
Identity Server 3 - invalid_scope

我用 Identity Server 3 實施了 AuthorizationCode 流程；登入時，我得到一個 invalid_scope 例外。

這裏是我的客戶:

new Client 
{ 
    // Confidential web client that signs in through the authorization code flow.
    ClientId = "webapplication", 
    ClientName = "Web Application", 
    Enabled = true, 
    Flow = Flows.AuthorizationCode, 

    // Only the SHA-256 hash of the secret is kept here; the web app presents the
    // plain secret to the token endpoint when it redeems the code.
    ClientSecrets = new List<Secret> { new Secret("webappsecret".Sha256()) }, 

    // Callback and post-logout targets are both the web application root.
    RedirectUris = new List<string> { UrlManager.WebApplication }, 
    PostLogoutRedirectUris = new List<string> { UrlManager.WebApplication }, 

    // Scopes this client is allowed to request. offline_access is what lets the
    // token endpoint hand out a refresh token; the scope must also exist in the
    // server's scope store, or the authorize request is rejected with invalid_scope.
    AllowedScopes = new List<string> 
    { 
        Constants.StandardScopes.OpenId, 
        Constants.StandardScopes.Profile, 
        Constants.StandardScopes.Email, 
        Constants.StandardScopes.Roles, 
        Constants.StandardScopes.OfflineAccess, 
    } 
} 

這裏是我的啓動:

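app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions 
{ 
    Authority = UrlManager.AuthenticationService + "identity", 

    ClientId = "webapplication", 
    // offline_access has to be registered in the server's scope store as well as in
    // the client's AllowedScopes; otherwise the authorize request fails with invalid_scope.
    Scope = "openid profile offline_access", 
    ResponseType = "code", 
    RedirectUri = UrlManager.WebApplication, 

    SignInAsAuthenticationType = "Cookies", 

    Notifications = new OpenIdConnectAuthenticationNotifications 
    { 
        AuthorizationCodeReceived = async n => 
        { 
            // Redeem the authorization code at the token endpoint with the confidential
            // client's credentials to obtain the access and refresh token.
            var tokenClient = new TokenClient(UrlManager.TokenEndpoint, "webapplication", "webappsecret"); 
            var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(n.Code, n.RedirectUri); 

            if (tokenResponse.IsError) 
            { 
                // Fail the sign-in with the protocol error the server returned.
                throw new InvalidOperationException(tokenResponse.Error); 
            } 

            // Use the access token to retrieve the user's claims from the userinfo endpoint.
            var userInfoClient = new UserInfoClient(new Uri(UrlManager.UserInfoEndpoint), tokenResponse.AccessToken); 
            var userInfoResponse = await userInfoClient.GetAsync(); 

            // Build the application identity from the userinfo claims plus the token material.
            // NOTE: the tokens added below are persisted in the authentication cookie, so the
            // cookie's data protection and HTTPS are what keep them confidential.
            var id = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType); 
            id.AddClaims(userInfoResponse.GetClaimsIdentity().Claims); 

            id.AddClaim(new Claim("access_token", tokenResponse.AccessToken)); 

            // Record expiry as a UTC round-trip ("o") timestamp: DateTime.Now + ToLocalTime + culture
            // ToString() produced a local-time string that cannot be parsed back unambiguously.
            id.AddClaim(new Claim("expires_at", DateTimeOffset.UtcNow.AddSeconds(tokenResponse.ExpiresIn).ToString("o"))); 

            // A refresh token is only issued when offline_access was granted; Claim throws on a null value,
            // which would turn the very scope problem this page is about into a second, confusing error.
            if (!string.IsNullOrEmpty(tokenResponse.RefreshToken)) 
            { 
                id.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken)); 
            } 

            // NOTE(review): with response_type=code the id_token may only be present in the token
            // response rather than in the authorize response - confirm which one this deployment returns.
            if (!string.IsNullOrEmpty(n.ProtocolMessage.IdToken)) 
            { 
                id.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken)); 
            } 

            // sid is optional; skip it rather than dereference a missing claim.
            var sid = n.AuthenticationTicket.Identity.FindFirst("sid"); 
            if (sid != null) 
            { 
                id.AddClaim(new Claim("sid", sid.Value)); 
            } 

            n.AuthenticationTicket = new AuthenticationTicket(
                new ClaimsIdentity(id.Claims, n.AuthenticationTicket.Identity.AuthenticationType, "name", "role"), 
                n.AuthenticationTicket.Properties); 
        } 
    } 
}); 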

這裏是我的OpenID的配置:

{ 
    "issuer":"https://localhost:44329/identity", 
    "jwks_uri":"https://localhost:44329/identity/.well-known/jwks", 
    "authorization_endpoint":"https://localhost:44329/identity/connect/authorize", 
    "token_endpoint":"https://localhost:44329/identity/connect/token", 
    "userinfo_endpoint":"https://localhost:44329/identity/connect/userinfo", 
    "end_session_endpoint":"https://localhost:44329/identity/connect/endsession", 
    "check_session_iframe":"https://localhost:44329/identity/connect/checksession", 
    "revocation_endpoint":"https://localhost:44329/identity/connect/revocation", 
    "introspection_endpoint":"https://localhost:44329/identity/connect/introspect", 
    "frontchannel_logout_supported":true, 
    "frontchannel_logout_session_supported":true, 
    "scopes_supported":[ 
     "openid", 
     "profile", 
     "email", 
     "phone", 
     "address", 
     "alpha", 
     "beta" 
    ], 
    "claims_supported":[ 
     "sub", 
     "name", 
     "family_name", 
     "given_name", 
     "middle_name", 
     "nickname", 
     "preferred_username", 
     "profile", 
     "picture", 
     "website", 
     "gender", 
     "birthdate", 
     "zoneinfo", 
     "locale", 
     "updated_at", 
     "email", 
     "email_verified", 
     "phone_number", 
     "phone_number_verified", 
     "address" 
    ], 
    "response_types_supported":[ 
     "code", 
     "token", 
     "id_token", 
     "id_token token", 
     "code id_token", 
     "code token", 
     "code id_token token" 
    ], 
    "response_modes_supported":[ 
     "form_post", 
     "query", 
     "fragment" 
    ], 
    "grant_types_supported":[ 
     "authorization_code", 
     "client_credentials", 
     "password", 
     "refresh_token", 
     "implicit" 
    ], 
    "subject_types_supported":[ 
     "public" 
    ], 
    "id_token_signing_alg_values_supported":[ 
     "RS256" 
    ], 
    "code_challenge_methods_supported":[ 
     "plain", 
     "S256" 
    ], 
    "token_endpoint_auth_methods_supported":[ 
     "client_secret_post", 
     "client_secret_basic" 
    ] 
} 

支持的範圍不包含offline_access。我可以從我的日誌中看到offline_access是導致問題的範圍。

這是爲什麼?如何配置我的服務器以允許支持offline_access範圍?

回答


把標準範圍 OfflineAccess 加入伺服器的範圍設定（scope store）後，問題就解決了。

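/// <summary> 
/// Returns the scopes the identity server exposes. offline_access must be listed here, 
/// not only in a client's AllowedScopes, or the authorize request fails with invalid_scope. 
/// </summary> 
/// <returns>The configured scopes, including the standard offline_access scope.</returns> 
public static IEnumerable<Scope> Get() 
{ 
    var scopes = new List<Scope> 
    { 
        StandardScopes.OfflineAccess, 

        // your scopes listed here 
    }; 

    // The original snippet built the list but never returned it (and lacked the closing ';').
    return scopes; 
} 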

這對我有效。顯然'StandardScopes.All'不包含OfflineAccess – ReimTime