我正在使用 IdentityServer4(4.0.4),但是它不返回 access_token,它总是返回:"error": "invalid_scope"只需添加以下代码和 Nuget 包 IdentityServer4(4.0.4) 和 IdentityServer4.EntityFramework(4.0.4) 即可重现该错误。在请求中添加“范围”没有任何区别。
这是从 Postman 触发的端点:
这是我的配置类:
using IdentityServer4;
using IdentityServer4.Models;
using System.Collections.Generic;
using System.Linq;
namespace WebApplication1
{
public class Config
{
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource("ApiName", "ApiDisplayName")
};
}
public static List<IdentityResource> GetIdentityResources()
{
return new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Profile() // <-- usefull
};
}
public static IEnumerable<Client> GetClients()
{
return new[]
{
// for public api
new Client
{
ClientId = "secret_client_id",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"ApiName"
}
}
};
}
}
}
Startup类(class):using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
namespace WebApplication1
{
public class Startup
{
// This method gets called by the runtime. Use this method to add services to the container.
// For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
public void ConfigureServices(IServiceCollection services)
{
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddOperationalStore(options =>
{
options.EnableTokenCleanup = true;
options.TokenCleanupInterval = 30; // interval in seconds
})
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients())
.AddInMemoryIdentityResources(Config.GetIdentityResources());
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseIdentityServer();
app.UseRouting();
app.UseEndpoints(endpoints =>
{
endpoints.MapGet("/", async context =>
{
await context.Response.WriteAsync("Hello World!");
});
});
}
}
}
最佳答案
仔细检查您的客户是否正在查看未在您的 ApiScopes 中配置的范围。配置。在下面的示例中,我的客户端注册正在查看“THIS_IS_AN_INVALID_SCOPE”,但我实际上并没有在 ApiScopes 中定义此范围。 .
public static class Scopes
{
public static IEnumerable<ApiScope> Get()
{
return new[]
{
new ApiScope("ProtectedResource.Scope1", "Access to ProtectedResource.Scope1"),
new ApiScope("ProtectedResource.Scope2", "Access to ProtectedResource.Scope2")
};
}
}
public static class Clients
{
public static IEnumerable<Client> Get()
{
return new List<Client>
{
new Client
{
ClientId = "IntegrationTests",
ClientName = "Example client application using client credentials",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets = new List<Secret> {new Secret("not_the_actual_password".Sha256())},
AllowedScopes = new List<string> {"THIS_IS_AN_INVALID_SCOPE"},
AccessTokenLifetime = 300 //5 Minutes
},
};
}
}
关于.net - IdentityServer4 总是返回 "error": "invalid_scope",我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/63380747/