在OpenIdConnect中使用声明。ASP。净5

在过去的7天里,我尝试设置ASP。NET 5 WebApi使用 OpenIdConnect.Server 资源所有者流。

我在生成令牌和访问 [Authorize] 受保护的动作。

然而,当我尝试访问 this.User.Identity.Claims ,它是空的。我正在使用ASP。NET 5,beta 6(升级到最新的beta 7并等待其正式发布时遇到问题)

在“启动”中。我得到了以下信息:

public void ConfigureServices(IServiceCollection services)
{
    services.AddCaching();

    services.AddEntityFramework()
        .AddSqlServer()
        .AddDbContext<AuthContext>(options =>
        {
            options.UseSqlServer(Configuration.Get("Data:DefaultConnection:ConnectionString"));
        });

    services.AddIdentity<AuthUser, AuthRole>(
        options => options.User = new Microsoft.AspNet.Identity.UserOptions
        {
            RequireUniqueEmail = true,
            UserNameValidationRegex = "^[a-zA-Z0-9@_\\.-]+$"
        })
        .AddEntityFrameworkStores<AuthContext, Guid>()
        .AddDefaultTokenProviders();

    services.ConfigureCors(configure =>
    {
        configure.AddPolicy("CorsPolicy", builder =>
        {
            builder.WithOrigins("http:/localhost/", "http://win2012.bludev.com/");
        });
    });

    services.AddScoped<IAuthRepository, AuthRepository>();
}

    public void Configure(IApplicationBuilder app)
    {
        var factory = app.ApplicationServices.GetRequiredService<ILoggerFactory>();
        factory.AddConsole();

        app.UseStaticFiles();

        app.UseOAuthBearerAuthentication(options =>
        {
            options.Authority = "http://win2012.bludev.com/api/auth/";
            options.Audience = "http://win2012.bludev.com/";

            options.AutomaticAuthentication = true;

            options.TokenValidationParameters = new TokenValidationParameters()
            {
                RequireExpirationTime = true,
                RequireSignedTokens = true,
                RoleClaimType = ClaimTypes.Role,
                NameClaimType = ClaimTypes.NameIdentifier,

                ValidateActor = true,
                ValidateAudience = false,
                ValidateIssuer = true,
                ValidateLifetime = false,
                ValidateIssuerSigningKey = true,
                ValidateSignature = true,

                ValidAudience = "http://win2012.bludev.com/",
                ValidIssuer = "http://win2012.bludev.com/"
            };
        });

        app.UseOpenIdConnectServer(options =>
        {
            options.Issuer = new Uri("http://win2012.bludev.com/api/auth/");
            options.AllowInsecureHttp = true;
            options.AuthorizationEndpointPath = PathString.Empty;
            options.Provider = new AuthorizationProvider();
            options.ApplicationCanDisplayErrors = true;

            // Note: in a real world app, you'd probably prefer storing the X.509 certificate
            // in the user or machine store. To keep this sample easy to use, the certificate
            // is extracted from the Certificate.pfx file embedded in this assembly.
            options.UseCertificate(
                assembly: typeof(Startup).GetTypeInfo().Assembly,
                resource: "AuthExample.Certificate.pfx",
                password: "Owin.Security.OpenIdConnect.Server");
        });

        app.UseIdentity();

        app.UseMvc();
    }
}

我用过 app.UseOAuthBearerAuthentication 因为我无法得到 app.UseOpenIdConnectAuthentication 工作时,我只会在控制台中看到:

请求:/admin/user/警告: [MMicrosoft.AspNet.Authentication.OpenIdConnect.OpenIdConnect Authentica] [中间件]OIDCH_0004:OpenIdConnectAuthenticationHandler: 消息状态为null或为空。请求: /.已知/opnid配置警告: [MMicrosoft.AspNet.Authentication.OpenIdConnect.OpenIdConnect Authentica] [中间件]OIDCH_0004:OpenIdConnectAuthenticationHandler: 消息状态为null或为空。

超时后出现异常

错误:[Microsoft.AspNet.Server.WebListener.MessagePump] ProcessRequestAsync系统。InvalidOperationException:IDX10803:无法 创建以从以下位置获取配置: ' http://win2012.bludev.com/api/auth/.well-known/openid-configuration ' .at Microsoft.IdentityModel.Loging.LogHelper.Throw(字符串 消息,类型exceptionType,EventLevel logLevel,异常 innerException)位于 Microsoft.IdentityModel.Protocols.ConfigurationManager`1.d__24.MoveNext() ---从上一个引发异常的位置开始的堆栈结尾跟踪---在 System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(任务 任务)位于 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNot 通知(任务任务) ...

使用此配置 UseOpenIdConnectAuthentication

app.UseOpenIdConnectAuthentication(options =>
{
    options.AuthenticationScheme = OpenIdConnectAuthenticationDefaults.AuthenticationScheme;

    options.Authority = "http://win2012.bludev.com/api/auth/";
    options.Audience = "http://win2012.bludev.com/";
    options.Resource = "http://win2012.bludev.com/";

    options.AutomaticAuthentication = true;

    options.TokenValidationParameters = new TokenValidationParameters()
    {
        RequireExpirationTime = true,
        RequireSignedTokens = true,
        RoleClaimType = ClaimTypes.Role,
        NameClaimType = ClaimTypes.NameIdentifier,

        ValidateActor = true,
        ValidateAudience = false,
        ValidateIssuer = true,
        ValidateLifetime = false,
        ValidateIssuerSigningKey = true,
        ValidateSignature = true
    };

});

所以真正的问题是:

1. 如何使资源所有者流处理索赔
2. ValidateLifetime = true 或 ValidateAudience = true 将引发异常并导致Http Code 500响应而没有打印错误。
3. 如何将身份验证失败转化为一个有意义的400/403代码和一个json或xml响应(取决于客户端偏好),以显示给用户?(在这种情况下,JavaScript是客户端)?