При использовании IdentityServer4 я получаю «Требуется проверка кода»

Question

Я пытаюсь перенаправить на IdentityServer для авторизации и получаю «вызов кода требуется» в URL перенаправления.

В сообщении об ошибке отображается invalid_request с требованием вызова кода, а также мое перенаправление url http://localhost: 44367 / signin-oidc # error = invalid_request & error_description = code% 20challenge% 20required & state = CfDJ8Cq6lLUEMhZLqMhFVN

Вот моя конфигурация клиента:

namespace TestClient
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.Configure<CookiePolicyOptions>(options =>
            {
                // This lambda determines whether user consent for non-essential cookies is needed for a given request.
                options.CheckConsentNeeded = context => true;
                options.MinimumSameSitePolicy = SameSiteMode.None;
            });

            services.AddControllersWithViews();

            ConfigureIdentityServer(services);
            services.AddCors();
        }

        private void ConfigureIdentityServer(IServiceCollection services)
        {
            var builder = services.AddAuthentication(options => SetAuthenticationOptions(options));
            services.AddMvcCore()
                .AddAuthorization();

            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_3_0);

            builder.AddCookie();
            builder.AddOpenIdConnect(options => SetOpenIdConnectOptions(options));
        }

        private void SetAuthenticationOptions(AuthenticationOptions options)
        {
            options.DefaultScheme = Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectDefaults.AuthenticationScheme;
        }

        private void SetOpenIdConnectOptions(OpenIdConnectOptions options)
        {
            options.Authority = "https://localhost:44346";
            options.ClientId = "TestIdentityServer";
            options.RequireHttpsMetadata = false;
            options.Scope.Add("profile");
            options.Scope.Add("openid");
            options.Scope.Add("TestIdentityServer");
            options.ResponseType = "code id_token";
            options.SaveTokens = true;
            options.ClientSecret = "0b4168e4-2832-48ea-8fc8-7e4686b3620b";
        }


        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.

            }
            app.UseHsts();
            app.UseHttpsRedirection();
            app.UseStaticFiles();

            app.UseCors(builder => builder
                .AllowAnyOrigin()
                .AllowAnyHeader()
                .AllowAnyMethod()
            );

            app.UseCookiePolicy();
            app.UseRouting();

            app.UseAuthentication();

            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllerRoute(
                    name: "default",
                    pattern: "{controller=Home}/{action=Index}/{id?}");
            });
        }
    }
}

1012 *1011* 101 вот моя конфигурация IdentityService4

  public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;

        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            IdentityModelEventSource.ShowPII = true;
            services.AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlServer(
                    Configuration.GetConnectionString("DefaultConnection")));
            services.AddDefaultIdentity<IdentityUser>(options => options.SignIn.RequireConfirmedAccount = true)
                .AddEntityFrameworkStores<ApplicationDbContext>();
            services.AddControllersWithViews();
            services.AddRazorPages();

            services.AddMvc().SetCompatibilityVersion(Microsoft.AspNetCore.Mvc.CompatibilityVersion.Version_3_0);
            services.Configure<IISOptions>(iis =>
            {
                iis.AuthenticationDisplayName = "Windows";
                iis.AutomaticAuthentication = false;
            });

            var builder = services.AddIdentityServer(options =>
            {
                options.Events.RaiseErrorEvents = true;
                options.Events.RaiseInformationEvents = true;
                options.Events.RaiseFailureEvents = true;
                options.Events.RaiseSuccessEvents = true;
            });
            // this adds the config data from DB (clients, resources)

            builder.AddInMemoryIdentityResources(Configuration.GetSection("IdentityResources"));
            builder.AddInMemoryApiResources(Configuration.GetSection("ApiResources"));
            builder.AddInMemoryClients(Configuration.GetSection("clients"));

            services.AddAuthentication();
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                app.UseDatabaseErrorPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.

            }
            app.UseHsts();
            app.UseHttpsRedirection();
            app.UseStaticFiles();

            app.UseRouting();
            app.UseIdentityServer();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllerRoute(
                    name: "default",
                    pattern: "{controller=Home}/{action=Index}/{id?}");
                endpoints.MapRazorPages();
            });
        }
    }

и настройки приложений. json

"IdentityResources": [
    {
      "Name": "openid",
      "DisplayName": "Your user identifier",
      "Required": true,
      "UserClaims": [
        "sub"
      ]
    },
    {
      "Name": "profile",
      "DisplayName": "User profile",
      "Description": "Your user profile information (first name, last name, etc.)",
      "Emphasize": true,
      "UserClaims": [
        "name",
        "family_name",
        "given_name",
        "middle_name",
        "preferred_username",
        "profile",
        "picture",
        "website",
        "gender",
        "birthdate",
        "zoneinfo",
        "locale",
        "updated_at"
      ]
    }
  ],

  "ApiResources": [
    {
      "Name": "TestIdentityServer",
      "DisplayName": "TestIdentityServer API Services",
      "Scopes": [
        {
          "Name": "TestIdentityServer",
          "DisplayName": "TestIdentityServer API Services"
        }
      ]
    }
  ],

  "Clients": [
    {
      "ClientId": "TestIdentityServer",
      "ClientName": "TestIdentityServer Credentials Client",

      // 511536EF-F270-4058-80CA-1C89C192F69A
      "ClientSecrets": [ { "Value": "entAuCGhsOQWRYBVx26BCgZxeMt/TqeVZzzpNJ9Ub1M=" } ],
      "AllowedGrantTypes": [ "hybrid" ],
      "AllowedScopes": [ "openid", "profile", "TestIdentityServer" ],
      "RedirectUris": [ "http://localhost:44367/signin-oidc" ],
      //"FrontChannelLogoutUris": [ "http://localhost:44367/Home/Privacy" ],
      //"PostLogoutRedirectUris": [ "http://localhost:44367/Home/Privacy" ],
      "redirect_uri": "http://localhost:44367/signin-oidc"
    }

Answer 1

Получил эту ошибку сегодня и решил ее, переключившись с:

options.ResponseType = "code id_token";

на

options.ResponseType = "code";
options.UsePkce = true;

Вот мои полные варианты на стороне клиента:

options.Authority = "http://localhost:8000";
options.RequireHttpsMetadata = false; // dev only

options.ClientId = "testAPI";
options.ClientSecret = secret;

// code flow + PKCE (PKCE is turned on by default)
options.ResponseType = "code";
options.UsePkce = true;

options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("offline_access");
options.Scope.Add("testAPI");

options.ClaimActions.MapJsonKey("website", "website");

//options.ResponseMode = "form_post";
//options.CallbackPath = "/signin-oidc";

// keeps id_token smaller
options.GetClaimsFromUserInfoEndpoint = true;
options.SaveTokens = true;

Кроме того, поскольку я использую IdentityServer на docker и тестирую клиент на хосте, мне пришлось настроить дополнительный Uri перенаправления, чтобы иметь возможность тестировать:

RedirectUris =
{
    "http://localhost:5001/signin-oidc",
    "http://host.docker.internal:5001/signin-oidc",
    "http://notused"
},

Я основываю свою реализацию на Domini c образцы Байера на GitHub .

Редактировать: Теперь я понял, что для моего случая тип ответа может быть только "code" потому что моя конфигурация клиента для кода авторизации + PKCE (поток OAuth2). У вас настроен «гибрид» (поток OID C), который поддерживает «код id_token», поэтому, хотя мы получили одно и то же сообщение об ошибке, проблема была в другом.