问题
Given:
IdentityServer v3 JavaSCript Client Asp Core Api Client
The JavaScript client authenticates with the identityserver and makes a request with a bearer token to the api
the api is configured to use ressource owner workflow
Problem: Now I get:
Audiences: 'http://localhost/identity/resources'. Did not match: validationParameters.ValidAudience: 'MyApi' or validationParameters.ValidAudiences: 'null'
Obiviously Audiance doesn't match. what am I missing?
Config
ApiClient in Identity server:
return new Client
{
Enabled = true,
ClientId = "MyApi",
ClientName = "The client for the Groupl Api",
ClientSecrets = new List<Secret>
{
new Secret("foo".Sha256())
},
Flow = Flows.ResourceOwner,
AllowedScopes = ClientConstants.AllowedGrouplScopes()
};
In the api to connect to identity server:
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
var authority = config["identity:authority:url"];
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
Authority = authority,
RequireHttpsMetadata = false,
EnableCaching = false,
ApiName = "myApi", //Correct that this is the client id?
ApiSecret = "foo"
});
Here the request (Access_token omitted)
GET /api/values HTTP/1.1
Host: localhost:59364
Content-Type: application/json
Authorization: Bearer {access_token}
Update
when I set LegacyAudienceValidation = true, everything works fine, but i'm not sure how to handle this correctly?
回答1:
Reason is that authentication behavior changed. IdentityServer 3 didn't support multiple audiences. Identityserver 4 does. So for the old handling LegacyAudienceValidation has to be set to true
来源:https://stackoverflow.com/questions/42670034/net-core-client-doesnt-authenticate-with-identityserver-v3-offset-in-audienc