Are you using JWTs or reference tokens?
Reference tokens are validated by the identity server that is the authority. Using a different identity server and validating a token issued by another one may be difficult. If you are using JWTs, you can fetch the public key via the discovery endpoint. Then you should be able to use it to verify the signature...
You could do it like this:
    // Usings at the top of the file; the snippet below runs inside an ASP.NET MVC
    // controller action and needs the IdentityModel and System.IdentityModel.Tokens.Jwt packages.
    using System.Collections.Generic;
    using System.Configuration;
    using System.IdentityModel.Tokens.Jwt;
    using System.Security.Cryptography;
    using IdentityModel;
    using IdentityModel.Client;
    using Microsoft.IdentityModel.Tokens;

    // Define the client to access the IdentityServer discovery endpoint
    var discos = new DiscoveryClient(ConfigurationManager.AppSettings["IdentityserverLocation"]);
    var disco = await discos.GetAsync();
    // Get the public keys (JWKS) from the discovery endpoint
    var keys = disco.KeySet.Keys;

    // Build the authorization request
    // disco.AuthorizeEndpoint --> the authorization URL advertised by the identity server
    var request = new AuthorizeRequest(disco.AuthorizeEndpoint);
    var url = request.CreateAuthorizeUrl(
        clientId: ConfigurationManager.AppSettings["ClientId"],
        responseType: "id_token",
        scope: "openid profile email",
        responseMode: OidcConstants.ResponseModes.FormPost,
        redirectUri: ConfigurationManager.AppSettings["RedirectUrl"],
        state: CryptoRandom.CreateUniqueId(),
        nonce: CryptoRandom.CreateUniqueId());

    // Try to validate the id_token posted back by the identity server
    try
    {
        // Read the token from the form post and parse it into a JwtSecurityToken
        var idToken = Request.Form.Get("id_token");
        JwtSecurityToken j = new JwtSecurityToken(idToken);

        // Turn each JWK (base64url-encoded modulus N and exponent E) into an RSA public key
        var keylist = new List<SecurityKey>();
        foreach (var webKey in keys)
        {
            var exp = Base64Url.Decode(webKey.E);
            var mod = Base64Url.Decode(webKey.N);
            var key = new RsaSecurityKey(new RSAParameters() { Modulus = mod, Exponent = exp });
            keylist.Add(key);
        }

        // Define the parameters for validation of the token
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = disco.Issuer,
            ValidAudience = "viper",   // the client id registered at the identity server
            IssuerSigningKeys = keylist,
        };
        var handler = new JwtSecurityTokenHandler();
        handler.InboundClaimTypeMap.Clear();
        // Validate the token using the defined parameters; returns the principal when validation is successful
        var user = handler.ValidateToken(j.RawData, parameters, out var validatedToken);
    }
    catch (SecurityTokenException ex)
    {
        // Signature, issuer, audience or lifetime check failed: treat the token as invalid
        throw;
    }
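As an added example that is not part of the answer above, the same JWKS-based check can be packaged as a reusable validator that also keeps each key's `kid`, pins the algorithm to RS256, checks the lifetime, and verifies the nonce that was sent in the authorize request. It assumes `IdentityModel.Jwk.JsonWebKeySet` (what `disco.KeySet` is) and `Microsoft.IdentityModel.Tokens`; the names `RemoteIdTokenValidator`, `KeysFromJwks` and `ValidateIdToken` are my own.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using IdentityModel.Jwk;               // JsonWebKeySet from the discovery document
using Microsoft.IdentityModel.Tokens;

public static class RemoteIdTokenValidator   // name is mine, not IdentityModel's
{
    // One RsaSecurityKey per RSA entry in the JWKS, keeping "kid" so the handler
    // can select the key named in the token header instead of trying all of them.
    public static List<SecurityKey> KeysFromJwks(JsonWebKeySet jwks)
    {
        return jwks.Keys
            .Where(k => k.Kty == "RSA" && !string.IsNullOrEmpty(k.N) && !string.IsNullOrEmpty(k.E))
            .Select(k => (SecurityKey)new RsaSecurityKey(new RSAParameters
            {
                Modulus = Base64UrlEncoder.DecodeBytes(k.N),
                Exponent = Base64UrlEncoder.DecodeBytes(k.E),
            }) { KeyId = k.Kid })
            .ToList();
    }

    // Validates an id_token from the remote IdentityServer: signature against the
    // JWKS, issuer, audience (our client id), lifetime, and the nonce we sent.
    public static ClaimsPrincipal ValidateIdToken(string idToken, string issuer,
        JsonWebKeySet jwks, string clientId, string expectedNonce)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = clientId,
            IssuerSigningKeys = KeysFromJwks(jwks),
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // no "none"/HMAC downgrade
            ClockSkew = TimeSpan.FromMinutes(2),   // lifetime (exp/nbf) is validated by default
        };
        var handler = new JwtSecurityTokenHandler();
        handler.InboundClaimTypeMap.Clear();
        var principal = handler.ValidateToken(idToken, parameters, out SecurityToken validated);

        // The nonce ties this id_token to the authorize request that produced it (replay defence).
        var nonce = ((JwtSecurityToken)validated).Payload.Nonce;
        if (string.IsNullOrEmpty(expectedNonce) || nonce != expectedNonce)
            throw new SecurityTokenValidationException("id_token nonce does not match the request");
        return principal;
    }
}
```

Call it as `RemoteIdTokenValidator.ValidateIdToken(idToken, disco.Issuer, disco.KeySet, clientId, nonceStoredAtAuthorizeTime)`, keeping the nonce server-side (session or a signed cookie) between the authorize request and the form post.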
When you configure your resource server to validate against Identity Server, you need to specify things like the scope and the authority... all the identity servers have the same "authority", as in the URI. – Mashton
Would love to see this answered... I have a similar situation but with two domain names pointing at the same identity server instance - that doesn't work either, because you have to set the "Authority" of the Api resource to a single URI. –