c# - AuthorizeRequestValidator: Error: Invalid grant type for client: implicit

标签 c# oauth oauth-2.0 asp.net-core-2.0 identityserver4

我正在尝试在 .NET Core 2.0 MVC 上设置 Identity Server 4 HybridAndClientCredentials

我正在为错误而苦苦挣扎:

Invalid grant type for client: implicit

即使我的代码中有:

AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

我已经下载了快速入门(quickstart)示例,它可以正常工作,但我在自己的代码里找不出缺少的是哪一行。

调试输出:

IdentityServer4.Validation.AuthorizeRequestValidator:
Error: Invalid grant type for client: implicit
{
  "ClientId": "consultee",
  "ClientName": "consultee Client test",
  "RedirectUri": "http://consultee.mi.local:44352/signin-oidc",
  "AllowedRedirectUris": [
    "http://consultee.mi.local:44352/signin-oidc"
  ],
  "SubjectId": "anonymous",
  "ResponseType": "id_token",
  "ResponseMode": "form_post",
  "GrantType": "implicit",
  "RequestedScopes": "",
  "State": "CfDJ8KERs5ihv_5Ll9ddYi6Nj5lkLNGQptrJwHqbSD11g27zqVxPcKxLKvbMtd5ab5LPbV15yaCNlHlzpPgRQL4R2XSue8ka_fqLBWFfXad-sRNCyY03JxgL7HZDKDrph-G4hdvRRMvBtXUc0tq2tHd7ZGX7-djehs8aHD6-P_80UfFplHCYkvARV7I64Kb5ki4cFVmLE6G8EbWIUwir6HJpkgK1CbN_IuPtBTjaLZoBOEzpxWTRVaudsD4vZFxdTv4N51ufkn8jy7GPC0pf3xCGInQpA-FziHp681qmiWbCxlp9HuAIZBem-at9dNvC29yRBw4JbcoTSrjuHkq6G6gZtXVh1YuuQYIW9R4wklmlSEX4i8kxM8zJTog98Ce3OFsYnw",
  "Raw": {
    "client_id": "consultee",
    "redirect_uri": "http://consultee.mi.local:44352/signin-oidc",
    "response_type": "id_token",
    "scope": "openid profile api1 offline_access",
    "response_mode": "form_post",
    "nonce": "636626718480261618.MDYwZjE0MjMtNzczMi00ZjQ4LTk0NWUtZjQ1ZDNjM2VjZTRhOWI0NWM0MjMtNGM3Ni00ZDA3LWIyZDctMDcwNTc3ZDU0NGYy",
    "state": "CfDJ8KERs5ihv_5Ll9ddYi6Nj5lkLNGQptrJwHqbSD11g27zqVxPcKxLKvbMtd5ab5LPbV15yaCNlHlzpPgRQL4R2XSue8ka_fqLBWFfXad-sRNCyY03JxgL7HZDKDrph-G4hdvRRMvBtXUc0tq2tHd7ZGX7-djehs8aHD6-P_80UfFplHCYkvARV7I64Kb5ki4cFVmLE6G8EbWIUwir6HJpkgK1CbN_IuPtBTjaLZoBOEzpxWTRVaudsD4vZFxdTv4N51ufkn8jy7GPC0pf3xCGInQpA-FziHp681qmiWbCxlp9HuAIZBem-at9dNvC29yRBw4JbcoTSrjuHkq6G6gZtXVh1YuuQYIW9R4wklmlSEX4i8kxM8zJTog98Ce3OFsYnw",
    "x-client-SKU": "ID_NET",
    "x-client-ver": "2.1.4.0"
  }
}

客户端(Client)配置:

// IdentityServer-side registration of the "consultee" client.
new Client
{
    ClientId = "consultee",
    ClientName = "consultee Client test",
    // Only the hybrid and client-credentials grants are allowed. The debug output shows the
    // authorize request arriving with GrantType "implicit", which is not in this list.
    AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

    ClientSecrets =
    {
        // Sample-grade shared secret hard-coded in source. Outside a demo, use a long random
        // value loaded from configuration or a secret store.
        new Secret("secret".Sha256())
    },

    // Plain-http URIs: the authorization response is delivered to these addresses unencrypted.
    // Register https URIs for anything beyond local testing.
    RedirectUris = { "http://consultee.mi.local:44352/signin-oidc" },
    PostLogoutRedirectUris = { "http://consultee.mi.local:44352/signout-callback-oidc" },

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "api1"
    },
    // Lets the client request the offline_access scope (refresh tokens).
    AllowOfflineAccess = true,
    // Permits access tokens to be returned through the browser.
    // NOTE(review): probably not needed once the client requests "code id_token", because the
    // access token is then fetched from the token endpoint - confirm and drop it if unused.
    AllowAccessTokensViaBrowser = true,
}

客户端的 ConfigureServices:

/// <summary>
/// Registers MVC plus cookie and OpenID Connect authentication for the "consultee" MVC client.
/// </summary>
/// <param name="services">The service collection the registrations are added to.</param>
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    // Keep incoming claim types as issued instead of letting the JWT handler remap them.
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

    services.AddAuthentication(options =>
        {
            // The local session lives in a cookie; unauthenticated users are challenged via OIDC.
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie("Cookies")
        .AddOpenIdConnect("oidc", options =>
        {
            options.SignInScheme = "Cookies";

            options.Authority = Configuration["identityServerUri"];
            // Allows the discovery document (and the signing keys it points to) to be fetched
            // over plain http. Development only; leave it at the default when the authority is https.
            options.RequireHttpsMetadata = false;

            options.ClientId = "consultee";
            // Hard-coded sample secret; load it from configuration or a secret store instead.
            options.ClientSecret = "secret";

            // Keeps the tokens returned by the provider in the authentication properties.
            options.SaveTokens = true;
            options.GetClaimsFromUserInfoEndpoint = true;

            // No ResponseType is set here. The debug output shows the request going out with
            // response_type=id_token, which IdentityServer reports as the implicit grant and
            // rejects for a client that only allows hybrid/client-credentials.
            options.Scope.Add("api1");
            options.Scope.Add("offline_access");
        });
}

IdentityServer 的 ConfigureServices:

/// <summary>
/// Registers MVC and an IdentityServer instance backed entirely by in-memory configuration.
/// </summary>
/// <param name="services">The service collection the registrations are added to.</param>
public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // configure identity server with in-memory stores, keys, clients and scopes
        // Everything below is development scaffolding: a developer signing key, in-memory
        // stores and test users. A real deployment needs a managed signing key/certificate
        // and persistent client and user stores.
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()
            .AddInMemoryIdentityResources(Config.GetIdentityResources())
            .AddInMemoryApiResources(Config.GetApiResources())
            .AddInMemoryClients(Config.GetClients())
            // Config.GetUsers() is not shown; presumably hard-coded test accounts - verify.
            .AddTestUsers(Config.GetUsers());

        services.AddAuthentication();

    }

最佳答案

日志已经告诉你问题出在哪里:

Error: Invalid grant type for client: implicit

您正在作为隐式客户端登录。

// Client-side OIDC handler as posted in the question. It never sets options.ResponseType, and
// the logged request carries response_type=id_token, i.e. an implicit-flow request.
.AddOpenIdConnect("oidc", options =>
        {
            options.SignInScheme = "Cookies";

            options.Authority = Configuration["identityServerUri"];
            // Metadata may be fetched over plain http with this off; development only.
            options.RequireHttpsMetadata = false;

            options.ClientId = "consultee";
            // Must match the secret registered for the client in IdentityServer. Hard-coded
            // here as a sample value; keep real secrets out of source.
            options.ClientSecret = "secret";

            options.SaveTokens = true;
            options.GetClaimsFromUserInfoEndpoint = true;

            options.Scope.Add("api1");
            options.Scope.Add("offline_access");
        });

您已经在身份服务器中配置了一个混合客户端

// Server-side client registration: hybrid and client-credentials grants only, so an authorize
// request classified as "implicit" fails validation.
new Client
            {
                ClientId = "consultee",
                ClientName = "consultee Client test",
                AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

                ClientSecrets =
                {
                    // Sample secret; replace with a long random value kept outside source control.
                    new Secret("secret".Sha256())
                },

                // http redirect URIs expose the authorization response on the wire; use https
                // outside local testing.
                RedirectUris = { "http://consultee.migrology.local:44352/signin-oidc" },
                PostLogoutRedirectUris = { "http://consultee.migrology.local:44352/signout-callback-oidc" },

                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "api1"
                },
                // Allows the offline_access scope (refresh tokens) for this client.
                AllowOfflineAccess = true,
                // NOTE(review): returning access tokens via the browser is probably unnecessary
                // for a "code id_token" request - confirm and remove if unused.
                AllowAccessTokensViaBrowser = true,
            }

所以服务器不会允许你这样做。您需要更改您的代码以作为混合登录或将您的客户端更改为隐式客户端。

更改为混合

为了将隐式登录更改为混合登录,您需要更改一些内容。

  • 配置 ClientSecret 以匹配 IdentityServer 的 secret 。
  • 添加 offline_access
  • 添加范围(api1)
  • 将 ResponseType 设置为 code id_token,即在 AddOpenIdConnect 的选项中加上 options.ResponseType = "code id_token";(这基本上意味着“使用混合流”)(你的代码里缺的就是这一项)

关于c# - 授权请求验证器 : Error: Invalid grant type for client: implicit,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/50487639/
