ASOS - Token validation is not working when having separate authorization server and the resource server

时光总嘲笑我的痴心妄想 submitted on 2021-02-10 06:24:15

Question


I'm trying to implement an OpenID Connect server (resource owner password credentials grant) with ASOS, following this post. Everything works fine when I have both the authorization server and the resource server in one app. But when I split them into two apps (still on one machine), the resource server fails to validate the token and returns "The access token is not valid."

I downloaded the source code of AspNet.Security.OAuth.Validation to investigate the issue, and it returns null here.

Here are some logs from the authorization server:


    info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
          Request starting HTTP/1.1 POST http://localhost:5000/connect/token application/x-www-form-urlencoded; charset=UTF-8 77
    info: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          The token request was successfully extracted from the HTTP request: {
            "grant_type": "password",
            "username": "UserLogin",
            "password": "[removed for security reasons]",
            "scope": "offline_access"
          }.
    info: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          The token request was successfully validated.
    trce: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          A sign-in operation was triggered: sub: 123, username: UserLogin ; [.scopes, ["email","profile","offline_access"]], [.resources, ["resource_server"]].
    dbug: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[37]
          Reading data from file 'C:\Users\User1\AppData\Local\ASP.NET\DataProtection-Keys\key-********-****-****-****-64bb57db1c3b.xml'.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[18]
          Found key {********-****-****-****-64bb57db1c3b}.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[13]
          Considering key {********-****-****-****-64bb57db1c3b} with expiration date 2017-09-27 16:44:49Z as default key.
    dbug: Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlDecryptor[51]
          Decrypting secret element using Windows DPAPI.
    dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor[4]
          Opening CNG algorithm 'AES' from provider '(null)' with chaining mode CBC.
    dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor[3]
          Opening CNG algorithm 'SHA256' from provider '(null)' with HMAC.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider[2]
          Using key {********-****-****-****-64bb57db1c3b} as the default key.
    trce: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector[31]
          Performing protect operation to key {********-****-****-****-64bb57db1c3b} with purposes ('C:\Users\User1\documents\visual studio 2017\Projects\OpenIdDictSample\Aka.OpenIdConnectServer', 'OpenIdConnectServerHandler', 'AccessTokenFormat', 'ASOS').
    trce: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          A new access token was successfully generated using the specified data format: CfDJ8NSKICBGwihOm75ku1fbHDtG4usEbfF-mLGaJcGGFEPQJLb36rfHqCTJ3Clu_SCBRHlaZ_B7s3pxNfUqS9fPfjtjjEH1KKmkiV6gvakRYf0Iof32BVddUUPgd7sEDrB0fET91pIDJT9WwsPx653viw5tFyvrztsSD5CYAOQZjm1werRcVPuvwRhXUQb_9Vbba52tqj8y7WbOjk78Hl17knbwSz4C70vwlRU5pL_Bp41R4vEEKwtm_VMQ_u1kSBKM5KjOh6OKdbDJ9jOhyh4RpNbvGN25ZskzByi8ndKRW3dmajWYyf-0cj6-4MEE5Hocd47te8C-haYIxEUb7tcQ-JTItknIiE1sk6W7zHlhLg3nprE2Ct4mvKi11G7Kvd1W4u-UmEvL1NesjVFNKpNJVdEaK2I8mcNzJLU69ZnM4poRrLqEqD__cHa8nCFgPtE9L0Jyo6IyFwc7NZ2sXz7y7lPfJ9Q3Pu1W_t0lOGBte5uKHfJZpiOYaqKrAwdJSpULLK52iKoCNhRYxOSdq__DNJs ; sub: 123, username: UserLogin ; [.scopes, ["email","profile","offline_access"]], [.resources, ["resource_server"]], [.issued, Fri, 30 Jun 2017 09:13:29 GMT], [.expires, Fri, 30 Jun 2017 10:13:29 GMT], [.token_id, e27cbb46-d1ea-4576-8803-dddc001b3fc8], [.audiences, ["resource_server"]].
    trce: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector[31]
          Performing protect operation to key {********-****-****-****-64bb57db1c3b} with purposes ('C:\Users\User1\documents\visual studio 2017\Projects\OpenIdDictSample\Aka.OpenIdConnectServer', 'OpenIdConnectServerHandler', 'RefreshTokenFormat', 'ASOS').
    trce: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          A new refresh token was successfully generated using the specified data format: CfDJ8NSKICBGwihOm75ku1fbHDtcKlYz_IbJiNmiW_tfu19E7p5BIO9xE0b2qu8mYWw-zD7wCWB1F5Fx548L4FARrsJwlJls1AkK2GrqXjV0krH6me_btsSAxM9trrFCUL2ZrXkm2sStZ6DUcbf_cSNFh-YxXft-gbLGV11THAINTb8K9-v_fkeXq7aN8Qgu7zJfhON1ehflLwZ-DXZwW_S9assqx8f7oe-n5gTzOO6PjEyO5g0YMJ1SY7X-sMO1MKjn03vZxPB0ecT0l8NXB89vGhW7kZnoEaL1NwmSTiEOYMatwrkURPBgb2YLnpiu7sYAD04HxsicoLaQTDbc8ZJyWUJ7guLl6Mp2HLhZG_wLQM9REC_QeZX8eDn8aqSOiGKZeLF4G7A5y369VIZ0RPASdTpEsAHSE8ws0RB18jap-75bM_aAi3w3-PlfnY7ySnDYm3xkF1ImyBcph2XF6R8-imdAXhQG-tTAYd2FKw4msaWCPcnX5CxYlo-alVYpd878haDvo43fCvbd2_Dc2O1wI98 ; sub: 123, username: UserLogin ; [.scopes, ["email","profile","offline_access"]], [.resources, ["resource_server"]], [.issued, Fri, 30 Jun 2017 09:13:29 GMT], [.expires, Fri, 14 Jul 2017 09:13:29 GMT], [.token_id, c0cf40ad-cd47-4c82-9e37-6943cda95ffc].
    info: AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware[0]
          The token response was successfully returned: {
            "resource": "resource_server",
            "scope": "email profile offline_access",
            "token_type": "Bearer",
            "access_token": "[removed for security reasons]",
            "expires_in": 3600,
            "refresh_token": "[removed for security reasons]"
          }.

Here are some logs from the resource server:


    info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
          Request starting HTTP/1.1 GET http://localhost:5001/api/values
    trce: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector[5]
          Performing unprotect operation to key {********-****-****-****-64bb57db1c3b} with purposes ('C:\Users\User1\documents\visual studio 2017\Projects\OpenIdDictSample\Aka.WebApi', 'OpenIdConnectServerHandler', 'AccessTokenFormat', 'ASOS').
    dbug: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[37]
          Reading data from file 'C:\Users\User1\AppData\Local\ASP.NET\DataProtection-Keys\key-********-****-****-****-64bb57db1c3b.xml'.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[18]
          Found key {********-****-****-****-64bb57db1c3b}.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[13]
          Considering key {********-****-****-****-64bb57db1c3b} with expiration date 2017-09-27 16:44:49Z as default key.
    dbug: Microsoft.AspNetCore.DataProtection.XmlEncryption.DpapiXmlDecryptor[51]
          Decrypting secret element using Windows DPAPI.
    dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor[4]
          Opening CNG algorithm 'AES' from provider '(null)' with chaining mode CBC.
    dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.CngCbcAuthenticatedEncryptorDescriptor[3]
          Opening CNG algorithm 'SHA256' from provider '(null)' with HMAC.
    dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider[2]
          Using key {********-****-****-****-64bb57db1c3b} as the default key.
    info: AspNet.Security.OAuth.Validation.OAuthValidationMiddleware[7]
          Bearer was not authenticated. Failure message: Authentication failed because the access token was invalid.

1) What is wrong with my resource server?

2) How do I configure the resource server on a different machine (especially token signing/checking and encryption/decryption)?


Answer 1:


How do I configure the resource server on a different machine (especially token signing/checking and encryption/decryption)?

You need to make sure the key ring (containing the master keys that are derived by ASP.NET Core Data Protection to create encryption and validation keys) is correctly synchronized and shared by both your authorization server and your resource server(s). The procedure is described here: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview.

Here's an example of how it could be done using a shared folder:

public void ConfigureServices(IServiceCollection services)
{
    // Both apps point at the same key ring folder (a UNC share both machines can read and write).
    services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"));
}

You'll also need to configure the two applications to use the same "application discriminator":

public void ConfigureServices(IServiceCollection services)
{
    // Same shared key ring as above, plus an explicit application name that must be
    // identical in the authorization server and in every resource server.
    services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"))
        .SetApplicationName("Your application name");
}
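The following console program is an added example, not code from the question or the answer. It reproduces the failure visible in the question's logs: both apps read the same key file, but the purposes chain that ASP.NET Core Data Protection derives the subkey from begins with the application discriminator, which defaults to each app's content root path ('...\Aka.OpenIdConnectServer' versus '...\Aka.WebApi' in the logs), so the resource server cannot unprotect a token the authorization server produced. It assumes the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection NuGet packages; the application names, the temp directory standing in for the shared folder, and the token payload are hypothetical stand-ins chosen for the demonstration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// Added example (not the question's or the answer's code): shows why a shared key
// ring alone is not enough and why SetApplicationName fixes the cross-app failure.
public static class SharedKeyRingDemo
{
    // The purposes ASOS uses for access tokens, taken from the question's
    // "Performing protect operation ... with purposes (...)" log lines. Data
    // Protection prepends the application discriminator to this list itself.
    private static readonly string[] AccessTokenPurposes =
        { "OpenIdConnectServerHandler", "AccessTokenFormat", "ASOS" };

    // Mirrors what ConfigureServices does in each app: the same shared key folder,
    // plus an explicit application name when one is given. In a hosted ASP.NET Core
    // app the discriminator otherwise falls back to the content root path.
    public static IDataProtectionProvider BuildProvider(string keyDir, string appName)
    {
        var services = new ServiceCollection();
        var builder = services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo(keyDir));
        if (!string.IsNullOrEmpty(appName))
        {
            builder.SetApplicationName(appName);
        }
        return services.BuildServiceProvider().GetRequiredService<IDataProtectionProvider>();
    }

    // Protects a payload as the authorization server would and tries to unprotect it
    // as the resource server would. Returns true only if the resource server can read it.
    public static bool ResourceServerCanReadToken(string keyDir, string authServerAppName, string resourceServerAppName)
    {
        var authServer = BuildProvider(keyDir, authServerAppName).CreateProtector(AccessTokenPurposes);
        var resourceServer = BuildProvider(keyDir, resourceServerAppName).CreateProtector(AccessTokenPurposes);

        // Constructed stand-in for the serialized authentication ticket ASOS protects.
        const string payload = "sub=123;aud=resource_server";
        string token = authServer.Protect(payload);
        try
        {
            return resourceServer.Unprotect(token) == payload;
        }
        catch (CryptographicException)
        {
            // The validation middleware catches this and reports the token as invalid.
            return false;
        }
    }

    public static void Main()
    {
        // Hypothetical shared folder: a temp directory stands in for \\server\share\directory\.
        string keyDir = Path.Combine(Path.GetTempPath(), "asos-shared-keys-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(keyDir);

        // 1) Per-app discriminators, as in the question's logs: the same key ring is
        //    found by both sides, yet the resource server cannot read the token.
        Console.WriteLine("per-app discriminators, token readable: " +
            ResourceServerCanReadToken(keyDir, "Aka.OpenIdConnectServer", "Aka.WebApi"));

        // 2) One application name shared by both apps, as the answer recommends.
        Console.WriteLine("shared application name, token readable: " +
            ResourceServerCanReadToken(keyDir, "MyOpenIdConnectApp", "MyOpenIdConnectApp"));
    }
}
```

The first call fails for the same reason as the question's resource server, the second succeeds, and nothing else changed: the key file in keyDir is identical in both cases. Two caveats for the multi-machine setup in question 2: the logs show the key material being decrypted with Windows DPAPI, which is bound to the user and machine that created it, so a key ring another machine must read has to be protected some other way (for example ProtectKeysWithCertificate with a certificate both machines hold); and when keys are persisted to a non-default folder without any ProtectKeysWith* call, Data Protection writes the master key unencrypted, so the share's ACLs are then the only thing guarding the key that signs and encrypts every access and refresh token.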


Source: https://stackoverflow.com/questions/44844139/asos-token-validation-is-not-working-when-having-separate-authorization-server
