爲什麼`IdSrv`在WS聯合響應POST時發出`EncryptedTokenDecryptionFailedException`異常以發出/ hrd？

Question

我正在嘗試使用Thinktecture.IdentityServer V. 2來設置聯合身份驗證。

我有一個網站設置爲依賴方，並且該網站設置爲在身份服務器處推遲認證至/issue/hrd。這似乎按預期工作。

此外，我通過IdSrv管理頁面向身份服務器添加了身份提供程序（ADFS）。身份提供商被配置爲與

• 標識符
• 顯示名稱
• 家庭領域發現啓用
• WSStar被選擇作爲類型
• WS聯盟端點其已啓用填入
• 發行人指紋填寫

身份提供程序配置爲信任我的身份服務器。

當網站（RP）需要身份驗證時，它會重定向到身份服務器，該身份服務器會進一步重定向到身份提供程序，並且我會獲得身份提供程序的登錄屏幕並且能夠登錄，但HTTP POST會返回到/issue/hrd身份服務器失敗，但出現以下例外情況：

ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key. 
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.IdentityModel.Tokens.EncryptedTokenDecryptionFailedException: ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key. 

Source Error: 


An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below. 

Stack Trace: 



[EncryptedTokenDecryptionFailedException: ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key.] 
    System.IdentityModel.Tokens.Saml2SecurityTokenHandler.CreatePlaintextReaderFromEncryptedData(XmlDictionaryReader reader, SecurityTokenResolver serviceTokenResolver, SecurityTokenSerializer keyInfoSerializer, Collection`1 clauses, EncryptingCredentials& encryptingCredentials) +1042914 
    System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader) +422 
    System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadToken(XmlReader reader) +71 
    System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader) +114 
    System.IdentityModel.Services.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas, FederationConfiguration federationConfiguration) +356 

[SecurityTokenException: ID1044: An encrypted security token was received at the relying party which could not be decrypted. Configure the relying party with a suitable decryption certificate. Current relying party decryption certificate info: 
No Certificate Configured] 
    System.IdentityModel.Services.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas, FederationConfiguration federationConfiguration) +1218 
    Thinktecture.IdentityServer.Protocols.WSFederation.HrdController.ProcessWSFedResponse() +218 
    lambda_method(Closure , ControllerBase , Object[]) +79 
    System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +261 
    System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +39 
    System.Web.Mvc.Async.<>c__DisplayClass42.<BeginInvokeSynchronousActionMethod>b__41() +34 
    System.Web.Mvc.Async.<>c__DisplayClass39.<BeginInvokeActionMethodWithFilters>b__33() +124 
    System.Web.Mvc.Async.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49() +839035 
    System.Web.Mvc.Async.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49() +839035 
    System.Web.Mvc.Async.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49() +839035 
    System.Web.Mvc.Async.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49() +839035 
    System.Web.Mvc.Async.<>c__DisplayClass37.<BeginInvokeActionMethodWithFilters>b__36(IAsyncResult asyncResult) +15 
    System.Web.Mvc.Async.<>c__DisplayClass2a.<BeginInvokeAction>b__20() +33 
    System.Web.Mvc.Async.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult asyncResult) +839620 
    System.Web.Mvc.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult) +28 
    System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +15 
    System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +65 
    System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +15 
    System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +51 
    System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult) +42 
    System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +15 
    System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +51 
    System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +606 
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +288 



-------------------------------------------------------------------------------- 

Answer 1

這看起來像您爲令牌加密配置了外部IdP。

我們現在不做令牌解密。如果這對你很重要 - 在github上打開一個問題。

Answer 2

可能是你忘了設置在microsoft.identityModel /服務配置部分客戶端您證書decript的encripted餅乾：

<serviceCertificate> 
      <certificateReference 
         findValue="{Thumbprint}" 
        storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint"/> 
     </serviceCertificate>