1. 技术文章
  2. Thinktecture Identity server v3 Google provider

Thinktecture Identity server v3 Google provider

心已入冬 提交于 2019-12-06 23:28:53

问题


I am getting issue while integration external provider i.e Google with Thinktecture identity server v3 .I am getting following error: "The client application is not known or is not authorized." Do any one have any idea about this error.


回答1:


@Whoever, it looks like you have a mismatch on the RedirectUri values in the client and server.

The RedirectUri property in the client startup defines the URI that will be called called after authentication by the identity server. The RedirectUris in the server config defines the listed of allowed URIs that can request authentication. The client startup RedirectUri must therefore be included in the server's RedirectUris list.

Looks like your client's RedirectUri is currently pointing at the server's URI. Is your client running on port 46289? If so, try changing the value of RedirectUri property in the client startup to https://localhost:46289. You might also want to try modifying the server's redirectUris value to use https rather than http, assuming that your client really is accessible over https.

Server client store:

public static IEnumerable<Client> Get() 
{
    return new[] {
         new Client {
             Enabled = true,
             ClientName = "MVC Client",
             ClientId = "mvc",
             Flow = Flows.Implicit,

             RedirectUris = new List<string>{
                 "https://localhost:46289/"  // client home url

Client startup:

public void Configuration(IAppBuilder app)
{
    ConfigureAuth(app);
    app.UseCookieAuthentication(new CookieAuthenticationOptions {
        AuthenticationType = "Cookies"        
    });

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions {
            Authority = "https://localhost:44300/identity",
            ClientId = "mvc",
            RedirectUri = "https://localhost:46289/", //must be in server's Client.RedirectUris
            ResponseType = "id_token",

            SignInAsAuthenticationType = "Cookies"
    });



回答2:


I had this problem. The RedirectUris entry in the servers almost matched the RedirectUri in the client Startup.Configuration; all but for the trailing slash.

https://localhost:46289/

is not the same as

https://localhost:46289

When I added the slash, my login page appeared.




回答3:


I've been working through the same issue but just authenticating against Identity Server (Google is next to tackle on my list). I saw the issue because the Scopes for the client weren't setup on both the Mvc and Server. To resolve the issue I added the Scopes into the Startup class (of the Mvc client) as follows:

    public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://localhost:44301",
            Scope = "openid profile email roles",
            ClientId = "mvc",
            RedirectUri = "https://localhost:44300/",
            ResponseType = "id_token",

            SignInAsAuthenticationType = "Cookies"
        });

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });
    }
}

..and also in the server's list of clients:

    public static class Clients
{
    public static IEnumerable<Client> Get()
    {
        return new[]
        {
            new Client
            {
                Enabled = true,
                ClientName = "MVC Client",
                ClientId = "mvc",
                Flow = Flows.Implicit,
                RequireConsent = true,
                RedirectUris = new List<string>
                {
                    "https://localhost:44300/"
                },
                PostLogoutRedirectUris = new List<string>
                {
                    "https://localhost:44300/"
                },
                AllowedScopes = new List<string> {
                    Constants.StandardScopes.OpenId,
                    Constants.StandardScopes.Profile,
                    Constants.StandardScopes.Email,
                    Constants.StandardScopes.Roles
                }
            }
        };
    }
}

In relation to the OP's question with Google, it may be worth checking your scopes correlate with those supported by your app setup within the Google Developer Console too. There's a good SO post on supported scopes at Where can I find a list of scopes for Google's OAuth 2.0 API?

Hope that helps :)




回答4:


Looks like client(application in which you want to have a possibility to log in with Google) is not registered in the client store. Could you, please, show your Startup Configuration?




回答5:


In my case, I was not careful and was changing the values in Startup.cs under UseOpenIdConnectAuthentication (which are what the integrated web application uses to connect to itself) when I should have been changing the values in Clients.Get(), which are the allowed clients that the server has configured.

Once I fixed those, I was able to separate client and server into two applications with only some NuGet packages and UseCookieAuthentication/UseOpenIdConnectAuthentication in the client application.

You can get the error if the client is not enabled, redirect uri does not match one in the list (uses non case-sensitive exact match), if the scopes requested are not in the allowed scope list, if the flow requested does not match what is allowed (you can only have one per client) and/or if the client ids do not match.



来源:https://stackoverflow.com/questions/28396906/thinktecture-identity-server-v3-google-provider

标签
thinktecture-ident-server
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!