私はIdentityServer4を起動しています。私は今、今、認証しようとすると、私は次のエラーを取得する:IdentityServer4: "サブ"スコープはどうですか?
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token
fail: IdentityServer4.Validation.ScopeValidator[0]
Requested scope not allowed: sub
私は/.well-known/openid-configuration/からオープンIDの文書を取得すると、私はサポート範囲として取得:
["address","phone","openid","email","profile","api1","offline_access"]
supported_scopeに「サブ」スコープはありません。私は、起動時に次のことを試してみました
{"issuer":"http://localhost:5000","jwks_uri":"http://localhost:5000/.well-known/openid-configuration/jwks","authorization_endpoint":"http://localhost:5000/connect/authorize","token_endpoint":"http://localhost:5000/connect/token","userinfo_endpoint":"http://localhost:5000/connect/userinfo","end_session_endpoint":"http://localhost:5000/connect/endsession","check_session_iframe":"http://localhost:5000/connect/checksession","revocation_endpoint":"http://localhost:5000/connect/revocation","introspection_endpoint":"http://localhost:5000/connect/introspect","frontchannel_logout_supported":true,"frontchannel_logout_session_supported":true,"scopes_supported":["openid","address","phone","openid","email","profile","api1","offline_access"],"claims_supported":["sub","address","phone_number","phone_number_verified","email","email_verified","name","family_name","given_name","middle_name","nickname","preferred_username","profile","picture","website","gender","birthdate","zoneinfo","locale","updated_at"],"response_types_supported":["code","token","id_token","id_token token","code id_token","code token","code id_token token"],"response_modes_supported":["form_post","query","fragment"],"grant_types_supported":["authorization_code","client_credentials","refresh_token","implicit","password"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post"],"code_challenge_methods_supported":["plain","S256"]}
:ここ
は完全な設定文書で次のように
app.UseIdentity();
app.UseIdentityServer();
var allowedScopes = new []{"address","phone","email","profile","api1","offline_access", "sub"};
var identityAuthOptions = new IdentityServerAuthenticationOptions();
identityAuthOptions.AllowedScopes = allowedScopes;
identityAuthOptions.AutomaticAuthenticate = true;
identityAuthOptions.AutomaticChallenge = true;
app.UseIdentityServerAuthentication(identityAuthOptions);
IdentityServerのための私の構成が見えます:
services.AddIdentityServer()
.AddTemporarySigningCredential()
.AddAspNetIdentity<ApplicationUser>()
.AddOperationalStore(options =>
options.UseSqlite(Configuration.GetConnectionString("PersistedGrants"),
builder => builder.MigrationsAssembly(Assembly.GetEntryAssembly().FullName)))
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients())
.AddTestUsers(Config.GetUsers())
.AddInMemoryIdentityResources(Config.GetIdentityResources());
services.AddIdentity<ApplicationUser, IdentityRole>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();
Configクラスはこれです:
public class Config
{
// scopes define the resources in your system
public static IEnumerable<IdentityResource> GetIdentityResources()
{
return new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Address(),
new IdentityResources.Phone(),
new IdentityResources.OpenId(),
new IdentityResources.Email(),
new IdentityResources.Profile()
};
}
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource("api1", "Main API", new[]{ "sub" })
};
}
// clients want to access resources (aka scopes)
public static IEnumerable<Client> GetClients()
{
// client credentials client
return new List<Client>
{
new Client
{
ClientId = "actionCommunity",
AllowPlainTextPkce = true,
AlwaysSendClientClaims = true,
AllowRememberConsent = true,
AlwaysIncludeUserClaimsInIdToken = true,
AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials,
RedirectUris = {
"http://localhost:3333/login-success",
"http://localhost:3000/login-success",
"http://localhost:3000/auth.html"
},
AllowAccessTokensViaBrowser = true,
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedScopes = {
"api1", "sub",
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.OfflineAccess,
IdentityServerConstants.StandardScopes.Address,
IdentityServerConstants.StandardScopes.Email,
IdentityServerConstants.StandardScopes.Phone,
IdentityServerConstants.StandardScopes.Profile,
},
AllowOfflineAccess = true
}
};
}
public static List<TestUser> GetUsers()
{
return new List<TestUser>
{
new TestUser
{
SubjectId = "1",
Username = "testUser",
Password = "testPassword",
Claims = new List<Claim>
{
new Claim("name", "Testuser"),
new Claim("website", "https://www.testuser.de")
}
},
new TestUser
{
SubjectId = "2",
Username = "bob",
Password = "password",
Claims = new List<Claim>
{
new Claim("name", "Bob"),
new Claim("website", "https://bob.com")
}
}
};
}
}
だから私は何をしようと、私は奇妙な 'サブ'スコープを得ることができません。
誰でも私を助けることができますか?
さて、私は正午にそれを試してみます。このコードスニペットはサブクレームを追加しますか?このサブクレームは何ですか、それは何ですか? –
サブクレームについて@Scott Bradyからのコメントを参照してください。スコープまたはリソースのUserClaimを設定することで追加できます。 'UserClaims = {JwtClaimTypes.Subject}、' –