我知道对此有很多疑问,但我发现没有任何东西可以解决我的问题。
设置:
services.AddControllersWithViews();
var builder = services.AddIdentityServer()
.AddInMemoryIdentityResources(Config.IdentityResources)
.AddInMemoryApiScopes(Config.ApiScopes)
.AddInMemoryClients(Config.Clients)
.AddTestUsers(TestUsers.Users);
builder.AddDeveloperSigningCredential();
// resource owner password grant client
new Client
{
ClientId = "ro.client",
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedScopes = { "api1" }
}
new TestUser
{
SubjectId = "818727",
Username = "alice",
Password = "alice",
Claims =
{
new Claim(JwtClaimTypes.Name, "Alice Smith"),
new Claim(JwtClaimTypes.GivenName, "Alice"),
new Claim(JwtClaimTypes.FamilyName, "Smith"),
new Claim(JwtClaimTypes.Email, "[email protected]"),
new Claim(JwtClaimTypes.EmailVerified, "true", ClaimValueTypes.Boolean),
new Claim(JwtClaimTypes.WebSite, "http://alice.com"),
new Claim(JwtClaimTypes.Address, JsonSerializer.Serialize(address), IdentityServerConstants.ClaimValueTypes.Json)
}
}
邮递员回复:
{
"access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkE1RkQ2QzlFN0I0QTYzRjJDOERBM0IyRDkxODA1MTAxIiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE2MjE1NDk1OTYsImV4cCI6MTYyMTU1MzE5NiwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMSIsImNsaWVudF9pZCI6InJvLmNsaWVudCIsInN1YiI6IjgxODcyNyIsImF1dGhfdGltZSI6MTYyMTU0OTU5NiwiaWRwIjoibG9jYWwiLCJqdGkiOiJFNDYxMjg1NkRDMzhBNkYxRTE3OTRGRkE2OURGMjY2MiIsImlhdCI6MTYyMTU0OTU5Niwic2NvcGUiOlsiYXBpMSJdLCJhbXIiOlsicHdkIl19.mThB_nrdwF28hvSDGllfZuZLIAaHirUzf0XJpkkVAjtJeWh6t73uf05Zbtuxc0pvh81MSvAs38firgXew00XqBHKJtEE8aLQpitnzu5SUfAsAlLCz281T9V7yH-YblBTm5z9ZR-5rJBoqFwbPQ8j_GhZeCxskFKbpjIcdfXcndSBFywu2yM5NEow3YNdtxdFHqChDt1WNT9Mk0GV17iN0Rg6ZlMbgZcF0zEinJDfccvMWyWvbWvqvtl4E6Yq53kEKiD8Y5p3HU2Bac8J54sXVuhFKWammLkZwnF2Qw0h_cFkoocxmA6lyeXlLb2vWqmcdZg_fi_M2SHKuKm6GHT-6w",
"expires_in": 3600,
"token_type": "Bearer",
"scope": "api1"
}
但是,当我将 access_token 粘贴到 jwt.io 中时,令牌可以按照我期望的一切正常解码,但会显示为无效签名。这会影响在其他地方验证令牌。
有人可以帮助我吗?
当您在服务器中使用此功能时:
builder.AddDeveloperSigningCredential();
如果找不到现有密钥文件,IdentityServer 将在每个部署上重新生成新的签名密钥。因此,在生产中,您不应使用 AddDeveloperSigningCredential,而应使用 AddSigningCredential 方法来添加更永久的密钥。
参见此页
据我所知,这与 PKCE 代码有关。当您收到此错误时,尤其是在 API 资源中。每个使用 Identity server 4 生成令牌或验证令牌的 Api 和客户端都必须使用 pkce 。在 API swagger 中,您必须在配置中添加 pkce。