.net5 IdentityServer4 客户端模式
.net5 IdentityServer4 相关包以及术语
Quickstart UI
包含一个简单的入门UI,包括登录,注销和授权询问页面。
Access token validation middleware
用于验证API中令牌的ASP.NET Core身份验证处理程序。处理程序允许在同一API中支持JWT和reference Token。
Identity
IdentityServer的ASP.NET Core Identity集成包。此包提供了一个简单的配置API,可以让IdentityServer用户使用ASP.NET Identity。
EntityFramework Core
IdentityServer的EntityFramework Core存储实现。这个包提供了IdentityServer的配置和操作存储的EntityFramework Core实现。
第一步安装 IdentityServer4 模板
# Install the IdentityServer4 project templates so `dotnet new` can scaffold the quickstart host.
dotnet new -i IdentityServer4.Templates
打开模板项目https://localhost:5001/.well-known/openid-configuration
出现
{
"issuer": "https://localhost:5001",//验证的网站站点
"jwks_uri": "https://localhost:5001/.well-known/openid-configuration/jwks",//获取验证jwt数字签名的公钥
"authorization_endpoint": "https://localhost:5001/connect/authorize",
"token_endpoint": "https://localhost:5001/connect/token",//获取token
"userinfo_endpoint": "https://localhost:5001/connect/userinfo",//获取用户信息
"end_session_endpoint": "https://localhost:5001/connect/endsession",//注销
"check_session_iframe": "https://localhost:5001/connect/checksession",
"revocation_endpoint": "https://localhost:5001/connect/revocation",
"introspection_endpoint": "https://localhost:5001/connect/introspect",
"device_authorization_endpoint": "https://localhost:5001/connect/deviceauthorization",
"frontchannel_logout_supported": true,
"frontchannel_logout_session_supported": true,
"backchannel_logout_supported": true,
"backchannel_logout_session_supported": true,
"scopes_supported": ["openid", "offline_access"],
"claims_supported": ["sub"],
"grant_types_supported": ["authorization_code", "client_credentials", "refresh_token", "implicit", "urn:ietf:params:oauth:grant-type:device_code"],
"response_types_supported": ["code", "token", "id_token", "id_token token", "code id_token", "code token", "code id_token token"],
"response_modes_supported": ["form_post", "query", "fragment"],
"token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
"id_token_signing_alg_values_supported": ["RS256"],
"subject_types_supported": ["public"],
"code_challenge_methods_supported": ["plain", "S256"],
"request_parameter_supported": true
}
/// <summary>
/// In-memory IdentityServer configuration for the quickstart host: the registered
/// client, the API scope it may request, and the test users used by the password flow.
/// </summary>
public class IdentityServer
{
    /// <summary>
    /// Builds the single in-memory client <c>client1</c> using the authorization code flow.
    /// </summary>
    /// <returns>The client definitions handed to <c>AddInMemoryClients</c>.</returns>
    public static IEnumerable<Client> GetClients()
    {
        var codeFlowClient = new Client
        {
            ClientId = "client1",

            // The grant type selects the OAuth flow. Alternatives kept for reference:
            //   GrantTypes.ClientCredentials     - client credentials
            //   GrantTypes.ResourceOwnerPassword - password grant
            //   GrantTypes.Implicit              - implicit flow
            AllowedGrantTypes = GrantTypes.Code, // authorization code flow

            // Callback address the authorization code is delivered to after a successful login.
            RedirectUris = { "http://localhost:5008/api/Identity/Get" },

            // RequireConsent = false, // whether the consent page is shown before issuing tokens

            // PKCE is switched off in this sample. For the code flow PKCE binds the issued
            // code to the client that started the request; leaving it disabled removes that
            // protection, so enable it for anything beyond a local demo.
            RequirePkce = false,

            // Secret the client authenticates with at the token endpoint; only the hash is stored.
            // The literal "secret" is a placeholder for the walkthrough, not a real credential.
            ClientSecrets =
            {
                new Secret("secret".Sha256())
            },

            // Permits access tokens to be returned through the browser (front channel).
            // Only response types that hand the access token directly to the browser need this;
            // the plain code flow does not.
            AllowAccessTokensViaBrowser = true,

            // Scopes this client is allowed to request.
            AllowedScopes =
            {
                "api1",
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile
            }
        };

        return new List<Client> { codeFlowClient };
    }

    /// <summary>
    /// Declares the API scope <c>api1</c> that the client above may request.
    /// </summary>
    /// <returns>The scope definitions handed to <c>AddInMemoryApiScopes</c>.</returns>
    public static IEnumerable<ApiScope> GetApiScopes()
    {
        var scopes = new List<ApiScope>();
        scopes.Add(new ApiScope("api1", "我的 API"));
        return scopes;
    }

    /// <summary>
    /// In-memory user store for the resource-owner-password flow.
    /// Credentials are hard-coded in source; this is suitable only for a local demo.
    /// </summary>
    /// <returns>The test users handed to <c>AddTestUsers</c>.</returns>
    public static List<TestUser> GetTestUsers()
    {
        var adminUser = new TestUser
        {
            SubjectId = "1",
            Username = "admin",
            Password = "123456"
        };

        return new List<TestUser> { adminUser };
    }
}
}
// Register IdentityServer backed by in-memory configuration stores.
var identityServerBuilder = services.AddIdentityServer();

// Generates a temporary signing key on first start; intended for development only.
// Tokens signed with it become invalid whenever the key is regenerated.
identityServerBuilder.AddDeveloperSigningCredential();

identityServerBuilder.AddInMemoryClients(IdentityServer.GetClients());
identityServerBuilder.AddInMemoryApiScopes(IdentityServer.GetApiScopes());

// identityServerBuilder.AddTestUsers(IdentityServer.GetTestUsers()); // users for the password grant
identityServerBuilder.AddTestUsers(IdentityServerHost.Quickstart.UI.TestUsers.Users);
app.UseIdentityServer(); // must be placed after UseRouting
在客户端api项目中
// Authentication and authorization middleware must come after the routing middleware.
// Order matters here: UseAuthentication runs before UseAuthorization.
app.UseAuthentication();
app.UseAuthorization();
// JWT bearer authentication for the protected API; "Bearer" is the default scheme.
var authenticationBuilder = services.AddAuthentication("Bearer");

authenticationBuilder.AddJwtBearer("Bearer", options =>
{
    // Base URL of the IdentityServer that issued the tokens; its discovery document
    // and signing keys are fetched from here. NOTE(review): the discovery document
    // shown earlier on this page is served from https://localhost:5001 — confirm the
    // scheme and port match the issuer actually in use, or token validation will fail.
    options.Authority = "http://localhost:5007";

    // Allows the discovery document to be fetched over plain HTTP. Development only;
    // in any non-local setup the metadata must be retrieved over HTTPS.
    options.RequireHttpsMetadata = false;

    // Audience validation is disabled: any access token issued by this authority is
    // accepted by this API regardless of which API it was issued for. Configure an
    // audience (or a scope check) before exposing more than one API behind the same issuer.
    options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
    {
        ValidateAudience = false
    };
});
/// <summary>
/// Protected sample endpoint; every action requires an authenticated bearer token.
/// NOTE(review): this route (api/Identity/Get) is also configured as the client's
/// redirect URI above — a browser redirect there carries no bearer token, so it would
/// appear to hit the [Authorize] filter rather than complete the flow. Confirm intended.
/// </summary>
[Route("api/[controller]/[action]")]
[Authorize]
public class IdentityController : ControllerBase
{
    /// <summary>
    /// Returns a fixed marker string so a caller can confirm the token was accepted.
    /// </summary>
    /// <returns>The literal <c>ids4</c>.</returns>
    [HttpGet]
    public string Get() => "ids4";
}