) token 的客户端标识符列表。为此，请在创建票证时添加以下代码:

var ticket = new AuthenticationTicket(
    new ClaimsPrincipal(identity),
    new AuthenticationProperties(),
    OpenIdConnectServerDefaults.AuthenticationScheme);

ticket.SetResources("tracking_api", "marketing_api");

资源必须与使用自省(introspection)处理程序分配给资源服务器的 client_id 完全匹配:

services.AddAuthentication()
    .AddOAuthIntrospection(options =>
    {
        options.Authority = new Uri("http://localhost:12345/");
        options.ClientId = "marketing_api";
        options.ClientSecret = "846B62D0-DEF9-4215-A99D-86E6B8DAB342";
        options.RequireHttpsMetadata = false;
    });

https://openiddict.github.io/openiddict-documentation/guide/migration.html#if-your-authorization-server-uses-introspection-make-sure-resources-are-set-in-the-authentication-ticket