发表新帖
发表新帖

The audience is invalid error

前端 未结
关注
2 596
半阙折子戏
半阙折子戏 2021-02-05 08:09

I have 3 projects 1- Javascript SPA 2- Web API Project, 3- IdentityServer with EF Core

I started debugging API and Identity Server and successfully get the jwt token but

2条回答
  • 情歌与酒
    情歌与酒 (楼主)
    2021-02-05 08:35

    To avoid the error, audience should be consistently added in 4 places

    1.In My (e.g. MVC) client as custom Scope.
    2. In API application as ApiName
    3.In IdentityServer Clients configuration as AllowedScope
    4.In API Resourcesconfiguration as ApiResource

    See details ( previously available in IdentityServer4 wiki):

    When configuring a new API connection in identityServer4, you can get an error:

    WWW-Authenticate: Bearer error="invalid_token", 
error_description="The audience is invalid"

    To avoid the error, Audience should be consistently added in 4 places

    1.In My (e.g. MVC) client as custom Scope :

    app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    Authority = Configuration["IdpAuthorityAddress"],
    ClientId = "my_web_ui_id",
  Scope = { "openid", "profile", "offline_access", "MyApi" },               

//other properties removed for brevity...
});

    2.In API application as ApiName

      var identityServerAuthenticationOptions = new IdentityServerAuthenticationOptions()//Microsoft.AspNetCore.Builder.IdentityServerAuthenticationOptions
        {
            Authority = Configuration["Authentication:IdentityServer:Authority"],
            RequireHttpsMetadata = false,

            EnableCaching = false,

            ApiName = "MyApi",
            ApiSecret = "MyApiSecret"
        };

    1. In IdentityServer \IdentityServerHost\Configuration\Clients.cs (or corresponding Clients entry in the database) 

      var client = new Client
{
    ClientId = clientId,  
    //other properties removed for brevity...   
    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        //IdentityServerConstants.StandardScopes.Email,
        IdentityServerConstants.StandardScopes.OfflineAccess,
        "MyApi",
      },
};

    4.In IdentityServer \IdentityServerHost\Configuration\Resources.cs (or corresponding ApiResource entry in the database) as apiResource.Scopes

     var apiResource = new ApiResource
        {
            Name = "MyApi",
            ApiSecrets =
            { 
                new Secret("MyApiSecret".Sha256())
            },
            UserClaims =
            {
                JwtClaimTypes.Name,
                JwtClaimTypes.Profile,

            },
        };

    0 讨论(0)
 看不清?
提交回复
热议问题