
Thank you for your library.

I use

<PackageReference Include="IdentityServer4" Version="2.0.0-rc1-update1" />
<PackageReference Include="IdentityServer4.AccessTokenValidation" Version="2.0.0-rc1" />

ApiResources

public IEnumerable<ApiResource> GetApiResources()
{
    return new List<ApiResource>
    {
        new ApiResource("core_logic_facade", "CoreLogicFacade",
            new List<string> { "role" })
        {
            ApiSecrets = { new Secret("apisecret".Sha256()) }
        }
    };
}

In API config

services
    .AddAuthentication(o =>
    {
        o.DefaultChallengeScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
        o.DefaultAuthenticateScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
    })
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = CommonConfiguration.IdentityServerUri;
        options.RequireHttpsMetadata = false;
        options.SaveToken = true;
        options.ApiSecret = "apisecret";
        options.ApiName = "core_logic_facade";
    });

I get the error

Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler:Information: Failed to validate the token eyJhbGciOiJSUzI1NiIsImtpZCI6IkVCQzQ1MEFDNjlCQzg4NDhGOTc2MjMyQzMxRkY2NEFFQUE4MzM4RDMiLCJ0eXAiOiJKV1QiLCJ4NXQiOiI2OFJRckdtOGlFajVkaU1zTWY5a3JxcURPTk0ifQ.eyJuYmYiOjE1MDYwNzg2NjUsImV4cCI6MTUwNjE2ODY2NSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDoxMjQwNiIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTI0MDYvcmVzb3VyY2VzIiwiY2xpZW50X2lkIjoid3BmLndlYnZpZXcuY2xpZW50Iiwic3ViIjoiNTliZmI5NTBmMDA0ZGRjNDE3YmVjMTRlIiwiYXV0aF90aW1lIjoxNTA2MDc4NjY1LCJpZHAiOiJsb2NhbCIsImdpdmVuX25hbWUiOiJBbGljZSIsImZhbWlseV9uYW1lIjoiU21pdGgiLCJtaWRkbGVfbmFtZSI6IiIsImVtYWlsIjoiQWxpY2VTbWl0aEBlbWFpbC5jb20iLCJyb2xlIjpbItCQ0LTQvNC40L3QuNGB0YLRgNCw0YLQvtGAIiwi0JLRgdC1INCw0LLRgtC-0YDQuNC30L7QstCw0L3QvdGL0LUg0L_QvtC70YzQt9C-0LLQsNGC0LXQu9C4Il0sInNjb3BlIjpbIm9wZW5pZCIsInByb2ZpbGUiLCJlbWFpbCIsInJvbGVzIl0sImFtciI6WyJwd2QiXX0.aztrxs9mFiNXMDDqeMegvlRN5UbmdKmu-w2DuoKx7gw4FEa9iB9LlkeHjzHeqDnrbKpYQ4D47I6WToUUZE-1_vyFy_bDxlyvSOq1g4PNtuOrcG8gppfH3x4pJ3Dcuiz52YObr1DTxYZ-d-jlOZob2rT3SPm2aeHDa4_s6DgEIA6GYy6PBa4eIfEnkACF_b_NeW2v8JAcs-j-erdpUSh79cnRf0-vnIa4pAM5m2BisJR5WCqIOZAPA8pRua9ggrTWjhietTgiraGQEBN-HlQ-9HOk3BfERqm45ENqG9npYsEszAwoyU6SwQhVzwtYRQ82fN-lgnW7Jin9CNj0SjOISaIbG3ZW8-i2oXiwmkQiRTCT8uNyOhPCKsDNr6Tvr2ZTzMzPrlFvKimhyWwMm_NFDcZdb4W2qDB6LDIgyTni3QQtFyfwbVOCwP-i9v3MpydIEYw4PzJhPZgS7-1jDSBIPkzuwUOgihyoxhT4f9cOq8eplR6Q2nJuHc7bHW_QTDwgKPaiq74ws9dV8SUVpYogvwhY5xste5uHQ4WcseXzzg5zmwUqmTKuU1ZhGBnov35-ydUfDTpz9KUntZOrwRptSNx7IPUCW4dVrkMu_YQHRjB0h8YKmEwJk8tLkFEcldYgG2PyocvT5ew26hXenhthlq-jlSYc3XgO3hdwm3Qjg.

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'http://localhost:12406/resources'. Did not match: validationParameters.ValidAudience: 'core_logic_facade' or validationParameters.ValidAudiences: 'null'.

new Client
{
    ClientName = "Designer",
    ClientId = "wpf.webview.client",
    AllowedGrantTypes = GrantTypes.Implicit,
    AllowAccessTokensViaBrowser = true,
    AllowedScopes = new List<string>
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.Email,
        "roles",
        "core_logic_facade",
        "script_service"
    },
    RequireConsent = false,
    AllowRememberConsent = true,
    PostLogoutRedirectUris = new List<string> { "oob://localhost/wpf.webview.client/logout" },
    RedirectUris = new List<string> { "oob://localhost/wpf.webview.client" },
    AccessTokenLifetime = 90000
}

My login uri
http://localhost:12406/connect/authorize?client_id=wpf.webview.client&response_type=id_token+token&scope=openid+profile+email+roles&redirect_uri=oob%3A%2F%2Flocalhost%2Fwpf.webview.client&state=random_state&nonce=random_nonce&response_mode=form_post

But I do not understand where IdentityServer puts this aud http://localhost:12406/resources.

But when I change to
http://localhost:12406/connect/authorize?client_id=wpf.webview.client&response_type=id_token+token&scope=openid+profile+email+roles+core_logic_facade&redirect_uri=oob%3A%2F%2Flocalhost%2Fwpf.webview.client&state=random_state&nonce=random_nonce&response_mode=form_post

I get the error

IdentityServer4.Validation.ScopeValidator:Error: Invalid scope: core_logic_facade
IdentityServer4.Endpoints.AuthorizeEndpoint:Error: Request validation failed
IdentityServer4.Endpoints.AuthorizeEndpoint:Error: Request validation failed
IdentityServer4.Endpoints.AuthorizeEndpoint:Information: {
  "ClientId": "wpf.webview.client",
  "ClientName": "Dashboard Designer",
  "RedirectUri": "oob://localhost/wpf.webview.client",
  "AllowedRedirectUris": [
    "oob://localhost/wpf.webview.client"
  ],
  "SubjectId": "anonymous",
  "ResponseType": "id_token token",
  "ResponseMode": "form_post",
  "GrantType": "implicit",
  "RequestedScopes": "openid profile email roles core_logic_facade",
  "State": "random_state",
  "Raw": {
    "client_id": "wpf.webview.client",
    "response_type": "id_token token",
    "scope": "openid profile email roles core_logic_facade",
    "redirect_uri": "oob://localhost/wpf.webview.client",
    "state": "random_state",
    "nonce": "random_nonce",
    "response_mode": "form_post"
  }
}

@leastprivilege @brockallen,

I have a similar issue, but I'm working on a multi-tenant app. Here's my config:

services.AddIdentityServerAuthentication(o =>
{
  o.Authority = Consts.MainUrl;
  o.ApiName = Consts.ApiScope; //"api"
  o.ApiSecret = Consts.UnoClientSecret;
  o.EnableCaching = true;
  o.SupportedTokens = SupportedTokens.Jwt;
  o.RequireHttpsMetadata = true;
});

The access token contains the following data (used jwt.io):

{
  "nbf": 1564067106,
  "exp": 1564070706,
  "iss": "https://test.mysite.com",
  "aud": "https://test.mysite.com/resources",
  "client_id": "83ecbcd0-2ae9-4dfd-995f-87c1b7cdf933",
  "sub": "1",
  "auth_time": 1564067106,
  "idp": "local",
  "scope": [ "openid", "profile", "offline_access" ],
  "amr": [ "pwd" ]
}

When I try to access a protected resource under the api route with an attached token, I get the following exception:

Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'https://test.mysite.com/resources'. Did not match: validationParameters.ValidAudience: 'api' or validationParameters.ValidAudiences: 'null'.

The problem is that I can't provide the full URL, because it's dynamic: subdomains are per-tenant.
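Both reports above fail the same check: the token's `aud` is `{issuer}/resources` while the API validates it against the bare `ApiName`. The following Python is an added illustration, not code from this thread or from IdentityServer4; it reproduces the IDX10214 comparison in the open so the mismatch is visible, using constructed sample claims that mirror the second report. `validate_tenant_audience` is an assumed rule for the per-tenant case (issuer must be an https sub-domain of a parent domain, `aud` must be exactly `{iss}/resources`), not a fix the maintainers confirmed.

```python
import base64
import json
from urllib.parse import urlparse


def jwt_payload(token: str) -> dict:
    """Decode the claims segment of a compact JWS, as jwt.io does in the report.
    The signature is NOT verified here; a real resource server must verify it first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def audiences(claims: dict) -> list:
    """RFC 7519: 'aud' may be a single string or an array of strings."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def validate_audience(claims: dict, valid_audience=None, valid_audiences=()):
    """Reproduce the IDX10214 decision: succeed iff some token audience equals
    ValidAudience or one of ValidAudiences by exact string comparison."""
    accepted = set(valid_audiences)
    if valid_audience:
        accepted.add(valid_audience)
    present = audiences(claims)
    if any(a in accepted for a in present):
        return True, ""
    return False, (f"IDX10214: Audience validation failed. Audiences: "
                   f"'{', '.join(present)}'. Did not match: ValidAudience: "
                   f"'{valid_audience or 'null'}' or ValidAudiences: "
                   f"'{', '.join(sorted(accepted)) or 'null'}'.")


def validate_tenant_audience(claims: dict, parent_domain: str) -> bool:
    """Assumed per-tenant rule (not from the thread): accept only when the issuer is an
    https sub-domain of parent_domain and aud is exactly '{iss}/resources'."""
    iss = urlparse(claims.get("iss", ""))
    if iss.scheme != "https" or not iss.hostname:
        return False
    if not iss.hostname.endswith("." + parent_domain.lower()):
        return False
    return audiences(claims) == [f"{claims['iss']}/resources"]


def encode_claims_for_demo(claims: dict) -> str:
    """Constructed, unsigned demo token (empty signature) so jwt_payload has input."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


SAMPLE_CLAIMS = {  # constructed; mirrors the second report's payload
    "iss": "https://test.mysite.com",
    "aud": "https://test.mysite.com/resources",
    "client_id": "83ecbcd0-2ae9-4dfd-995f-87c1b7cdf933",
    "scope": ["openid", "profile", "offline_access"],
}
```

Running `validate_audience(jwt_payload(encode_claims_for_demo(SAMPLE_CLAIMS)), valid_audience="api")` yields the same IDX10214 text as the exception quoted above, because `api` is compared verbatim against `https://test.mysite.com/resources`.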