Question

我们已经在其自己域上的节点上运行了一个vueJs spa。

我们已经在另一个域上设置了一个asp.net核心IdentityServer4应用程序。

我们正在尝试使用授权码PKCE流。

我们看了几篇文章，但大多数文章使用相同域上的隐式流或MVC客户端来进行不同的配置。

这是客户端的配置：

import Oidc from 'oidc-client';

   var mgr = new Oidc.UserManager({
     authority: "https://localhost:44363",
     client_id: 'Code Autho',
     redirect_uri: 'http://localhost:8080',
     response_type:'code',
     scope: 'openid profile email api1',  
})

export default mgr;

这是在IdentityServer配置中设计的客户端：

           new Client
            {
                ClientId = "Code Autho",
                ClientName = "Code With PKCE",
                RedirectUris = {
                    Uri.EscapeUriString("http://localhost:8080")
                },
                PostLogoutRedirectUris = {"http://localhost:8080"},
                RequireClientSecret = false,
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,
                AllowedScopes = {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.Email,
                    "api1"
                },
                AllowOfflineAccess = true,
                RefreshTokenUsage = TokenUsage.ReUse
            }

日志：

2019-06-21 11:41:54.396 +02:00 [INF] Starting IdentityServer4 version 2.4.0.0
2019-06-21 11:41:54.407 +02:00 [INF] You are using the in-memory version of the persisted grant store. This will store consent decisions, authorization codes, refresh and reference tokens in memory only. If you are using any of those features in production, you want to switch to a different store implementation.
2019-06-21 11:41:54.412 +02:00 [INF] Using the default authentication scheme Identity.Application for IdentityServer
2019-06-21 11:41:54.412 +02:00 [DBG] Using Identity.Application as default ASP.NET Core scheme for authentication
2019-06-21 11:41:54.412 +02:00 [DBG] Using Identity.External as default ASP.NET Core scheme for sign-in
2019-06-21 11:41:54.412 +02:00 [DBG] Using Identity.External as default ASP.NET Core scheme for sign-out
2019-06-21 11:41:54.412 +02:00 [DBG] Using Identity.Application as default ASP.NET Core scheme for challenge
2019-06-21 11:41:54.413 +02:00 [DBG] Using Identity.Application as default ASP.NET Core scheme for forbid
2019-06-21 11:41:54.757 +02:00 [DBG] CORS request made for path: /.well-known/openid-configuration from origin: http://localhost:8080
2019-06-21 11:41:54.760 +02:00 [DBG] Client list checked and origin: http://localhost:8080 is allowed
2019-06-21 11:41:54.760 +02:00 [DBG] CorsPolicyService allowed origin: http://localhost:8080
2019-06-21 11:41:54.776 +02:00 [DBG] Login Url: /Account/Login
2019-06-21 11:41:54.776 +02:00 [DBG] Login Return Url Parameter: ReturnUrl
2019-06-21 11:41:54.777 +02:00 [DBG] Logout Url: /Account/Logout
2019-06-21 11:41:54.777 +02:00 [DBG] ConsentUrl Url: /consent
2019-06-21 11:41:54.777 +02:00 [DBG] Consent Return Url Parameter: returnUrl
2019-06-21 11:41:54.777 +02:00 [DBG] Error Url: /home/error
2019-06-21 11:41:54.777 +02:00 [DBG] Error Id Parameter: errorId
2019-06-21 11:41:54.799 +02:00 [DBG] Request path /.well-known/openid-configuration matched to endpoint type Discovery
2019-06-21 11:41:54.805 +02:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
2019-06-21 11:41:54.805 +02:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
2019-06-21 11:41:54.807 +02:00 [DBG] Start discovery request
2019-06-21 11:41:54.975 +02:00 [DBG] Request path /connect/authorize matched to endpoint type Authorize
2019-06-21 11:41:54.988 +02:00 [DBG] Endpoint enabled: Authorize, successfully created handler: IdentityServer4.Endpoints.AuthorizeEndpoint
2019-06-21 11:41:54.989 +02:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
2019-06-21 11:41:54.997 +02:00 [DBG] Start authorize request
2019-06-21 11:41:55.010 +02:00 [DBG] No user present in authorize request
2019-06-21 11:41:55.013 +02:00 [DBG] Start authorize request protocol validation
2019-06-21 11:41:55.033 +02:00 [DBG] client configuration validation for client Code Autho succeeded.
2019-06-21 11:41:55.044 +02:00 [DBG] Checking for PKCE parameters
2019-06-21 11:41:55.078 +02:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2019-06-21 11:41:55.094 +02:00 [INF] ValidatedAuthorizeRequest
{"ClientId":"Code Autho","ClientName":"code autho Klanik Code With PKCE","RedirectUri":"http://localhost:8080","AllowedRedirectUris":["http://localhost:8080"],"SubjectId":"anonymous","ResponseType":"code","ResponseMode":"query","GrantType":"authorization_code","RequestedScopes":"openid profile email api1","State":"a53f2786c13d460fa5271652c9871234","UiLocales":null,"Nonce":null,"AuthenticationContextReferenceClasses":null,"DisplayMode":null,"PromptMode":null,"MaxAge":null,"LoginHint":null,"SessionId":null,"Raw":{"client_id":"Code Autho","redirect_uri":"http://localhost:8080","response_type":"code","scope":"openid profile email api1","state":"a53f2786c13d460fa5271652c9871234","code_challenge":"ih1wDabwyipUIsHxQcdi6tCyhOy9pzYyLyWn3A6R_Kw","code_challenge_method":"S256"},"$type":"AuthorizeRequestValidationLog"}
2019-06-21 11:41:55.103 +02:00 [INF] Showing login: User is not authenticated

预期：我们将重定向到http://localhost:8080，并且用户已通过身份验证。（我们在localhost：8080上确实有一个登录组件，需要用户名/密码）。

Answer 1

您错过了要点：带有PKCE的代码是所谓的交互式流程之一，在该流程中，用户代理被重定向到身份提供者登录屏幕以输入凭据。因此，您仍然必须在Identityserver主机上显示登录屏幕。

PKCE的授权流程：“显示登录：用户未通过身份验证”

1 个答案: