IdentityModel.AspNetCore 反向通道 HttpClient 的代理凭据存在问题
我正在使用 IdentityModel.AspNetCore 来管理后台服务中的客户端访问令牌。只能通过使用 Windows 身份验证的公司代理服务器访问互联网。
代理服务器在 Windows 选项中配置,后台服务检测设置,但是身份验证不起作用,我不断收到 代理“http://proxy:8080/”的代理隧道请求失败的状态代码“407”。如何配置 HttpClient 以使用 Windows 凭据对代理服务器进行身份验证?
我已经尝试过以下方法,但这不起作用:
services.AddAccessTokenManagement(options =>
{
options.Client.Clients.Add("sapci", new ClientCredentialsTokenRequest
{
Address = hostContext.Configuration["HttpProxy:TokenEndpoint"],
ClientId = hostContext.Configuration["HttpProxy:ClientId"],
ClientSecret = hostContext.Configuration["HttpProxy:ClientSecret"],
GrantType = OidcConstants.GrantTypes.ClientCredentials,
AuthorizationHeaderStyle = BasicAuthenticationHeaderStyle.Rfc2617,
ClientCredentialStyle = ClientCredentialStyle.AuthorizationHeader
});
})
.ConfigureBackchannelHttpClient(client => new HttpClient(new HttpClientHandler()
{
DefaultProxyCredentials = CredentialCache.DefaultCredentials,
}));
I'm using IdentityModel.AspNetCore to manage client access tokens in a background service. Access to the internet is only possible through a corporate proxy server which uses windows authentication.
The proxy server is configured in Windows options and the background service detects the settings, however authentication doesn't work and I'm constantly getting The proxy tunnel request to proxy 'http://proxy:8080/' failed with status code '407'. How can I configure the HttpClient to use the windows credentials for authentication against the proxy server?
I've already tried the following, but this doesn't work:
services.AddAccessTokenManagement(options =>
{
options.Client.Clients.Add("sapci", new ClientCredentialsTokenRequest
{
Address = hostContext.Configuration["HttpProxy:TokenEndpoint"],
ClientId = hostContext.Configuration["HttpProxy:ClientId"],
ClientSecret = hostContext.Configuration["HttpProxy:ClientSecret"],
GrantType = OidcConstants.GrantTypes.ClientCredentials,
AuthorizationHeaderStyle = BasicAuthenticationHeaderStyle.Rfc2617,
ClientCredentialStyle = ClientCredentialStyle.AuthorizationHeader
});
})
.ConfigureBackchannelHttpClient(client => new HttpClient(new HttpClientHandler()
{
DefaultProxyCredentials = CredentialCache.DefaultCredentials,
}));
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我相信您可以在应用程序启动时执行此操作,以确保捕获所有客户端使用情况:
我会将您的问题减少到部署一个最小的控制台应用程序并使用与您的服务相同的用户帐户等运行它。一旦工作正常,您的主应用程序也会工作。
有时这些事情也与基础设施相关:例如,在过去,在 IIS 集群环境中,我必须使用服务帐户并注册服务主体名称,例如以防止使用计算机帐户。我怀疑这与 .Net Core / Kestrel 有关,我假设您正在使用它。
I believe you can do this at app startup, to ensure you capture all client usages:
I would reduce your problem to deploying a minimal console app and running it with the same user account etc as your service. Once that works your main app will also.
Sometimes these things are infrastructure related also: eg in the past, with IIS clustered environments, I've had to use a service account and register a service principal name, eg to prevent use of computer accounts. I doubt that is relevant to .Net Core / Kestrel though, which I assume you are using.