eShopOnContainers
Upgrade identityserver4 to 4.1.1
Upgrade IdentityServer4 to 4.1.1 and update the database context migration file. After my testing it works normally.
"Sorry, there was an error : invalid_scope" while trying to authorize a swagger project
Identity Logs (here I take basket but it is the same for the other projects):
[23:43:37 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
[23:43:37 ERR] Scope basket not found in store.
[23:43:37 ERR] Request validation failed
Hi @GreenShadeZhang , thank you for submitting this PR.
Did a quick test in local and could see following error for the WebSPA and WebMVC. Could you please check at your end ?
WebSPA
WebMVC
Thank you @HighRobot42 for pointing it out.
IdentityServer4 mainly uses ApiScope, so once I initialized the ApiScope the invalid_scope error disappeared. The invalid_request was because the MVC client's RequirePkce default value was true, but the MVC redirect to the login page did not carry the required parameters; when I set it to false, the request was normal. But I'm not sure whether the MVC project matches the authentication service, and I may need to modify the MVC project if necessary.
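The "required parameters" the comment above refers to are the PKCE values (code_challenge and code_challenge_method) that a client with RequirePkce = true must send on /connect/authorize and the matching code_verifier it must send to the token endpoint. The following is an added illustration, not code from this PR or from eShopOnContainers, of how a public client derives those values (RFC 7636, S256 method), what the authorize request then looks like, and the comparison the server performs. The authority, client id and redirect URI passed in are placeholders.

```csharp
// Added example (not from the PR): PKCE parameter generation and verification.
using System;
using System.Security.Cryptography;
using System.Text;

public static class Pkce
{
    // RFC 7636 section 4.1: code_verifier is 43..128 unreserved characters.
    // 32 random bytes base64url-encoded gives a 43-character verifier.
    public static string CreateVerifier()
    {
        var bytes = new byte[32];
        RandomNumberGenerator.Fill(bytes);
        return Base64UrlEncode(bytes);
    }

    // RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    public static string CreateChallenge(string verifier)
    {
        using var sha = SHA256.Create();
        return Base64UrlEncode(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier)));
    }

    // The authorize request a client must send when the server has RequirePkce = true.
    // Without code_challenge/code_challenge_method IdentityServer4 rejects it with invalid_request.
    public static string BuildAuthorizeUrl(string authority, string clientId, string redirectUri,
                                          string scope, string codeChallenge, string state)
    {
        return $"{authority.TrimEnd('/')}/connect/authorize"
             + $"?client_id={Uri.EscapeDataString(clientId)}"
             + "&response_type=code"
             + $"&scope={Uri.EscapeDataString(scope)}"
             + $"&redirect_uri={Uri.EscapeDataString(redirectUri)}"
             + $"&state={Uri.EscapeDataString(state)}"
             + $"&code_challenge={codeChallenge}"
             + "&code_challenge_method=S256";
    }

    // Server side, at the token endpoint: recompute the challenge from the presented
    // code_verifier and compare it with the one stored alongside the authorization code.
    // A constant-time comparison avoids leaking how many leading bytes matched.
    public static bool VerifyChallenge(string storedChallenge, string presentedVerifier)
    {
        var expected = Encoding.ASCII.GetBytes(CreateChallenge(presentedVerifier));
        var stored = Encoding.ASCII.GetBytes(storedChallenge);
        return CryptographicOperations.FixedTimeEquals(expected, stored);
    }

    // base64url: standard base64 without padding, with '+' -> '-' and '/' -> '_'.
    private static string Base64UrlEncode(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        // Placeholder values; the real client id and URLs come from the eShop configuration.
        var verifier = CreateVerifier();
        var challenge = CreateChallenge(verifier);
        Console.WriteLine(BuildAuthorizeUrl("http://localhost:5105", "mvc",
            "http://localhost:5100/signin-oidc", "openid profile basket", challenge, "abc123"));
        Console.WriteLine(VerifyChallenge(challenge, verifier));           // True
        Console.WriteLine(VerifyChallenge(challenge, CreateVerifier()));   // False
    }
}
```

Turning PKCE off on the client configuration, as the comment describes, removes the binding between the authorization code and the party that started the flow; the alternative is to keep RequirePkce = true and have the MVC client send the two parameters above, which the ASP.NET Core OpenID Connect handler does when its PKCE support is enabled.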
You can test with the latest code.
I can't get the authorization within the basket swagger ui with your solution. After login, it does not redirect me to the consent html page. Controllers return 401.
Can you provide specific information? For example, which client id you used for the test, or provide me with a link to sample code for testing.
I have just added the property RequireConsent = true to the swagger clients in Config.cs. The default value of this property in the Client class has switched from true to false with the recent update. Otherwise the solution remains the same as yours, and when I try a basket controller I get "www-authenticate: Bearer error="invalid_token", error_description="The audience 'empty' is invalid"".
I finally solved it this way:
In basket client config (Config.cs in Identity solution) I have set the three following properties:
RequireConsent = true, IncludeJwtId = false, RequirePkce = false,
Helped by this post from Stackoverflow https://stackoverflow.com/questions/61814688/how-to-add-an-aud-claim-to-access-token
I have updated the basket Startup.cs with the following lines (property TokenValidationParameters)
```csharp
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

private void ConfigureAuthService(IServiceCollection services)
{
    // prevent from mapping "sub" claim to nameidentifier.
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("sub");

    var identityUrl = Configuration.GetValue<string>("IdentityUrl");

    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(options =>
    {
        options.Authority = identityUrl;
        options.RequireHttpsMetadata = false;
        options.Audience = "basket";
        // ValidateAudience = false switches the "aud" check off entirely, so the
        // Audience value above is not enforced and a token issued for any other
        // API of the same issuer is accepted by this service.
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateAudience = false
        };
    });
}
```
Controllers now return 200 for the basket swagger ui. Let me know what you think about my modifications. The above parameters also have to be updated the same way in the other solutions.
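The "audience 'empty'" error and the ValidateAudience = false workaround in the comment above both come from the same cause: in IdentityServer4 4.x the aud claim is only emitted for an ApiResource that lists the requested scope, and a scope that exists only as an ApiScope produces no audience at all. The block below is an added example, not the project's Config.cs and not code from this PR, of the 4.x resource model that gets aud = "basket" into the token so the basket API can keep audience validation on; it also keeps PKCE and consent on for the Swagger client. The client id, display names, redirect URI paths and the clientsUrl keys are assumptions for illustration.

```csharp
// Added example (not eShopOnContainers' own Config.cs): IdentityServer4 4.x
// scope/resource/client setup for the basket API.
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

public static class IdentityConfig
{
    // 4.x validates requested scopes against ApiScopes. Without this entry the
    // authorize endpoint logs "Scope basket not found in store" -> invalid_scope.
    public static IEnumerable<ApiScope> GetApiScopes() =>
        new List<ApiScope>
        {
            new ApiScope("basket", "Basket Service"),
        };

    // The ApiResource is what puts "aud" into the access token. In 4.x it is no
    // longer created implicitly from a scope; it must list the scopes it covers.
    public static IEnumerable<ApiResource> GetApiResources() =>
        new List<ApiResource>
        {
            new ApiResource("basket", "Basket Service")
            {
                Scopes = { "basket" }   // requesting scope "basket" now yields aud = "basket"
            },
        };

    // clientsUrl["BasketApi"] is an assumed key holding the basket API base URL.
    public static IEnumerable<Client> GetClients(IDictionary<string, string> clientsUrl) =>
        new List<Client>
        {
            new Client
            {
                ClientId = "basketswaggerui",              // assumed client id
                ClientName = "Basket Swagger UI",
                AllowedGrantTypes = GrantTypes.Code,       // authorization code, not implicit
                RequirePkce = true,                        // 4.x default; keep it for a browser client
                RequireClientSecret = false,               // Swagger UI runs in the browser, cannot hold a secret
                RequireConsent = true,                     // default flipped to false in 4.x; opt in explicitly
                AllowedScopes = { "basket" },
                RedirectUris = { $"{clientsUrl["BasketApi"]}/swagger/oauth2-redirect.html" },
                PostLogoutRedirectUris = { $"{clientsUrl["BasketApi"]}/swagger/" },
            },
        };

    // Registration in the Identity project's Startup. AddInMemoryApiScopes is new in 4.x
    // and is required in addition to AddInMemoryApiResources.
    public static void AddIdentity(IServiceCollection services, IDictionary<string, string> clientsUrl)
    {
        services.AddIdentityServer()
            .AddInMemoryIdentityResources(new IdentityResource[] { new IdentityResources.OpenId(), new IdentityResources.Profile() })
            .AddInMemoryApiScopes(GetApiScopes())
            .AddInMemoryApiResources(GetApiResources())
            .AddInMemoryClients(GetClients(clientsUrl))
            .AddDeveloperSigningCredential();   // dev only; production uses a real signing key
    }
}
```

With this in place the basket API's JwtBearer options can keep options.Audience = "basket" and drop the ValidateAudience = false override, so a token issued for, say, the ordering API is rejected by the basket service rather than accepted.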
I feel that your configuration can be simplified. The configuration in the IdentityServer4.x demo is relatively simple, and you should use the implicit mode to configure swagger. You can refer to the official demo.
https://github.com/IdentityServer/IdentityServer4/tree/main/samples/Quickstarts
All right, but have you tested your own solution? They have changed some default values in the Client class that you have not taken into account. I'm not really sure I understand your point, btw.
IdentityServer3 and IdentityServer4 are a bit different, so some projects need to adjust the way authentication is used. I adjusted WebMVC so that it functions normally; the other clients also need corresponding adjustments, which must be tested and modified per project. I dealt with the main conflict, and the overall project should be able to run. I hope the branch can be merged after testing and then developed further, to ensure the integrity of the whole.
Can this pr be merged?
IdentityServer4 has been upgraded to Duende IdentityServer 6.2 via PR: https://github.com/dotnet-architecture/eShopOnContainers/pull/2012. This PR can be closed now.