Question
I have set up a simple identity server on my development environment, configured like so:
using IdentityServer3.Core.Configuration;
using Owin;
using Serilog;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        Log.Logger = new LoggerConfiguration()
            .MinimumLevel.Verbose()
            .WriteTo.Trace()
            .CreateLogger();

        app.Map("/identity", id =>
        {
            id.UseIdentityServer(new IdentityServerOptions()
            {
                SiteName = "Tomas Services Identity Provider",
                SigningCertificate = CertificateService.Load(),
                Factory = IdentityFactory.Configure("IdServerConn"),
                RequireSsl = false
            });
        });
    }
}
The factory sets up as per the entity framework sample provided by the nice people that wrote the server code.
I then have a client web api site set up to use bearer authentication like so:
using System.Web.Http;
using IdentityServer3.AccessTokenValidation;
using Ninject.Web.Common.OwinHost;
using Ninject.Web.WebApi.OwinHost;
using Owin;
using Serilog;

public class Startup
{
    private const string IdentityServerUrl = "http://localhost/mysite/identity";

    public void Configuration(IAppBuilder app)
    {
        Log.Logger = new LoggerConfiguration()
            .MinimumLevel.Debug()
            .WriteTo.Trace()
            .CreateLogger();

        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions()
        {
            Authority = IdentityServerUrl,
            RequiredScopes = new[] { "my_scope" }
        });

        var config = new HttpConfiguration();
        WebApiConfig.Register(config);
        app.UseNinjectMiddleware(NinjectWebCommon.CreateKernel).UseNinjectWebApi(config);
    }
}
I am then testing this using Fiddler, retrieving an access token and then adding that to the appropriate header in my web API POST.
Now, this was working using IIS express and running under https. I want to change this (for development) to run without SSL. The only changes that have been made were to set RequiresSSL to false in the IDP config and change the URL of the authority in the client. The client is now also running under http rather than under SSL.
I am now consistently getting 401 - unauthorised responses when posting to the web API. I can retrieve an access token without issue, but I am unable to see why my web API site is not authenticating me.
I have logging set up on the identity server site, and I can see calls through to get my access token no problem, but the only further logging I see when I call through the web API is a one-off:
w3wp.exe Information: 0 : 2016-10-17 15:09:58.459 +01:00 [Information] Start discovery request
2016-10-17 15:09:58.460 +01:00 [Debug] Cache miss: CachingScopeStore.allscopes.public
w3wp.exe Information: 0 : 2016-10-17 15:09:58.549 +01:00 [Information] Start key discovery request
Is there any way of getting further logging (for debug purposes) from the UseIdentityServerBearerTokenAuthentication OWIN middleware? I am at a loss here as to why I am not able to connect, particularly as this was working under IIS Express (albeit under SSL).
For posterity, the error I was getting on enabling logging as per @leastprivilege below was:
Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Error: 0 : Authentication failed
System.TypeLoadException: Could not load type 'IdentityModel.Extensions.HashStringExtensions' from assembly 'IdentityModel, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null'.
   at IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider.d__1.MoveNext()
   at System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[TStateMachine](TStateMachine& stateMachine)
   at IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider.ReceiveAsync(AuthenticationTokenReceiveContext context)
   at Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationHandler.d__0.MoveNext()
Please see answer below for details.
Answer 1:
The docs show how to enable logging for token validation (in the API project):
https://identityserver.github.io/Documentation/docsv2/consuming/diagnostics.html
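One way to switch on that logging from code rather than web.config, as an added example that is not the question's code nor taken from the linked docs: the bearer-token middleware is Katana's OAuthBearerAuthenticationMiddleware, which logs through Microsoft.Owin.Logging, so pointing its logger factory at a verbose trace switch makes a failed validation (like the TypeLoadException above) appear in the trace instead of surfacing only as a bare 401. Assumptions: Microsoft.Owin's DiagnosticsLoggerFactory(SourceSwitch, TraceListener) constructor and its default "Microsoft.Owin" switch name, and the file name owin-trace.log.

```csharp
// Added example, not the question's code: route Katana middleware logging to a
// verbose System.Diagnostics trace so bearer-token validation failures are visible.
using System.Diagnostics;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin.Logging;
using Owin;

public class Startup
{
    // Authority value taken from the question.
    private const string IdentityServerUrl = "http://localhost/mysite/identity";

    public void Configuration(IAppBuilder app)
    {
        // Katana's DiagnosticsLoggerFactory gates every middleware TraceSource on a
        // SourceSwitch named "Microsoft.Owin" (assumed default); raise it to Verbose.
        var owinSwitch = new SourceSwitch("Microsoft.Owin") { Level = SourceLevels.Verbose };

        // Listener is assumed: a plain text file next to the site. Keep this
        // development-only; verbose auth traces belong in a controlled log sink.
        var listener = new TextWriterTraceListener("owin-trace.log", "owinTraceFile");
        Trace.AutoFlush = true;

        // Must be set before the middleware is added so it picks up this factory.
        app.SetLoggerFactory(new DiagnosticsLoggerFactory(owinSwitch, listener));

        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = IdentityServerUrl,
            RequiredScopes = new[] { "my_scope" }
        });

        // Web API / Ninject registration continues as in the question.
    }
}
```

The same effect can be had declaratively with a `<system.diagnostics>` section in web.config that sets the `Microsoft.Owin` switch and adds a listener; the entries then carry the middleware type as their source name, exactly as in the error line quoted in the question.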
Answer 2:
And so, having figured out the actual error, this is entirely my fault. Despite reading the very clear documentation and examples, I had referenced the wrong 'IdentityModel' nuget package for my solution.
As I am using 'older' .NET, I should not have used IdentityModel2 (i.e. v2.0.0.0 of the IdentityModel NuGet package). Downgrading to v1.13 has solved this issue and my solution is now working as expected.
Source: https://stackoverflow.com/questions/40089138/identity-server-bearer-token-authentication-how-to-trace-failed-authorizatio