我遇到一个间歇性问题,有时会阻止升级者登录我的网站。当他们登录时,当他们从 OpenIDDict 服务器重定向时,会遇到以下错误。
error:invalid_token
error_description:The issuer associated to the specified token is not valid.
error_uri:https://documentation.openiddict.com/errors/ID2088
我发现通常可以刷新页面,错误就会消失,但我不希望普通用户这样做。我遵循 OpenIDDict 中的 dantooine webassemble 示例。这个问题的奇怪之处在于,它仅在部署到我的 Azure 应用服务时在生产中发生。
客户端配置:
#region OpedIdDict
builder.Services.AddDbContext<ApplicationDbContext>(options =>
{
options.UseSqlite(...);
options.UseOpenIddict();
});
builder.Services.AddAntiforgery(options =>
{
options.HeaderName = ...;
options.Cookie.Name = ...;
options.Cookie.SameSite = SameSiteMode.Strict;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});
builder.Services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
options.LoginPath = ...;
options.LogoutPath = ...;
options.ExpireTimeSpan = ...;
options.SlidingExpiration = false;
options.ClaimsIssuer = ...;
});
builder.Services.AddQuartz(options =>
{
options.UseMicrosoftDependencyInjectionJobFactory();
options.UseSimpleTypeLoader();
options.UseInMemoryStore();
});
builder.Services.AddQuartzHostedService(options => options.WaitForJobsToComplete = true);
builder.Services.AddOpenIddict()
.AddCore(options =>
{
options.UseEntityFrameworkCore().UseDbContext<ApplicationDbContext>();
options.UseQuartz();
})
.AddClient(options =>
{
options.AllowAuthorizationCodeFlow();
var certificate = ...;
options.AddSigningCertificate(certificate);
options.AddEncryptionCertificate(certificate);
options.UseAspNetCore()
.EnableStatusCodePagesIntegration()
.EnableRedirectionEndpointPassthrough()
.EnablePostLogoutRedirectionEndpointPassthrough();
options.UseSystemNetHttp()
.SetProductInformation(typeof(Program).Assembly);
options.AddRegistration(new OpenIddictClientRegistration
{
Issuer = ...,
ClientId = ...,
ClientSecret = ...,
Scopes = { Scopes.Profile, Scopes.Email, Scopes.Phone },
RedirectUri = new Uri(...),
PostLogoutRedirectUri = new Uri(...)
});
});
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("CookieAuthenticationPolicy", builder =>
{
builder.AddAuthenticationSchemes(CookieAuthenticationDefaults.AuthenticationScheme);
builder.RequireAuthenticatedUser();
});
});
builder.Services.AddReverseProxy()
.LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"))
.AddTransforms(builder => builder.AddRequestTransform(async context =>
{
var token = await context.HttpContext.GetTokenAsync(
scheme: CookieAuthenticationDefaults.AuthenticationScheme,
tokenName: Tokens.BackchannelAccessToken);
context.ProxyRequest.Headers.Authorization = new AuthenticationHeaderValue(Schemes.Bearer, token);
}));
builder.Services.AddHostedService<Worker>();
#endregion
事实证明这是从裸域导航的问题。我的重定向配置为 www。但该网站不是 www。有一次我强迫网站变成www。问题已自行解决。