配置 ASP.Net Core 以使用 OIDC 对 Thinktecture V2 进行身份验证答案

【问题标题】：Configuring ASP.Net Core to authenticate using OIDC against Thinktecture V2配置 ASP.Net Core 以使用 OIDC 对 Thinktecture V2 进行身份验证
【发布时间】：2017-01-20 05:07:45
【问题描述】：

我正在尝试让 ASP.Net Core 使用 OpenID Connect 对 Thinktecture V2 进行身份验证（我们目前需要 WS-Trust，因此无法升级）。

我的配置如下

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        X509Store certStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        certStore.Open(OpenFlags.ReadOnly);

        var cert = certStore.Certificates.Find(X509FindType.FindByThumbprint, "CertThumbprint", false);

        app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
        {
            RequireHttpsMetadata = false,
            ClientId = _config["OpenID:ClientId"],
            ClientSecret = _config["OpenID:ClientSecret"],
            Authority = _config["OpenID:Authority"],
            ResponseType = OpenIdConnectResponseType.Code,
            PostLogoutRedirectUri = _config["OpenID:PostLogoutRedirectUri"],
            SignInScheme = "Cookies",
            CallbackPath = "/signin-oidc",
            TokenValidationParameters = new TokenValidationParameters()
            {
                IssuerSigningKey = new X509SecurityKey(cert[0]),                                 
            },
            Configuration = new OpenIdConnectConfiguration
            {

                Issuer = "https://identityserver/IdentityServer/issue",
                AuthorizationEndpoint = "https://identityserver/IdentityServer/issue/oidc/authorize",
                TokenEndpoint = "https://identityserver/IdentityServer/issue/oidc/token",
                UserInfoEndpoint = "https://identityserver/IdentityServer/issue/oidc/userinfo",

            }
        });

config.json

"OpenID": {
"ClientId": "Test",
"ClientSecret": "{6DD502AB-2AB1-4028-BD4A-85C91790EC7B}",
"Authority": "https://identityserver/IdentityServer/issue/oidc",
"PostLogoutRedirectUri": "https://localhost:44353/" }

当我尝试进行身份验证时，出现以下异常：

HttpRequestException：响应状态码不表示成功：400（错误请求）。

thinktectureIdentityServer.svclog 的踪迹是

如果有人能提供任何帮助，将不胜感激。

【问题讨论】：

标签： asp.net-core openid-connect thinktecture-ident-server thinktecture asp.net-core-middleware

【解决方案1】：

通过处理 OnAuthorizationCodeReceivedEvent 并手动处理代码赎回，我已经克服了上述错误，其中我添加了一个 Basic Authorization 标头来授权客户端。

new OpenIdConnectOptions
{
    ...

    Events = new OpenIdConnectEvents
    {
       OnAuthorizationCodeReceived = async context =>
       {
           context.HandleCodeRedemption();

           var requestMessage = new HttpRequestMessage(HttpMethod.Post, context.Options.Configuration.TokenEndpoint);

           requestMessage.Content = new FormUrlEncodedContent(context.TokenEndpointRequest.Parameters);

           var authString = string.Format("{0}", Convert.ToBase64String(Encoding.ASCII.GetBytes(_config["OpenID:ClientId"] + ":" + _config["OpenID:ClientSecret"])));

           requestMessage.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Basic", authString);

           var responseMessage = await context.Backchannel.SendAsync(requestMessage);

           responseMessage.EnsureSuccessStatusCode();
           var tokenResonse = await responseMessage.Content.ReadAsStringAsync();
           var jsonTokenResponse = JObject.Parse(tokenResonse);
           context.TokenEndpointResponse = new OpenIdConnectMessage(jsonTokenResponse);
       }
    }

    ...

});

为了进行最终调用以检索 UserInfo，我必须更改身份服务器以在响应中包含与 Id 令牌中的主题匹配的主题。这涉及更新 UserInfoController 以在 Get 方法中添加声明。

【讨论】：