OpenID Connect服務器與ASOS，.NET核心管道

Question

我已經開始使用ASOS與OpenID Connect服務器一起玩，通過實施資源所有者密碼憑證授予。但是，當我使用郵遞員測試它時，我得到了通用500內部服務器錯誤。

這是我的代碼，爲您的調試樂趣。感謝您的反饋。

感謝

-Biruk

這裏是我的Startup.cs

public void ConfigureServices(IServiceCollection services) 
    { 
     // Add framework services. 

     services.AddAuthentication(options => { 
      options.SignInScheme = "ServerCookie"; 
     }); 


     services.AddApplicationInsightsTelemetry(Configuration); 

     services.AddMvc(); 

     services.AddSession(options => { 
      options.IdleTimeout = TimeSpan.FromMinutes(30); 
     }); 
    } 




    public void Configure(IApplicationBuilder app, IHostingEnvironment env, LoggerFactory loggerFactory) 
    { 

     app.UseOAuthValidation(); 


     app.UseOpenIdConnectServer(options => { 
      // Create your own authorization provider by subclassing 
      // the OpenIdConnectServerProvider base class. 
      options.Provider = new AuthorizationProvider(); 

      // Enable the authorization and token endpoints. 
      // options.AuthorizationEndpointPath = "/connect/authorize"; 
      options.TokenEndpointPath = "/connect/token"; 

      // During development, you can set AllowInsecureHttp 
      // to true to disable the HTTPS requirement. 
      options.ApplicationCanDisplayErrors = true; 
      options.AllowInsecureHttp = true; 

      // Note: uncomment this line to issue JWT tokens. 
      // options.AccessTokenHandler = new JwtSecurityTokenHandler(); 
     }); 

     loggerFactory.AddConsole(Configuration.GetSection("Logging")); 
     loggerFactory.AddDebug(); 

     app.UseApplicationInsightsRequestTelemetry(); 

     app.UseApplicationInsightsExceptionTelemetry(); 

     app.UseMvc(); 
    } 

，這裏是我的

public sealed class AuthorizationProvider : OpenIdConnectServerProvider 
{ 
    public Task<User> GetUser() 
    { 

     return Task.Run(()=> new User { UserName = "biruk60", Password = "adminUser123" }); 
    } 
    // Implement OnValidateAuthorizationRequest to support interactive flows (code/implicit/hybrid). 
    public override Task ValidateTokenRequest(ValidateTokenRequestContext context) 
    { 
     // Reject the token request that don't use grant_type=password or grant_type=refresh_token. 
     if (!context.Request.IsPasswordGrantType() && !context.Request.IsRefreshTokenGrantType()) 
     { 
      context.Reject(
       error: OpenIdConnectConstants.Errors.UnsupportedGrantType, 
       description: "Only resource owner password credentials and refresh token " + 
          "are accepted by this authorization server"); 

      return Task.FromResult(0); 
     } 

     // Since there's only one application and since it's a public client 
     // (i.e a client that cannot keep its credentials private), call Skip() 
     // to inform the server the request should be accepted without 
     // enforcing client authentication. 
     context.Skip(); 

     return Task.FromResult(0); 
    } 



    public override async Task HandleTokenRequest(HandleTokenRequestContext context) 
    { 
     //// Resolve ASP.NET Core Identity's user manager from the DI container. 
     //var manager = context.HttpContext.RequestServices.GetRequiredService<UserManager<ApplicationUser>>(); 

     // Only handle grant_type=password requests and let ASOS 
     // process grant_type=refresh_token requests automatically. 
     if (context.Request.IsPasswordGrantType()) 
     { 
      // var user = await manager.FindByNameAsync(context.Request.Username); 

      var user = await GetUser();//new { userName = "briuk60@gmail.com", password = "adminUser123" }; 
      if (user == null) 
      { 
       context.Reject(
        error: OpenIdConnectConstants.Errors.InvalidGrant, 
        description: "Invalid credentials."); 

       return; 
      } 

      if (user != null && (user.Password == context.Request.Password)) 
      { 




       var identity = new ClaimsIdentity(context.Options.AuthenticationScheme); 

       // Note: the name identifier is always included in both identity and 
       // access tokens, even if an explicit destination is not specified. 
       // identity.AddClaim(ClaimTypes.NameIdentifier, await manager.GetUserId(user)); 

       // When adding custom claims, you MUST specify one or more destinations. 
       // Read "part 7" for more information about custom claims and scopes. 
       identity.AddClaim("username", "biruk60", 
        OpenIdConnectConstants.Destinations.AccessToken, 
        OpenIdConnectConstants.Destinations.IdentityToken); 

       // Create a new authentication ticket holding the user identity. 
       var ticket = new AuthenticationTicket(
        new ClaimsPrincipal(identity), 
        new AuthenticationProperties(), 
        context.Options.AuthenticationScheme); 

       // Set the list of scopes granted to the client application. 
       ticket.SetScopes(
        /* openid: */ OpenIdConnectConstants.Scopes.OpenId, 
        /* email: */ OpenIdConnectConstants.Scopes.Email, 
        /* profile: */ OpenIdConnectConstants.Scopes.Profile); 

       // Set the resource servers the access token should be issued for. 
       // ticket.SetResources("resource_server"); 

       context.Validate(ticket); 
      } 
     } 
    } 


} 

我在做什麼錯。我可以把它放在調試模式下，並通過它沒有任何錯誤，它只是500內部服務器錯誤在小提琴手和郵遞員。

Answer 1

這裏是你可能看到異常：

System.InvalidOperationException：一個唯一的標識符無法找到產生一個「子」要求：一定要加上「ClaimTypes.NameIdentifier」要求。

添加一個ClaimTypes.NameIdentifier索賠，它應該工作。